Login page a different user.

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Login page a different user.

Post by dpiquette » Tue Aug 26, 2008 12:12 am

I have searched and been unable to find a solution.

I have a site with a handful of users. When I go to the site I sometimes see the most recent user's session on the login screen. This allows me access to secured parts of the site, but after a couple of clicks it does eventually ask me to enter a proper id and password.

Question is how come the sessions are living between 2 different users on 2 different computers.

mattfaulds
Joomla! Apprentice
Posts: 34
Joined: Tue May 27, 2008 10:12 am

Re: Login page a different user.

Post by mattfaulds » Tue Aug 26, 2008 7:42 pm

I've seen the same problem too and can't find an answer. This is worrying and I need to find a solution pretty soon.

gudon
Joomla! Apprentice
Posts: 7
Joined: Tue Aug 12, 2008 12:24 pm

Re: Login page a different user.

Post by gudon » Tue Aug 26, 2008 8:15 pm

I had this as well, the next day, I got an email from Joomla explaining to me I need to update. I saw what the security risk was, and it almost 100% explained how they might have managed to hack my site.

A few days ago, I tried to log in, wrong password. In MySQL I saw that my password hashes differed from another account I had, with the same password. I override the password hash with my other account's hash, and then could log in. Clearly the user must have hacked it the same way last time. Thank goodness nothing was lost, but this hacker will strike again.

Joomla must fix this ASAP, or else a lot of users will be looking at another CMS. P.S. My site is now offline, and I'm reviewing CMS's till Joomla can fix this.

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Login page a different user.

Post by ircmaxell » Wed Aug 27, 2008 1:46 am

gudon wrote:Joomla must fix this ASAP, or else a lot of users will be looking at another CMS. P.S. My site is now offline, and I'm reviewing CMS's till Joomla can fix this.
It was actually fixed over 2 weeks ago... You just decided not to look and to point fingers...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Re: Login page a different user.

Post by dpiquette » Wed Aug 27, 2008 2:00 am

sorry ircmaxell; can you point me to the link on how to fix this :-[

much appreciated

mattfaulds
Joomla! Apprentice
Posts: 34
Joined: Tue May 27, 2008 10:12 am

Re: Login page a different user.

Post by mattfaulds » Wed Aug 27, 2008 5:21 am

Just to point out that this is with 1.5.6....

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Login page a different user.

Post by ircmaxell » Wed Aug 27, 2008 10:49 am

mattfaulds wrote:Just to point out that this is with 1.5.6....
Are you running Community Builder?

gudon
Joomla! Apprentice
Posts: 7
Joined: Tue Aug 12, 2008 12:24 pm

Re: Login page a different user.

Post by gudon » Wed Aug 27, 2008 11:48 am

ircmaxell wrote:
gudon wrote:Joomla must fix this ASAP, or else a lot of users will be looking at another CMS. P.S. My site is now offline, and I'm reviewing CMS's till Joomla can fix this.
It was actually fixed over 2 weeks ago... You just decided not to look and to point fingers...
I'm running 1.5.6 (Latest) - and this still happened... Even though I've updated!

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Re: Login page a different user.

Post by dpiquette » Wed Aug 27, 2008 12:10 pm

ircmaxell wrote:Are you running Community Builder?
Yes I am... should I follow up on their forum?

* JCal Pro
* J! v1.5.6
* PHP 5.2.3
* MySQL 5
* JCal theme - default
* J! English
* CB 1.2 RC 2

mattfaulds
Joomla! Apprentice
Posts: 34
Joined: Tue May 27, 2008 10:12 am

Re: Login page a different user.

Post by mattfaulds » Wed Aug 27, 2008 12:19 pm

I'm using CB 1.2 RC2

Would a webaddress/login be helpful? I could PM....

gudon
Joomla! Apprentice
Posts: 7
Joined: Tue Aug 12, 2008 12:24 pm

Re: Login page a different user.

Post by gudon » Wed Aug 27, 2008 7:46 pm

I've installed community builder with the hopes to not have any funny stuff happening to my admin account out of nowhere anymore...

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Login page a different user.

Post by ircmaxell » Wed Aug 27, 2008 10:31 pm

PLEASE retest WITHOUT CB... It sounds like it's time for a security audit of it (this is not the first time I've heard "something" like this happening with CB installed)... I'll get back to you in a day or 3...

gudon
Joomla! Apprentice
Posts: 7
Joined: Tue Aug 12, 2008 12:24 pm

Re: Login page a different user.

Post by gudon » Thu Aug 28, 2008 8:29 am

I never had CB installed when this happened >:(

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Login page a different user.

Post by Beat » Thu Aug 28, 2008 3:12 pm

ircmaxell wrote:PLEASE retest WITHOUT CB... It sounds like it's time for a security audit of it (this is not the first time I've heard "something" like this happening with CB installed)... I'll get back to you in a day or 3...
FYI, CB 1.2 beta 6 went through a full source code security audit, and only one extremely minor item got reported and fixed for CB 1.2 RC 1.

CB's security track compares quite well with other web-software and extensions these days, especially given the scope and size of CB. ;)

Only reported issues today are in very old versions, and we currently don't know of any confirmed open security issue, while always spending lots of time to analyze security issues around CB.

Last few problems we saw with such a thing was due to a damaged joomla install, or a Joomla 1.5 install before 1.5.6. Reinstalling joomla and cb solved the issue.

I'm not saying that everything is 100% secure, but that we are taking security very seriously, and are very open to improve it further, and looking forward to your security audit of latest CB 1.2 RC 2 8)
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

lib_mrducks
Joomla! Fledgling
Posts: 3
Joined: Thu Aug 28, 2008 10:33 pm

Re: Login page a different user.

Post by lib_mrducks » Thu Aug 28, 2008 10:44 pm

Hello all,

I just registered an account specifically due to this problem. I'm running a fresh install of 1.5.6 and having the same issue. I will log in with my admin account and at times after a few minutes my login greeting will change to that of some other user. I'm then able to poke around the site as that user without challenge. My concern is that some random user might end up with my admin rights and cause some problems. Just started happening a few hours ago, have had the site up and running for about 4 days now. I'm not running CB, but I do have FireBoard installed (latest stable version), as well as a bridge for my G2 gallery.

It's possible this is caused by either of those two addons...but if so, why did it wait to start a few hours ago when the site has been getting consistent traffic since day one?

brad
Joomla! Master
Posts: 13419
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: Login page a different user.

Post by brad » Thu Aug 28, 2008 11:06 pm

lib_mrducks wrote:Hello all,

I just registered an account specifically due to this problem. I'm running a fresh install of 1.5.6 and having the same issue. I will log in with my admin account and at times after a few minutes my login greeting will change to that of some other user. I'm then able to poke around the site as that user without challenge. My concern is that some random user might end up with my admin rights and cause some problems. Just started happening a few hours ago, have had the site up and running for about 4 days now. I'm not running CB, but I do have FireBoard installed (latest stable version), as well as a bridge for my G2 gallery.

It's possible this is caused by either of those two addons...but if so, why did it wait to start a few hours ago when the site has been getting consistent traffic since day one?
Are you also sure it is not a server side, perhaps caching issue?
Brad Baker
https://xyzuluhosting.com
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Login page a different user.

Post by ircmaxell » Fri Aug 29, 2008 10:56 am

Ok... I've built a POC script which SHOULD have caused this (session collisions) if it was a core issue. After over 1 million requests, with over 25,000 sessions, not a single collision... To me, it looks pretty likely that it's not a core issue... Please try removing all bridges and remove CB, and retest. If anyone can get it to consistently happen on their server (WITHOUT any 3pd extensions), please PM me...
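ircmaxell's proof-of-concept script is not reproduced on the page. As an added illustration (not his script and not Joomla's code), the following Python shows why a genuine session-ID collision at the scale he tested (25,000 sessions) is not a realistic explanation, and gives the check a defender can run over observed session IDs instead of trusting the estimate. It assumes 128-bit session IDs (the 32-hex-character IDs PHP 5.2 produced by default); the sample IDs are constructed in the block.

```python
import math
import secrets
from collections import Counter
from typing import Iterable, List, Set

# Assumption: session IDs are 32 hex characters, i.e. a 128-bit identifier space.
SESSION_ID_BITS = 128


def collision_probability(n_sessions: int, id_bits: int = SESSION_ID_BITS) -> float:
    """Birthday-bound estimate of the chance that any two of n random IDs coincide.

    P(collision) ~= 1 - exp(-n^2 / (2 * 2^bits)).  expm1 keeps the result
    precise when the exponent is tiny, which it is for 128-bit IDs.
    """
    space = 2.0 ** id_bits
    return -math.expm1(-(n_sessions ** 2) / (2.0 * space))


def sessions_for_probability(p: float, id_bits: int = SESSION_ID_BITS) -> float:
    """Number of simultaneous sessions needed before the collision chance reaches p."""
    return math.sqrt(-2.0 * (2.0 ** id_bits) * math.log(1.0 - p))


def find_duplicate_ids(session_ids: Iterable[str]) -> Set[str]:
    """Return IDs that occur more than once: a real collision in observed data.

    Run this over the session table (or the session-start lines of a log).
    A duplicate here points at a broken ID generator, or at a component that
    hands the same ID to several clients, not at bad luck with random IDs.
    """
    counts = Counter(session_ids)
    return {sid for sid, seen in counts.items() if seen > 1}


def generate_ids(n: int, id_bits: int = SESSION_ID_BITS) -> List[str]:
    """Constructed sample: n IDs from a CSPRNG, the same size as the real ones."""
    return [secrets.token_hex(id_bits // 8) for _ in range(n)]


if __name__ == "__main__":
    # The scale ircmaxell reported: 25,000 sessions with 128-bit IDs.
    print(f"P(collision) for 25,000 128-bit IDs: {collision_probability(25_000):.3e}")
    print(f"Sessions needed for a 50% chance:     {sessions_for_probability(0.5):.3e}")
    # A 16-bit ID space, by contrast, is exhausted by a few hundred visitors.
    print(f"P(collision) for 1,000 16-bit IDs:   {collision_probability(1_000, 16):.4f}")
    print("Duplicates among 25,000 generated IDs:", find_duplicate_ids(generate_ids(25_000)))
    # A constructed session table with one repeated ID shows what the detector reports.
    print("Duplicates in constructed sample:", find_duplicate_ids(["a1", "b2", "a1", "c3"]))
```

The point of the two halves: the estimate says random 128-bit IDs cannot be the cause, so if find_duplicate_ids() ever returns a non-empty set on a real session table, the generator or some extension writing into the session store is at fault, which is the direction the thread's later replies take.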

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Login page a different user.

Post by Beat » Fri Aug 29, 2008 2:25 pm

Cool that you wrote a POC for this 8)
lib_mrducks wrote: ... I'm not running CB...
gudon wrote:I never had CB installed when this happened >:(
Looks like CB is not involved in this problem.

I have also reviewed the code for JFactory::getUser(), which is used to get the logged-in user in Joomla 1.5.6, and unless there is a problem with your PHP sessions, I don't think that there is a problem.

Now maybe another track:

1) which sessions handler do you have set in the backend global configuration of joomla ?
2) if you change the sessions handler, does the problem persist ?

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Re: Login page a different user.

Post by dpiquette » Fri Aug 29, 2008 3:02 pm

...would it have to do with the cache?
I am running my site on IIS 5 on a W2K server.

Was the test done using Apache?


Ultimately, there is a problem because it's happening with more than one site.

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Login page a different user.

Post by ircmaxell » Fri Aug 29, 2008 4:42 pm

dpiquette wrote:...would it have to do with the cache?
I am running my site on IIS 5 on a W2K server.

Was the test done using Apache?


Ultimately, there is a problem because it's happening with more than one site.
Well.... The test was not using Apache, it was done using LIGHTTPD... BUT, the server doesn't make a difference. What would, is the SAPI... What SAPI (Server API: CGI, FastCGI, mod_php, etc) are you using? What version of PHP? Could you provide a phpinfo page? Also, what session storage are you using? What 3pd extensions (PLUGINS and COMPONENTS)...

Besides, IIS is not "officially" supported at this time. Please see http://help.joomla.org/content/view/1938/310/ the minimum requirements...

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Re: Login page a different user.

Post by dpiquette » Fri Aug 29, 2008 5:37 pm

Here's my configuration

* JCal Pro
* J! v1.5.6
* PHP 5.2.3
* MySQL 5
* J! English
* CB 1.2 RC 2

Here's the phpinfo link for my site ---> http://www.hockeyhost.ca/atom/phpinfo.php
ircmaxell wrote:Besides, IIS is not "officially" supported at this time. Please see http://help.joomla.org/content/view/1938/310/ the minimum requirements...
Just in the process of switching over to Apache.

here's my session storage settings.
[screenshot: session storage settings from the Joomla global configuration]

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Login page a different user.

Post by Beat » Fri Aug 29, 2008 9:20 pm

dpiquette wrote:Here's my configuration

* JCal Pro
* J! v1.5.6
* PHP 5.2.3
* MySQL 5
* J! English
* CB 1.2 RC 2

Here's the phpinfo link for my site ---> http://www.hockeyhost.ca/atom/phpinfo.php
ircmaxell wrote:Besides, IIS is not "officially" supported at this time. Please see http://help.joomla.org/content/view/1938/310/ the minimum requirements...
Just in the process of switching over to Apache.

here's my session storage settings.
[screenshot: session storage settings from the Joomla global configuration]
Before you switch over, could you please try the other session settings, so we have one variable changing at a time?

Thanks :)

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Login page a different user.

Post by Beat » Fri Aug 29, 2008 9:25 pm

ircmaxell wrote:
dpiquette wrote:...would it have to do with the cache?
Besides, IIS is not "officially" supported at this time. Please see http://help.joomla.org/content/view/1938/310/ the minimum requirements...
Hm, Joomla still recommending PHP 4.4.7 ? :eek:

PHP 4.x officially doesn't have any security releases anymore since 08.08.08... Maybe time to recommend PHP 5.2, and actually PHP 5.2.6, as some of the releases between 5.2.0 and 5.2.5 included, if not security-patched, had serious security vulnerabilities ?

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Re: Login page a different user.

Post by dpiquette » Fri Aug 29, 2008 9:30 pm

Beat wrote:Before you switch over, could you please try the other session settings, so we have one variable changing at a time?
I just finished getting everything working in Apache....

but the switch over is easy enough.

Back to unsupported IIS ;)

I also tested the session storage as DATABASE...and the frequency of the "login page a different user error" occurred more often...
Last edited by dpiquette on Fri Aug 29, 2008 10:24 pm, edited 1 time in total.

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Login page a different user.

Post by ircmaxell » Fri Aug 29, 2008 9:42 pm

Please install a fresh install of 1.5 on that server (NO EXTENSIONS), and test it there...

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Re: Login page a different user.

Post by dpiquette » Fri Aug 29, 2008 10:00 pm

ircmaxell wrote:Please install a fresh install of 1.5 on that server (NO EXTENSIONS), and test it there...
Sure...can you point your POC script to my site....BUT throttle the hits down a fraction or 2? :'(

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Login page a different user.

Post by ircmaxell » Fri Aug 29, 2008 10:26 pm

dpiquette wrote:
ircmaxell wrote:Please install a fresh install of 1.5 on that server (NO EXTENSIONS), and test it there...
Sure...can you point your POC script to my site....BUT throttle the hits down a fraction or 2? :'(
PM me please?

lib_mrducks
Joomla! Fledgling
Posts: 3
Joined: Thu Aug 28, 2008 10:33 pm

Re: Login page a different user.

Post by lib_mrducks » Sun Aug 31, 2008 6:00 pm

Hello gentlemen,

Just wanted to thank you for your replies and give you an update on my situation...

As previously stated, this appears to be a cache related issue. With my G2 bridge, all was well until another admin went crazy on caching and turned on both the G2 session cache and the Joomla cache. Looks like the session cookies were getting confused by the same domain handing out conflicting credentials (or session timeouts). I initially turned off all caching by setting the G2 to "no acceleration" and disabling the system cache module in Joomla. Ran it for a day, and no more burps. As I have buttloads of images in my G2 gallery, I enabled partial acceleration. Ran fine for a bit, at least until the session cookies there started expiring and then back to the same problem.

I eventually ended up turning off all internal application caching inside of Joomla and G2, and installed a PHP accelerator. Now the site is much, much faster (by a magnitude of 10 :-) ), and no more login / session errors.

Hope this helps someone out there...

Regards,
Brian
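The failure Brian describes, a shared page cache handing one user's rendered page to the next visitor, can be modelled in a few lines. This is an added example and not Joomla's, FireBoard's or the G2 bridge's code: a toy cache keyed only by URL (the weak setting) beside one that never stores session-dependent responses (the corrected setting). The Request and Response types, render() and the three-visitor scenario are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    path: str
    session_user: Optional[str]  # None means no session: an anonymous visitor


@dataclass(frozen=True)
class Response:
    body: str
    private: bool  # True when the body depends on the session and must not be shared


def render(req: Request) -> Response:
    """Constructed stand-in for the application: the greeting depends on who is logged in."""
    if req.session_user is None:
        return Response(body=f"{req.path}: Welcome, guest", private=False)
    return Response(body=f"{req.path}: Welcome back, {req.session_user}", private=True)


class UrlOnlyCache:
    """Weak setting: every rendered page is stored under its URL alone.

    The first response rendered for a path, including a logged-in user's
    personalised page, is replayed to every later visitor of that path.
    That is exactly the symptom in this thread: the login greeting of
    whoever rendered the page first shows up for someone else.
    """

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def get(self, req: Request) -> Response:
        if req.path in self.store:
            return self.store[req.path]
        resp = render(req)
        self.store[req.path] = resp
        return resp


class SessionAwareCache:
    """Corrected setting: only anonymous, non-private responses are shared.

    Requests that carry a session bypass the shared store entirely, and a
    response marked private is never written to it, so a personalised page
    can only ever reach the session it was rendered for.
    """

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def get(self, req: Request) -> Response:
        if req.session_user is None and req.path in self.store:
            return self.store[req.path]
        resp = render(req)
        if req.session_user is None and not resp.private:
            self.store[req.path] = resp
        return resp


def simulate(cache_cls) -> Tuple[str, str, str]:
    """Admin loads the front page, then another logged-in user, then an anonymous visitor."""
    cache = cache_cls()
    admin = cache.get(Request("/", "admin")).body
    other = cache.get(Request("/", "bob")).body
    guest = cache.get(Request("/", None)).body
    return admin, other, guest


def leaks_identity(cache_cls) -> bool:
    """True if a later visitor receives the page rendered for the admin's session."""
    admin, other, guest = simulate(cache_cls)
    return other == admin or guest == admin


if __name__ == "__main__":
    for cls in (UrlOnlyCache, SessionAwareCache):
        print(cls.__name__, simulate(cls), "leaks:", leaks_identity(cls))
```

The same rule applies to any layer in front of the application, not just Joomla's own cache module: a proxy or accelerator that caches by URL must be told (for example via Cache-Control: private or no-store on responses to logged-in sessions) that the page is per-user, or it will reproduce the UrlOnlyCache behaviour above.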

lib_mrducks
Joomla! Fledgling
Posts: 3
Joined: Thu Aug 28, 2008 10:33 pm

Re: Login page a different user.

Post by lib_mrducks » Sun Aug 31, 2008 6:02 pm

Just to be clear here...cache related issues when using the G2 connector. Never had a problem with straight Joomla install, so core is fine from what I can see and verify....
lib_mrducks wrote:Hello gentlemen,

Just wanted to thank you for your replies and give you an update on my situation...

As previously stated, this appears to be a cache related issue. With my G2 bridge, all was well until another admin went crazy on caching and turned on both the G2 session cache and the Joomla cache. Looks like the session cookies were getting confused by the same domain handing out conflicting credentials (or session timeouts). I initially turned off all caching by setting the G2 to "no acceleration" and disabling the system cache module in Joomla. Ran it for a day, and no more burps. As I have buttloads of images in my G2 gallery, I enabled partial acceleration. Ran fine for a bit, at least until the session cookies there started expiring and then back to the same problem.

I eventually ended up turning off all internal application caching inside of Joomla and G2, and installed a PHP accelerator. Now the site is much, much faster (by a magnitude of 10 :-) ), and no more login / session errors.

Hope this helps someone out there...

Regards,
Brian

dpiquette
Joomla! Apprentice
Posts: 10
Joined: Sat Aug 25, 2007 2:42 am

Re: Login page a different user.

Post by dpiquette » Mon Sep 01, 2008 3:29 pm

Well... I've been running a base install of 1.5.6 and have not been able to reproduce the problem.

Remembering my original configuration

* JCal Pro
* J! v1.5.6
* PHP 5.2.3
* MySQL 5
* JCal theme - default
* J! English
* CB 1.2 RC 2

I will now install CB 1.2RC and will continue to test.

