Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.

browsing closed vanilla forums without signing in

edited July 2007 in Vanilla 1.0 Help
Problem: If your browser ignores redirects you can browse a closed forum without logging in.

Description: If the browser doesn't have a login cookie and tries to browse a forum that only allows signed-in users, Vanilla will send a redirect to the login page. If the browser ignores the redirect THE PAGE WILL STILL BE RENDERED!

http://spacetuna.com/forum is a Vanilla 1 forum that requires users to sign in to browse the site. This link shows the HTTP header response of a page that should require login:

http://web-sniffer.net/?url=http%3A%2F%2Fwww.spacetuna.com%2Fforum%2Fcomments.php%3FDiscussionID%3D541&submit=Submit&http=1.1&type=GET&ua=Mozilla%2F5.0+%28Macintosh%3B+U%3B+Intel+Mac+OS+X%3B+en-US%3B+rv%3A1.8.0.4%29+Gecko%2F20060508+Firefox%2F1.5.0.4+Web-Sniffer%2F1.0.24

Solution: Don't just call header("Location: people.php?PageAction=SignOutNow"); to redirect. Send the redirect location, and then exit the script.

Comments

  • MarkMark Vanilla Staff
    I could have sworn I called die() after the redirect...
  • MarkMark Vanilla Staff
    edited July 2006
    Okay, if anyone wants a fix for this before the next minor revision is released, open up library/People/People.Class.Session.php and change the Check method to look like this:

    function Check(&$Context) {
        // Deny access when browsing anonymously on a forum that is not public,
        // or when the signed-in user lacks PERMISSION_SIGN_IN.
        if (($this->UserID == 0 && !$Context->Configuration['PUBLIC_BROWSING'])
            || ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN)) {
            if ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN) $this->End($Context->Authenticator);
            header('location: '.AppendUrlParameters($Context->Configuration['SAFE_REDIRECT'], 'ReturnUrl='.GetRequestUri()));
            // Stop here so nothing after the redirect header gets rendered.
            die();
        }
    }

    If you are still running your forum off subversion, just svn update and the fix will be in place.
  • Do search engine bots typically respect redirects?
  • MarkMark Vanilla Staff
    I don't know...
  • Jul 6th 2006 was the last post? I came to these forums to report this bug as a major security risk. I downloaded Vanilla 1.1.2 yesterday (July 6th 2007 ironically enough), and still found these errors. Anyone using telnet, or a modified browser, can sail past these redirects (I got one of our servers hacked with this hole once).

    In /settings.php, this shows up:

    if (!$Allowed) header('location:'.GetUrl($Configuration, 'index.php'));

    If you're not logged in (not allowed) you should get redirected to the main forum page, else you get the settings page. It's easy to get into restricted places (real log, but with details changed to protect some of my info; 'forums' is the Vanilla base folder):

    eltoro:~ monit$ telnet sito.up.calif.edu 80
    Trying 207.180.220.248...
    Connected to sito.up.calif.edu.
    Escape character is '^]'.
    GET /forums/settings.php HTTP/1.1
    Host: sito.up.calif.edu

    HTTP/1.1 302 Found
    Date: Sat, 07 Jul 2007 11:53:46 GMT
    Server: Apache/1.3.33 (Darwin) PHP/5.0.1 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l PHP/4.4.4
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    X-Powered-By: PHP/5.0.1
    Last-Modified: Sat, 07 Jul 2007 11:53:47 GMT
    Pragma: no-cache
    Set-Cookie: PHPSESSID=j0hnkf429c6coiejdoc7o7jr97; path=/forums/; domain=sito.up.calif.edu
    location: http://sito.up.calif.edu/forums/
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8

    fd2
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-ca">
    <head>
    <title>NINI Forums - Administrative Settings</title>
    ...
    ...

    Now, the folks above are correct, the solution is fairly simple:

    header("Location: place.com"); exit();

    I really suggest someone append that extra command. I apologize though if I don't have the time/energy to get in on the official development process myself.
  • Interesting find, I'll drop Mark an e-mail to see what he thinks.
  • For the standard Vanilla settings pages, this just retrieves empty template pages: nothing in the panel, no options, no text other than what is defined in the language file.

    It could be possible some extension might reveal more than intended, and some POSTs get through if the writer is assuming the core will prevent access.

    Fix would be to replace line 43 of your-vanilla/settings.php with this:

    if (!$Allowed) {
        header('Location: '.GetUrl($Configuration, 'index.php'));
        exit();
    }
  • Indeed.
  • MarkMark Vanilla Staff
    This change has now been committed to the core.
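The check a forum operator would want after reading this thread is a probe that behaves like the telnet session above: send a bare GET with no cookie, do not follow the redirect, and see whether the 302 body still contains the protected page. The following is an added example, written for this page and not code from Vanilla or any of the posters. It parses a raw HTTP/1.1 response (status line, headers, chunked body) and flags a redirect whose body carries an HTML document. The sample responses are constructed for the example and only modeled on the transcript: the host forum.example, the cookie value and the page text are made up. fetch_raw() is provided for use against your own server and is not invoked when the file runs.

```python
"""Detect redirects that still carry a rendered page (the Vanilla 1 bug above).

Added example for this thread, not code from Vanilla or any of the posters.
Parses a raw HTTP/1.1 response the way a client that ignores the Location
header sees it, decodes chunked transfer encoding, and reports whether a
3xx response still contains an HTML document. The samples at the bottom are
constructed (host, cookie and page text are made up).
"""
import re
import socket
from typing import Dict, Tuple


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body: '<hex size>\\r\\n<data>\\r\\n' ... '0\\r\\n\\r\\n'."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            break  # truncated capture: return what was received
        size = int(body[pos:end].split(b";")[0] or b"0", 16)  # drop chunk extensions
        if size == 0:
            break  # terminating chunk
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows the chunk data
    return bytes(out)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status code, lower-cased headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; the server in the thread sends 'location:'.
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    return status, headers, body


HTML_MARKER = re.compile(rb"<\s*(html|head|title|body)\b", re.IGNORECASE)


def redirect_leaks_page(raw: bytes) -> bool:
    """True for a redirect whose body still contains an HTML document.

    header('Location: ...') followed by exit() yields a 3xx with an empty
    body; a handler that keeps rendering yields a 3xx carrying the page.
    """
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400 and "location" in headers):
        return False  # not a redirect, so there is nothing for a client to ignore
    return HTML_MARKER.search(body) is not None


def fetch_raw(host: str, path: str, port: int = 80, timeout: float = 10.0) -> bytes:
    """Bare GET over a socket, like the telnet session: no cookies, no redirect following."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        received = []
        while data := sock.recv(65536):
            received.append(data)
    return b"".join(received)


def chunked(*parts: bytes) -> bytes:
    """Encode each part as one chunk of a chunked body."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


# Constructed samples (not real captures). LEAKY has the shape of the 302 in
# the transcript: redirect headers followed by a chunked XHTML document.
# SAFE is what header()+exit() produces. OK_PAGE is a normal signed-in response.
REDIRECT_HEAD = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: PHPSESSID=constructedsessionid; path=/forums/\r\n"
    b"location: http://forum.example/forums/\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
)
PAGE_PARTS = (
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">\n<html><head>',
    b"<title>Example Forums - Administrative Settings</title></head>",
    b"<body><h1>Settings</h1></body></html>\n",
)
LEAKY = REDIRECT_HEAD + b"Transfer-Encoding: chunked\r\n\r\n" + chunked(*PAGE_PARTS)
SAFE = REDIRECT_HEAD + b"Content-Length: 0\r\n\r\n"
OK_PAGE = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n" + chunked(*PAGE_PARTS)

if __name__ == "__main__":
    for name, sample in (("LEAKY", LEAKY), ("SAFE", SAFE), ("OK_PAGE", OK_PAGE)):
        print(f"{name}: redirect leaks page = {redirect_leaks_page(sample)}")
```

Against a live forum, pass the output of fetch_raw(host, "/forums/settings.php") to redirect_leaks_page(); a True result means the handler is still rendering after header(). Note that the chunk decoding only matters for raw socket captures: if you use http.client instead, it does not follow redirects either, but HTTPResponse.read() already strips the chunk framing, so only the body check applies.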