The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Potential Security Issue
Today we have had 2 members join, whose IPs match 2 of our senior moderators.
Now, our mods have denied that they have set up a new acct... so can someone explain. Is there a security flaw? Someone is obviously going to the trouble of obtaining our users' IP addresses, then signing up, using a bogus IP addy, that matches our mods'. Sounds bizarre but true. Currently have VBSEO online with us, assisting with Suhosin settings. Can anyone please explain how this vulnerability can happen?
#2
Quote:
Oddly enough they had set up a general admin account a while back when on 3.6 to post RSS feeds and guess what? The user's IP matched the admin account's IP. So same question here as it sounds oddly familiar to yours, TimberFloorAU, except they do not use vBSEO (gamer forums, no need etc).
#3
Very weird, huh, Michael.
We appear to have Suhosin re-enabled, but our host hasn't been totally helpful, asking us to enable it within EasyApache. But it is enabled; the coder over at vBSEO stated via shell access that we do seem to have a misconfigured Suhosin... so perhaps that is the issue. He however managed to fix this via an htaccess fix, but I am still concerned as to this security issue, and how it is/has been exploited.
Ste
#4
If you think there is a security issue, you really should post about it over on vb.com since the vb.com guys don't come over here to read about things like this.
#5
I have posted this now over at vb.com.
One of our admins has spotted a peculiarity. We have the New Member Auto Greeting: https://vborg.vbsupport.ru/showthread.php?t=214702. It appears that whoever greets the new member, that new member then possesses that "greeter's" IP. Weird huh!! Will post on the thread of the mod.
Ste
#6
Quote:
#7
Quote:
It only replicated the IPs in the welcome threads tho?
#8
And those forums, I bet, are public or viewable to guests and the rest are permissioned for usergroups, right?
#9
The mod creates a post based on a user registering, so it naturally attaches the IP of the User registering to the thread created. And since your username is used by the mod to create the thread, the same IP attached to the thread also gets attached to your account as one you have used. It is not really a security risk at all.
And if you do not want it attaching another IP to your account someone already posted how you can attach a specific IP to those threads instead of VB automatically attaching the users IP to your account.
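
The mechanism described in post #9 can be modelled in a few lines. This is an added example, not code from the thread, the greeting mod, or vBulletin; the usernames, the IP addresses and the placeholder IP are constructed, and the data model (one IP stored per post, under the posting account) is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample data: documentation-range IPs and made-up usernames.
REGISTRATIONS = [("newmember1", "203.0.113.10"), ("newmember2", "203.0.113.20")]
GREETER = "SeniorMod"          # account the greeting threads are posted under
GREETER_OWN_IP = "198.51.100.5"
PLACEHOLDER_IP = "127.0.0.1"   # fixed IP for automated posts (assumed choice)


def build_posts(fixed_ip=None):
    """Return (author, ip) rows: the greeter's own post plus one greeting per signup."""
    posts = [(GREETER, GREETER_OWN_IP)]
    for _member, reg_ip in REGISTRATIONS:
        # The greeting is created during the newcomer's registration request,
        # so the request IP is the newcomer's unless a fixed IP is substituted.
        posts.append((GREETER, fixed_ip or reg_ip))
    return posts


def accounts_by_ip(posts):
    """Map each IP to the accounts linked to it by registration or by posts."""
    seen = defaultdict(set)
    for member, reg_ip in REGISTRATIONS:
        seen[reg_ip].add(member)
    for author, ip in posts:
        seen[ip].add(author)
    return seen


def shared_ip_matches(posts):
    """IPs linked to more than one account, as an IP-match report would show."""
    return {ip: sorted(users) for ip, users in accounts_by_ip(posts).items()
            if len(users) > 1}


if __name__ == "__main__":
    print("default: ", shared_ip_matches(build_posts()))
    print("fixed IP:", shared_ip_matches(build_posts(PLACEHOLDER_IP)))
```

With the default behaviour every new member appears to share an IP with the greeter; with a fixed IP on the automated posts the report is empty.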