PEAK XOOPS - my session hijacked?

Posted on 2006/5/9 16:09
irmtfan   Posts: 96
I don't know how... I really don't believe it's session hijacking... but someone posted with my username (webmaster) in my site's forum:
www.jadoogaran.org

My uid=1.
I deleted the post and banned the poster's IP too.

GIjoe, I remember your post with Herko's username a long time ago to show the insecurity of XOOPS at that time.
Now the same problem is here.
Using CBB 2.3 (do you think it is not secure?)
XOOPS 2.2.4
and Protector 2.56 (I've been using Protector since it was born)
Autologin for 2.2.4 as well.

And the story is:
I had this problem about 2 months ago, so I banned the IP and everything was well until yesterday, when I cleared my banned IP list and then the problem happened again.

Posted on 2006/5/10 16:30
GIJOE   Posts: 4110
Quote:
irmtfan wrote:
I don't know how... I really don't believe it's session hijacking... but someone posted with my username (webmaster) in my site's forum:
www.jadoogaran.org

My uid=1.
I deleted the post and banned the poster's IP too.
Hmmm...
You should clear up the true reason.
Is it really "session hijacking"?

Of course, there are too many XSS or script-insertion vulnerable modules in XOOPS.

Almost all "HTML allowed" modules (i.e. modules ready to use a WYSIWYG editor) are vulnerable to script insertion.

Have you turned on "Groups disallowed IP moving in a session" for Administrators?
(in Protector's preferences)

If this is turned on, it is not so easy to hijack your session.


Quote:
GIjoe, I remember your post with Herko's username a long time ago to show the insecurity of XOOPS at that time.
Now the same problem is here.
That was a fatal vulnerability in the XOOPS core.
In version 2.0.9.2, it was fixed.

Quote:
Using CBB 2.3 (do you think it is not secure?)
XOOPS 2.2.4
and Protector 2.56 (I've been using Protector since it was born)
Autologin for 2.2.4 as well.
I don't know CBB well, sorry.
I know the 2.2.3 core has an XSS vulnerability in its WYSIWYG editor.
(I don't know whether it is fixed in 2.2.4 or not.)

If you use XSS or script-insertion vulnerable modules, using autologin makes your site much more dangerous.

First, turn autologin off.
And change the password of your account.

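The Protector preference GIJOE refers to, "Groups disallowed IP moving in a session", binds a session to the client IP it was started from, but only for the groups you list. The following is an added illustration of that idea, not Protector's or XOOPS's own code: a tiny session store that treats an IP change as a hijack for the listed groups and destroys the session, while ordinary members may still roam. The group ids, the `SessionStore` class, the session-destroy behaviour and the sample IPs are all assumptions made for the example.

```python
"""Added example: session-to-IP binding for selected groups.

This is not XOOPS or Protector code; it only models the behaviour the
"Groups disallowed IP moving in a session" preference is described as
having. Group ids, names and IP addresses below are assumptions.
"""
from dataclasses import dataclass
import secrets

# Assumed group ids (XOOPS uses small integers for groups; 1 is "Webmasters"
# in a default install, but treat both values as assumptions here).
ADMIN_GROUP = 1
MEMBER_GROUP = 2


@dataclass
class Session:
    uid: int
    groups: frozenset
    ip: str  # client IP the session was established from


class SessionStore:
    """In-memory session store with per-group IP pinning."""

    def __init__(self, no_ip_move_groups):
        # Groups whose sessions must not change IP (the Protector setting).
        self.no_ip_move_groups = frozenset(no_ip_move_groups)
        self._sessions = {}

    def login(self, uid, groups, ip):
        """Create a session after a successful login; returns the cookie value."""
        sid = secrets.token_hex(16)  # 128-bit random session id
        self._sessions[sid] = Session(uid, frozenset(groups), ip)
        return sid

    def resolve(self, sid, ip):
        """Map a request (session cookie + source IP) to a uid, or None.

        If the session belongs to a pinned group and the request comes from a
        different IP than the one the session started from, the session is
        treated as hijacked and destroyed, so even the legitimate owner has
        to log in again (assumed behaviour for this example).
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess.ip != ip and sess.groups & self.no_ip_move_groups:
            del self._sessions[sid]  # kill the session, don't just deny once
            return None
        return sess.uid


def demo():
    """Run the scenario from the thread with constructed sample data."""
    store = SessionStore(no_ip_move_groups={ADMIN_GROUP})
    # Constructed sample sessions: the webmaster (uid 1) and a member (uid 42).
    admin_sid = store.login(uid=1, groups={ADMIN_GROUP}, ip="203.0.113.10")
    member_sid = store.login(uid=42, groups={MEMBER_GROUP}, ip="198.51.100.7")
    return {
        # Webmaster keeps working from the original IP.
        "admin_same_ip": store.resolve(admin_sid, "203.0.113.10"),
        # Same cookie replayed from elsewhere (e.g. stolen via XSS): rejected.
        "admin_stolen": store.resolve(admin_sid, "192.0.2.99"),
        # The session was destroyed by the rejection, so the owner is out too.
        "admin_after": store.resolve(admin_sid, "203.0.113.10"),
        # Members are not pinned, so a dial-up IP change is still accepted.
        "member_moved": store.resolve(member_sid, "192.0.2.99"),
    }


if __name__ == "__main__":
    for name, uid in demo().items():
        print(f"{name}: {uid}")
```

Pinning only the administrator groups keeps the site usable for members whose IP changes on every dial-up reconnect, while a webmaster cookie captured from another address becomes useless. It does nothing against an attacker behind the same NAT or proxy as the victim, and it does not protect a persistent autologin cookie, which is why the advice above is to turn autologin off as well.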
Posted on 2006/5/10 17:03
irmtfan   Posts: 96
> Have you turned on "Groups disallowed IP moving in a session" for Administrators?

Yes.


Hmm, I allow HTML in some forums and use a WYSIWYG editor in forums as well. Now I'm going to disallow them.
But I don't think it was session hijacking... it's strange to me.


> First, turn autologin off.
No, I can't do it because it's very important for my users.

> And change the password of your account.
I did it in the first step.

Another thanks.

Posted on 2006/5/11 0:14
irmtfan   Posts: 96
Hmm, another guess:
I'm using a dial-up connection and never click on "logout" on my site. (My fault, I know.)
So is it possible that my ISP has a long cache and allows a user to log in to the site with my ID automatically?

Posted on 2006/5/11 4:59
GIJOE   Posts: 4110
Quote:
irmtfan wrote:
Hmm, another guess:
I'm using a dial-up connection and never click on "logout" on my site. (My fault, I know.)
So is it possible that my ISP has a long cache and allows a user to log in to the site with my ID automatically?
No.
It is almost impossible.
Don't think about such possibilities.
