2009-08-10, 08:26 AM
Sorry if this sounds like a suggestion thingie;
I still tend to post it here because it is more like a bug for me, and I hope the developer team can fix this in the next version.
---------------
Dear MyBB Group,
I want to report some kind of bug, uhm no, it's not really a bug I think.
I'm using your latest version, 1.4.8, and it's working well.
OK, let's say this is just low level in critical security.
It's all about MyBB's cookie, the way it is created with my_setcookie for the key name mybbuser.
I think it's very easy for users to exchange their cookies just to get authorization and log in.
Mmphh, sorry for my bad English. --__--''
OK, here's the thing I found when I encountered the problem.
My friend (on the same board as me) gave me his mybbuser cookie, and I tried to use it by injecting the cookie into Opera or Firefox with Cookie Editor or whatsoever, and bang, I'm in, with my friend's ID.
You might not see this as a big problem, do you? But errr, a couple of days ago, one of the staff moderators in my forum got hacked.
Someone else used his ID and posted weird things, leaked VIP stuff, stole it, and more. And my friend denied that he did that.
I don't know what triggered this problem.
Maybe this is human error by my staff,
or maybe this is human error (again) in that my staff got a keylogger or trojan.
No matter what/how it is, I think I'd just offer you a good solution for this.
The way the mybbuser cookie is created with my_setcookie
is not secure enough if we are just joining userID."_".loginkeyHash
Maybe there's another, better solution, but this is one of my ways of patching the board just to prevent users from exchanging their cookie, or having it stolen by accident with a keylogger or something like that.
Thank God (well, I hope) there's no XSS left in this version... :o
Some functions that I need, placed in function.php:
/*-------------------*/
--Declined--
Thanks for your attention.
Keep rockin'. \m/
Salam,
::Idx.
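
The idea raised in the post above, binding the login cookie to something beyond userID and loginkey so that a copied value stops working elsewhere, can be sketched as follows. This is an added example, not the poster's declined patch and not MyBB's code; `SERVER_SECRET`, `cookie_mac`, `make_bound_cookie`, `check_bound_cookie` and the choice of the User-Agent as the bound attribute are assumptions made for illustration.

```php
<?php
// Added illustration: not MyBB code and not the poster's patch. All names are hypothetical.
const SERVER_SECRET = 'constructed-demo-secret'; // assumption: per-board secret kept server-side

// MAC over uid, loginkey, expiry and a client attribute (here: the User-Agent).
function cookie_mac(int $uid, string $loginkey, int $expires, string $userAgent): string
{
    $data = implode('|', [$uid, $loginkey, $expires, hash('sha256', $userAgent)]);
    return hash_hmac('sha256', $data, SERVER_SECRET);
}

// Cookie value is uid_expiry_mac; the loginkey itself never leaves the server.
function make_bound_cookie(int $uid, string $loginkey, string $userAgent, int $ttl = 86400, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    return $uid . '_' . $expires . '_' . cookie_mac($uid, $loginkey, $expires, $userAgent);
}

// $lookupLoginkey: callable returning the stored loginkey for a uid, or null.
// Returns the authenticated uid, or null when the cookie must be rejected.
function check_bound_cookie(string $cookie, string $userAgent, callable $lookupLoginkey, ?int $now = null): ?int
{
    $parts = explode('_', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null; // malformed value
    }
    [$uid, $expires, $mac] = [(int)$parts[0], (int)$parts[1], $parts[2]];
    if ($expires < ($now ?? time())) {
        return null; // expired
    }
    $loginkey = $lookupLoginkey($uid);
    if ($loginkey === null) {
        return null; // unknown user
    }
    // Constant-time comparison of the recomputed MAC with the presented one.
    return hash_equals(cookie_mac($uid, $loginkey, $expires, $userAgent), $mac) ? $uid : null;
}

// Constructed sample data, not taken from any real board.
$users  = [7 => 'k3yA-constructed', 9 => 'k3yB-constructed'];
$lookup = function (int $uid) use (&$users) { return $users[$uid] ?? null; };
$cookie = make_bound_cookie(7, $users[7], 'Opera/9.64 (constructed)');

var_dump(check_bound_cookie($cookie, 'Opera/9.64 (constructed)', $lookup));  // presented by the issuing browser
var_dump(check_bound_cookie($cookie, 'Firefox/3.5 (constructed)', $lookup)); // same value pasted into another browser
$users[7] = 'rotated-constructed';                                           // loginkey reset after a suspected compromise
var_dump(check_bound_cookie($cookie, 'Opera/9.64 (constructed)', $lookup));  // old cookie after the reset
```

A User-Agent string is visible to anyone who captures the whole request, so this binding only stops casual cookie exchange between browsers; in the keylogger or trojan case the post mentions, resetting the stored loginkey is what invalidates the stolen cookie.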