vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Potential Security Issue (https://vborg.vbsupport.ru/showthread.php?t=221797)

TimberFloorAu 08-26-2009 09:14 AM

Potential Security Issue
 
Today we have had 2 members join, whose IPs match 2 of our senior moderators.

Now, our mods have denied that they have set up a new acct.... so can someone explain.

Is there a security flaw?

Someone is obviously going to the trouble of obtaining our users' IP addresses, then signing up using a bogus IP addy that matches our Mods.

Sounds bizarre but true. Currently have VBSEO online with us, assisting with Suhosin settings.

Can anyone please explain how this vulnerability can happen?

TheLastSuperman 08-26-2009 03:42 PM

Quote:

Originally Posted by TimberFloorAu (Post 1874637)
Today we have had 2 members join, whose IPs match 2 of our senior moderators.

Now, our mods have denied that they have set up a new acct.... so can someone explain.

Is there a security flaw?

Someone is obviously going to the trouble of obtaining our users' IP addresses, then signing up using a bogus IP addy that matches our Mods.

Sounds bizarre but true. Currently have VBSEO online with us, assisting with Suhosin settings.

Can anyone please explain how this vulnerability can happen?

I happened to check on a friend's forum the night before last... I logged in and saw (1 Viewing) beside an admin forum... I looked @ WOL and only me and one other member w/ no guest, so I clicked the sub-forum and it had the member listed as viewing their admin forums.

Oddly enough they had set up a general admin account a while back when on 3.6 to post RSS feeds, and guess what? The user's IP matched the admin account's IP.

So same question here, as it sounds oddly familiar to yours, TimberFloorAU, except they do not use vBSEO (gamer forums, no need etc).

TimberFloorAu 08-26-2009 07:47 PM

Very weird huh Michael.

We appear to have Suhosin re-enabled, but our host hasn't been totally helpful, asking us to enable it within EasyApache. But it is enabled; the coder over at vBSEO stated via shell access that we do seem to have a misconfigured Suhosin... so perhaps that is the issue.

He however managed to fix this via an .htaccess fix, but I am still concerned as to this security issue, and how it is/has been exploited.

Ste

Lynne 08-26-2009 08:31 PM

If you think there is a security issue, you really should post about it over on vb.com since the vb.com guys don't come over here to read about things like this.

TimberFloorAu 08-26-2009 09:45 PM

I have posted this now over at vb.com

One of our admins has spotted a peculiarity.

We have the New Member Auto Greeting
https://vborg.vbsupport.ru/showthread.php?t=214702

It appears that whoever greets the new member, that new member then possesses that "greeter's" IP.

Weird huh!! Will post on the thread of the mod.

Ste

TheLastSuperman 08-28-2009 05:16 AM

Quote:

Originally Posted by TimberFloorAu (Post 1875033)
I have posted this now over at vb.com

One of our admins has spotted a peculiarity.

We have the New Member Auto Greeting
https://vborg.vbsupport.ru/showthread.php?t=214702

It appears that whoever greets the new member, that new member then possesses that "greeter's" IP.

Weird huh!! Will post on the thread of the mod.

Ste

Yes this is weird... Glad to see more being found out about this Timber ;) however the forum I found this on does not have that mod installed but it does point out the problem with having the same IP, security risk IMO.

matthewhotdude 08-28-2009 10:11 AM

Quote:

Originally Posted by TheLastSuperman (Post 1875651)
Yes this is weird... Glad to see more being found out about this Timber ;) however the forum I found this on does not have that mod installed but it does point out the problem with having the same IP, security risk IMO.

What I did, because the welcome threads get people talking and I can't find another mod like it, was to create a user called "welcome Party" that is basically a bot that never logs on.
It only replicated the IPs in the welcome threads tho?

TheLastSuperman 08-28-2009 11:17 PM

Quote:

Originally Posted by matthewhotdude (Post 1875720)
What I did, because the welcome threads get people talking and I can't find another mod like it, was to create a user called "welcome Party" that is basically a bot that never logs on.
It only replicated the IPs in the welcome threads tho?

And those forums I bet are public or viewable to guests, and the rest are permissioned for usergroups, right?

RLShare 08-28-2009 11:46 PM

The mod creates a post based on a user registering, so it naturally attaches the IP of the User registering to the thread created. And since your username is used by the mod to create the thread, the same IP attached to the thread also gets attached to your account as one you have used. It is not really a security risk at all.

And if you do not want it attaching another IP to your account someone already posted how you can attach a specific IP to those threads instead of VB automatically attaching the users IP to your account.
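To make the mechanism RLShare describes concrete, here is an added example in Python (not code from vBulletin or from the greeting mod): a toy post table where, as in the forum's own post creation, the IP saved with a post defaults to the IP of the HTTP request that triggered it. Because the auto-greeting runs inside the registrant's request but is authored under the greeter's account, the registrant's IP lands in the greeter's IP history, which is exactly what the moderators saw. The `fixed_ip` parameter models the workaround of attaching a specific IP to the greeting post; the names `PostStore`, `greet_new_member`, `simulate` and the sample IPs are all constructed for this illustration.

```python
# Added example, not code from the vBulletin project or the greeting mod:
# a minimal model of how a post's IP address is recorded and why a greeting
# posted under a moderator's account ends up in that moderator's IP history.

class PostStore:
    """Toy stand-in for the post table: each post stores a userid and an ipaddress."""

    def __init__(self):
        self.posts = []  # list of dicts: {"userid": int, "ipaddress": str}

    def create_post(self, author_id, request_ip, ipaddress=None):
        # Assumption (matches RLShare's description): unless an IP is given
        # explicitly, the post is saved with the IP of the current request.
        self.posts.append({
            "userid": author_id,
            "ipaddress": ipaddress if ipaddress is not None else request_ip,
        })

    def ip_history(self, userid):
        """IPs that appear on posts by this user (what a moderator IP lookup shows)."""
        return {p["ipaddress"] for p in self.posts if p["userid"] == userid}

    def accounts_sharing_ip(self, userid):
        """Other accounts with at least one post IP in common with this user."""
        mine = self.ip_history(userid)
        return {p["userid"] for p in self.posts
                if p["userid"] != userid and p["ipaddress"] in mine}


def greet_new_member(store, greeter_id, registrant_request_ip, fixed_ip=None):
    """Model of an auto-greeting hook that runs inside the registrant's request.

    The greeting post is authored by greeter_id, but the request (and so the
    default IP) belongs to the person who just registered. Passing fixed_ip
    pins the recorded IP instead, which is the workaround mentioned in the thread.
    """
    store.create_post(greeter_id, registrant_request_ip, ipaddress=fixed_ip)


def simulate(fixed_ip=None):
    """Constructed scenario: moderator 10 posts normally, then user 42 registers
    and is auto-greeted under the moderator's account, then posts once himself."""
    store = PostStore()
    MOD, NEWBIE = 10, 42
    store.create_post(MOD, "203.0.113.5")              # moderator's own post
    greet_new_member(store, MOD, "198.51.100.7", fixed_ip)  # greeting during registration
    store.create_post(NEWBIE, "198.51.100.7")          # new member's first own post
    return store


if __name__ == "__main__":
    leaky = simulate()
    print("moderator IP history:", sorted(leaky.ip_history(10)))
    print("accounts sharing an IP with the moderator:", leaky.accounts_sharing_ip(10))
    # Placeholder pinned address; a real deployment would pick its own value.
    pinned = simulate(fixed_ip="127.0.0.1")
    print("with pinned IP:", sorted(pinned.ip_history(10)), pinned.accounts_sharing_ip(10))
```

Running it shows the moderator's IP history containing the registrant's address and the new account flagged as sharing an IP with the moderator; with the greeting post's IP pinned, neither happens. The practical check for an admin who sees "matching" IPs is therefore to look at which posts carry the shared IP: if they are all auto-generated greeting posts, it is attribution, not compromise.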



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
