browsing closed vanilla forums without signing in

edited July 2007 in Vanilla 1.0 Help
Problem: If your browser ignores redirects you can browse a closed forum without logging in.

Description: If the browser doesn't have a login cookie and tries to browse a forum that only allows signed-in users, Vanilla will send a redirect to the login page. If the browser ignores the redirect THE PAGE WILL STILL BE RENDERED!

http://spacetuna.com/forum is a Vanilla 1 forum that requires users to sign in to browse the site. This link shows the HTTP header response of a page that should require login: http://web-sniffer.net/?url=http%3A%2F%2Fwww.spacetuna.com%2Fforum%2Fcomments.php%3FDiscussionID%3D541&submit=Submit&http=1.1&type=GET&ua=Mozilla%2F5.0+%28Macintosh%3B+U%3B+Intel+Mac+OS+X%3B+en-US%3B+rv%3A1.8.0.4%29+Gecko%2F20060508+Firefox%2F1.5.0.4+Web-Sniffer%2F1.0.24

Solution: Don't just call header("Location: people.php?PageAction=SignOutNow"); to redirect. Send the redirect location, and then exit the script.

Comments

  • Mark (Vanilla Staff)
    I could have sworn I called die() after the redirect...
  • Mark (Vanilla Staff)
    edited July 2006
    Okay, if anyone wants a fix for this before the next minor revision is released, open up library/People/People.Class.Session.php and change the Check method to look like this:

    function Check(&$Context) {
        // Deny when an anonymous visitor hits a non-public forum, or a signed-in
        // user lacks the sign-in permission.
        if (($this->UserID == 0 && !$Context->Configuration['PUBLIC_BROWSING'])
            || ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN)) {
            if ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN) $this->End($Context->Authenticator);
            header('location: '.AppendUrlParameters($Context->Configuration['SAFE_REDIRECT'], 'ReturnUrl='.GetRequestUri()));
            // Stop here: without die() the protected page is still rendered for a client that ignores the redirect.
            die();
        }
    }

    If you are still running your forum off subversion, just svn update and the fix will be in place.
  • Do search engine bots typically respect redirects?
  • Mark (Vanilla Staff)
    I don't know...
  • Jul 6th 2006 was the last post? I came to these forums to report this bug as a major security risk. I downloaded Vanilla 1.1.2 yesterday (July 6th 2007 ironically enough), and still found these errors. Anyone using telnet, or a modified browser can sail past these redirects (I got one of our servers hacked with this hole once).

    In /settings.php, this shows up:

    if (!$Allowed) header('location:'.GetUrl($Configuration, 'index.php'));

    If you're not logged in (not allowed) you should get redirected to the main forum page; else you get the settings page. It's easy to get into restricted places:

    (Real log, but with details changed to protect some of my info) ('forums' is the vanilla base folder)

    eltoro:~ monit$ telnet sito.up.calif.edu 80
    Trying 207.180.220.248...
    Connected to sito.up.calif.edu.
    Escape character is '^]'.
    GET /forums/settings.php HTTP/1.1
    Host: sito.up.calif.edu

    HTTP/1.1 302 Found
    Date: Sat, 07 Jul 2007 11:53:46 GMT
    Server: Apache/1.3.33 (Darwin) PHP/5.0.1 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l PHP/4.4.4
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    X-Powered-By: PHP/5.0.1
    Last-Modified: Sat, 07 Jul 2007 11:53:47 GMT
    Pragma: no-cache
    Set-Cookie: PHPSESSID=j0hnkf429c6coiejdoc7o7jr97; path=/forums/; domain=sito.up.calif.edu
    location: http://sito.up.calif.edu/forums/
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8

    fd2
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-ca">
    <head>
    <title>NINI Forums - Administrative Settings</title>
    ...
    ...

    Now, the folks above are correct, the solution is fairly simple:

    header("Location: place.com"); exit();

    I really suggest someone append that extra command. I apologize though if I don't have the time/energy to get in on the official development process myself.
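Added example, not part of this thread and not Vanilla code: a small Python checker for testing your own forum's responses offline. It parses a raw HTTP/1.1 response of the shape captured above (including the chunked body) and reports a "leaky redirect", that is a 3xx with a Location header whose body still carries a full page, which is exactly what a script that calls header() without exit() produces. The two sample responses, the hostname, the cookie value and the HTML are constructed for this example.

```python
"""Detect a 'leaky redirect': a 3xx whose body still contains the protected page."""


def _chunked(body: bytes) -> bytes:
    """Wrap a body in a single HTTP/1.1 chunk plus terminator (helper for the sample)."""
    return b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"


# Constructed sample data (host, cookie and HTML are made up for this example).
PROTECTED_PAGE = (
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">\n'
    b"<html><head><title>Example Forums - Administrative Settings</title></head>\n"
    b'<body><form action="settings.php" method="post">...</form></body></html>\n'
)
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: PHPSESSID=constructedsessionid; path=/forums/\r\n"
    b"location: http://forum.example.invalid/forums/\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n" + _chunked(PROTECTED_PAGE)
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://forum.example.invalid/forums/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def _decode_chunked(data: bytes) -> bytes:
    """Reassemble a chunked transfer-coded body."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        start = eol + 2
        out += data[start:start + size]
        pos = start + size + 2  # skip the CRLF that ends the chunk
    return bytes(out)


def parse_response(raw: bytes):
    """Split a raw response into (status, headers, body); header names are lower-cased,
    and repeated headers (e.g. several Set-Cookie) keep only the last value."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _decode_chunked(rest)
    else:
        body = rest
    return status, headers, body


def is_leaky_redirect(raw: bytes) -> bool:
    """True when a redirect response still carries real page content.
    Heuristic: a correctly terminated PHP redirect has an empty body, and a web
    server's own redirect stub is a few hundred bytes with no form; a rendered
    application page has forms and/or runs to kilobytes."""
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400 and "location" in headers):
        return False
    return b"<form" in body.lower() or len(body.strip()) > 2048


if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(name, is_leaky_redirect(raw))
```

To use it against a live forum, feed it the raw bytes of a response captured the way the telnet session above does (or with any client that does not follow redirects); a True result means the gate on that page is not terminating the script.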
  • Interesting find, I'll drop Mark an e-mail to see what he thinks.
  • For the standard vanilla settings pages, this just retrieves empty template pages--nothing in the panel, no options, no text other than what is defined in the language file.

    It could be possible some extension might reveal more than intended--and some POSTs get through if the writer is assuming the core will prevent access.

    Fix would be to replace line 43 of your-vanilla/settings.php with this:

    if (!$Allowed) { header('Location: '.GetUrl($Configuration, 'index.php')); exit(); }
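Added example, not from this thread or from Vanilla: a Python lint that scans PHP source for header('Location: ...') calls whose statement is not immediately followed by exit() or die(), so the pattern fixed above can be found across a whole code base (core and extensions) rather than one file at a time. The PHP snippets it runs on are constructed after the settings.php gate and the Session Check method quoted in this thread; the $Page->Render() line stands in for whatever the real file does next.

```python
"""Find PHP redirects that are not followed by exit()/die()."""
import re
import sys

# header('Location: ...') or header("location:...") in any letter case
REDIRECT_RE = re.compile(r"""header\s*\(\s*['"]\s*location\s*:""", re.IGNORECASE)
# What must come next: exit or die, with or without parentheses/arguments
TERMINATOR_RE = re.compile(r"(exit|die)\b", re.IGNORECASE)

# Constructed samples (placeholders, not actual Vanilla files).
VULNERABLE = """<?php
// gate modelled on the settings.php line quoted in the thread
if (!$Allowed) header('location:'.GetUrl($Configuration, 'index.php'));
$Page->Render(); // placeholder: rest of the page is still rendered
"""
FIXED = """<?php
if (!$Allowed) { header('Location: '.GetUrl($Configuration, 'index.php')); exit(); }
$Page->Render();
"""
SESSION_CHECK = """<?php
function Check(&$Context) {
    if ($this->UserID == 0 && !$Context->Configuration['PUBLIC_BROWSING']) {
        header('location: '.$Context->Configuration['SAFE_REDIRECT']);
        die();
    }
}
"""


def find_unterminated_redirects(php_source: str) -> list:
    """Return 1-based line numbers of Location headers whose statement is not
    immediately followed by exit/die. Limitation: a ';' inside the header()
    string literal would be mistaken for the end of the statement."""
    findings = []
    for m in REDIRECT_RE.finditer(php_source):
        semi = php_source.find(";", m.end())
        if semi == -1:
            continue
        following = php_source[semi + 1:].lstrip()
        if not TERMINATOR_RE.match(following):
            findings.append(php_source.count("\n", 0, m.start()) + 1)
    return findings


def scan_files(paths) -> dict:
    """Map each path to its findings (only paths with at least one hit)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_unterminated_redirects(fh.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, lines in scan_files(sys.argv[1:]).items():
            for line in lines:
                print(f"{path}:{line}: header('Location') not followed by exit/die")
    else:
        for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("session", SESSION_CHECK)):
            print(name, find_unterminated_redirects(src))
```

Run it with the PHP files to check as arguments (for example every .php file under the forum root); with no arguments it reports on the built-in samples, flagging only the vulnerable one.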
  • Indeed.
  • Mark (Vanilla Staff)
    This change has now been committed to the core.