Browsing closed Vanilla forums without signing in
Problem: If your browser ignores redirects, you can browse a closed forum without logging in.
Description: If the browser doesn't have a login cookie and tries to browse a forum that only allows signed-in users, Vanilla will send a redirect to the login page. If the browser ignores the redirect THE PAGE WILL STILL BE RENDERED!
http://spacetuna.com/forum is a Vanilla 1 forum that requires users to sign in to browse the site. This link shows the HTTP header response of a page that should require login:
http://web-sniffer.net/?url=http%3A%2F%2Fwww.spacetuna.com%2Fforum%2Fcomments.php%3FDiscussionID%3D541&submit=Submit&http=1.1&type=GET&ua=Mozilla%2F5.0+%28Macintosh%3B+U%3B+Intel+Mac+OS+X%3B+en-US%3B+rv%3A1.8.0.4%29+Gecko%2F20060508+Firefox%2F1.5.0.4+Web-Sniffer%2F1.0.24
Solution: Don't just call header("Location: people.php?PageAction=SignOutNow"); to redirect. Send the redirect location, and then exit the script.
Comments
function Check(&$Context) {
    // Deny access when an anonymous visitor hits a forum that disallows public
    // browsing, or when a signed-in user has lost the sign-in permission.
    if (($this->UserID == 0 && !$Context->Configuration['PUBLIC_BROWSING'])
        || ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN)) {
        if ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN) {
            $this->End($Context->Authenticator);
        }
        header('location: ' . AppendUrlParameters($Context->Configuration['SAFE_REDIRECT'], 'ReturnUrl=' . GetRequestUri()));
        // Stop here: without die() the rest of the page would still be rendered
        // into the body of the 302 response.
        die();
    }
}
If you are still running your forum off Subversion, just svn update and the fix will be in place.
It could be possible some extension might reveal more than intended, and some POSTs get through if the writer is assuming the core will prevent access.
Fix would be to replace line 43 of your-vanilla/settings.php with this:
if (!$Allowed) {
    header('Location: ' . GetUrl($Configuration, 'index.php'));
    // exit() so nothing after the access check is executed or sent.
    exit();
}
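The root cause described in the opening post and fixed in the two comments above is the same in any PHP application: header('Location: ...') only queues a response header, it does not stop the script, so everything after it still runs and is written into the body of the 302. The following is an added, self-contained example (not Vanilla's code) that puts the vulnerable pattern next to the corrected one. The cookie name, the helper names and the rendered content are all constructed for illustration.

```php
<?php
// Added example, not part of the Vanilla code base. Shows why a redirect must be
// followed by exit(): PHP keeps executing after header(), so a client that ignores
// the Location header (or a scraper that just reads the body) gets the protected page.

// Constructed stand-in for Vanilla's login-cookie check. The cookie name is a placeholder.
function isSignedIn(): bool
{
    return isset($_COOKIE['session_placeholder']);
}

// Constructed stand-in for the protected content a forum page would render.
function renderDiscussion(): string
{
    return "<h1>Members-only discussion</h1><p>This text must never reach an anonymous client.</p>";
}

// VULNERABLE: queues the redirect header and returns. The caller continues, renders
// the page, and the 302 response carries the full protected HTML as its body.
function redirectVulnerable(string $loginUrl): void
{
    header('Location: ' . $loginUrl);
}

// FIXED: send the redirect and terminate. Nothing after this point executes, so the
// 302 has an empty body regardless of what the client does with the Location header.
function redirectSafe(string $loginUrl): void
{
    header('Location: ' . $loginUrl, true, 302);
    exit();
}

// Page logic: the access check, then the content. Only the helper choice differs.
$returnUrl = $_SERVER['REQUEST_URI'] ?? '/';
$loginUrl  = 'people.php?ReturnUrl=' . rawurlencode($returnUrl);

if (!isSignedIn()) {
    // Use redirectSafe(). Swapping in redirectVulnerable() reproduces the leak
    // reported above: the echo below still runs and ships the content with the 302.
    redirectSafe($loginUrl);
}

echo renderDiscussion();
```

To confirm a deployed fix, request a protected page without a session cookie using a client that does not follow redirects (for example `curl -si`) and check two things in the response: the status is 302 with the expected Location, and the body is empty. A 302 whose body contains the page markup is the condition this thread reports. The same check applies to POST handlers and extensions, since, as noted in the comments, code that relies on the core redirect alone is still reachable when the redirect is not followed by exit().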