URL problems that need to be repaired.


Post by Kimonio » May 29th, 2010, 8:46 am

Only true URL hackers are the geniuses we should fear. They can change one thing and gain access to another.


For example, I was editing my level I had submitted to the LDP and wondered if it was possible to edit someone else's level. It was. Suyo quickly fixed this. Then while Suyo was messing with coding and stuff for levels, I was using Star as my little guinea pig. I had him get the URL that he used to logout and compared it to mine. I noticed that the IDs were different.


When I tested Star's logout, I got this message:

You were not logged out, as the request did not match your session. Please contact the board administrator if you continue to experience problems.



This problem appears to have a solution that already prevents it. PHP apparently already thought of this and fixed it.


Now then, I'm giving you this topic to state problems you have found by changing URLs so that the staff can fix them as quickly as possible.



Suyo, you may need to make this an announcement so that people can get to this quickly. Also, I may need a table so that I can list the problems, describe them, and say if they've been resolved.

Re: URL problems that need to be repaired.

Post by Suyo » May 29th, 2010, 8:54 am

Well, inside the forums, there can't be something like this. Everything here is top-notch secured.

Different for the LDP. I just found a problem there today. You should check there.

Also, should I deliver a technical answer why logging out hasn't worked?

Re: URL problems that need to be repaired.

Post by Buff_ » May 29th, 2010, 8:55 am

@Kim: We can try it. We can use stuff like this to post in locked topics, no?

@Suyo: DOES THAT MEAN WE CAN SPAM WITHOUT YOU KNOWING! OMGOMGOMG!?

Re: URL problems that need to be repaired.

Post by Kimonio » May 29th, 2010, 9:00 am

Sure, Suyo. Broaden my education. Teach me other stuff about the internet.

Re: URL problems that need to be repaired.

Post by Suyo » May 29th, 2010, 9:06 am

Well, basically every user has one Session ID - short, sid.

It gets saved in the database like this:




Now, if we want to log out, maybe you noticed the sid in the URL. If Kim wants to log out, phpBB checks first in the sid table.





Now they compare the sid from the URL.

If the URL would be http://www.runouw.com/forums/ucp.php?mode=logout&sid=hjisduhsdgiadsg3278923z7sdffc, the sids would match and Kim gets logged out.
Now if the URL would be http://www.runouw.com/forums/ucp.php?mode=logout&sid=sdjdgopgd327093fsakjnfs, I won't get logged out. phpBB compares only to the sid next to the name of the user who clicked the link/entered the URL. Either that user gets logged out or no one gets logged out.

Same for posting, deleting posts, changing the profile etc.
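A simplified model of the sid check described in the post above, together with the ownership check that was missing when another user's LDP level could be edited by changing the URL. This is an added example, not part of the original thread and not phpBB's or the site's code. It assumes the requester's own sid arrives in a cookie; the `LEVELS` table, its ids and all function names are hypothetical.

```python
import hmac
import secrets

# Constructed sample data. SESSIONS plays the role of the "sid table":
# sid -> user name. LEVELS and its ids are hypothetical.
SESSIONS = {}
LEVELS = {101: {"owner": "Kim", "title": "Kim's level"},
          102: {"owner": "Star", "title": "Star's level"}}


def login(user):
    """Create a session and return its sid (sent back later as a cookie)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid


def requester(cookie_sid, url_sid):
    """Return the user name if the URL's sid matches the requester's own
    session, else None. The URL's sid is never used to look anyone up."""
    user = SESSIONS.get(cookie_sid)
    if user is None:
        return None
    same = hmac.compare_digest(cookie_sid.encode(), str(url_sid).encode())
    return user if same else None


def logout(cookie_sid, url_sid):
    """Log out the requester or nobody: a foreign sid is simply rejected."""
    if requester(cookie_sid, url_sid) is None:
        return False
    del SESSIONS[cookie_sid]
    return True


def edit_level(cookie_sid, url_sid, level_id, new_title):
    """The id in the URL picks the level; the session decides who may edit."""
    user = requester(cookie_sid, url_sid)
    if user is None:
        return "rejected: sid mismatch"
    level = LEVELS.get(level_id)
    if level is None or level["owner"] != user:
        return "rejected: not the owner"
    level["title"] = new_title
    return "saved"
```

Because the sid in a link must match the session of whoever sends the request, a link copied from another user does nothing, and a changed object id is caught by the separate ownership check.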

Re: URL problems that need to be repaired.

Post by Kimonio » May 29th, 2010, 9:09 am

But say someone got the bright idea to log another user off from the LDP......would that work?

Re: URL problems that need to be repaired.

Post by Suyo » May 30th, 2010, 12:24 am

No, since forum and LDP login are linked. Try to login on the main site and see where you end up :o

Re: URL problems that need to be repaired.

Post by TrappedTime » May 30th, 2010, 6:46 am

Wait, WHAT?

So what's up with the URLs?
How do they change at all?

Re: URL problems that need to be repaired.

Post by Kimonio » May 30th, 2010, 2:21 pm

TBG, let me help you.


posting.php?mode=reply&f=11&t=6172

Change the 2 to a 4.


posting.php?mode=reply&f=11&t=6174





That's how you change it. Amazed?