Login page a different user.

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions


Re: Login page a different user.

Post by ircmaxell » Sat Jan 10, 2009 5:18 pm

cvoogt wrote:My code works for me and since this happens to me on several servers, I suspect the core. Most users wouldn't notice this because most don't know about the System Cache anyway. For me, the problem is only the system cache. The normal cache in Global Config works fine.
Well, the system plugin has nothing to do with the modules. In fact, it won't cache if a user is logged in... It should have nothing to do with the system plugin...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs


Re: Login page a different user.

Post by cvoogt » Sat Jan 10, 2009 6:06 pm

1. agree. Definitely not a security issue, but users and clients will perceive it as such.
2. agree, not a browser cache problem.
3. I'm not sure what the potential problems with the cache might be, but yes, I suppose something could be messed up there, though if I clean my entire cache and try again, it just happens again. I test using separate browsers (Firefox and IE7) to keep my user sessions separate, using two separate Joomla accounts. To reproduce:

1. Have System Cache turned on.
2. I also have the global config's cache on.
3. login with Firefox as "some user" using either Joomla or CB login module.
4. You should see "welcome <username>" as well as a user menu, if you have one.
5. I then go to my site in IE7, and see "welcome <username>" even though I am not logged in there. Sometimes I will see it in another language, since it's a multilingual site, so some users were seeing Chinese when they only speak English.

Update:
Now all of a sudden this issue has stopped happening to me. I have disabled my custom template code, and it is no longer happening. It has been sporadic, so it may happen again.

I have a decent size site - 3000+ articles, 3000+ users, a forum with a bunch of posts, a bookmarks directory with 2000 or so links, and so on. That's a LOT of files to cache, so maybe the problems arise when the cache gets too large?? Or could there be a conflict between the Global Configuration's cache and the System Cache?


Re: Login page a different user.

Post by phil_roy » Sat Jan 10, 2009 10:22 pm

ircmaxell wrote:1. This is NOT a security issue. Sessions are not conflicting, nobody's "becoming another user", etc.
I'm fairly sure I disagree with that. At the time it happened for me, I was able to see someone else's details...I think. That said, it has been quite some time since I had the cache switched on to try, so my recollection is a bit fuzzy.

I will set up a test version of one of my sites and see what happens. In the meantime, I'll go with your comments until I can prove otherwise.

Phil


Re: Login page a different user.

Post by cvoogt » Sat Jan 10, 2009 11:15 pm

I don't remember being able to actually edit someone else's profile though.


Re: Login page a different user.

Post by KurtSteiner » Sun Jan 11, 2009 10:23 am

ircmaxell wrote: People, let me clarify a few things here
1. This is NOT a security issue. Sessions are not conflicting, nobody's "becoming another user", etc. And since J!'s firing, a person wouldn't see a page he wasn't authorized to see.
Dear Anthony,

Unfortunately I totally disagree :(

Because within this real existing issue, people are able to SEE the Postbox of another user and they can POST in a shoutbox using the identity of another user.

THIS IS A SECURITY Problem, at least for my personal feeling of being secure.

ircmaxell wrote: Why do I think it's external to Joomla? There are around 1 million downloads per month of 1.5... There are what, maybe 15 or 20 people in this thread? I'm not saying it isn't happening, but numbers point to it not being a core issue...
:eek:

Dear Anthony,
I really won't be impolite, so please keep in mind that English is not my first language.

Your explanatory statement is totally [censored] and discriminatory, because you close your eye and ear from SECURITY problems of a minority group.

With this kind of argument, you could also say:
"to die from unclean water is not my problem and not a problem at all, because it affects only other people's children within the third world"
Why can't you come out of your personal comfort zone and take Beat's findings and use all the people's offers within this thread to take a look at a real existing problem?

At least YOU would be able to save some Joomla lives and would get a place in the minor group's heart and prayer.
Sunny regards

Kurt Steiner aka Bernd
-------------------------------------------
http://www.movegreen.de
Business Club for renewable energy


Re: Login page a different user.

Post by junsve » Sun Jan 11, 2009 12:06 pm

Hi all.
I have been watching this thread for a couple of months because I am affected by the problem. So far I haven't posted anything since I had nothing to add to the description of the problem nor to a solution.

The fact that I have the problem is now the reason for me to make this post since it seems it is not taken seriously enough.

I hope for a solution soon. If it isn't a security issue then it is a matter of confidence... the opinion of the visitors to my site is that there is a security problem since they are greeted with someone else's login.

/Sven


Re: Login page a different user.

Post by mic » Sun Jan 11, 2009 1:17 pm

ircmaxell wrote: People, let me clarify a few things here
1. This is NOT a security issue. Sessions are not conflicting, nobody's "becoming another user", etc. And since J!'s firing, a person wouldn't see a page he wasn't authorized to see.
As can be seen, what is the definition of 'security'?
For some (like me) it is also a security issue if someone other can see my personal settings or my post.
ircmaxell wrote: Why do I think it's external to Joomla? There are around 1 million downloads per month of 1.5... There are what, maybe 15 or 20 people in this thread? I'm not saying it isn't happening, but numbers point to it not being a core issue...
Maybe there is that figure of downloads, but it says nothing about how many people are using Joomla!
And one reason could be - because of 'only 15 or 20 people' - the thread title.
If it were something like 'Cache issue' or 'Somebody else can see my personal settings' maybe there would be more postings?

Finally, I cannot remember that something like this happened in Joomla 1.0.x or earlier Mambo.
To say now ' ... this can be only some external ... is not Joomla ... ' is a quick answer, but
1. where/what is the solution?
2. what leads to this issue/behaviour?
http://www.joomx.com - custom extensions and development
http://www.joomlasupportdesk.com - support, migration, training and consulting
Member of the German Joomla Translation Team


Re: Login page a different user.

Post by ircmaxell » Sun Jan 11, 2009 2:21 pm

mic wrote: For some (like me) it is also a security issue if someone other can see my personal settings or my post.
With the information I have now, that's not possible, hence why I say it's not a security issue. And to KurtSteiner: Security is implemented by sessions, not what a user can or can't see. So just because they can see the "post box" doesn't mean they can use it. Security on the server side would enforce it differently...
1. where/what is the solution?
Where's the information? I've put well over 100 hours into this issue. Between unit tests, and building loading engines, and the such. I have not even been able to replicate the issue. Nor have I been given access to any site that has this "problem". I have asked MANY times in this thread for information. Only one person (phil_roy) has provided it (Does that mean only one person wants this fixed?). I cannot do this by myself. Maybe what I said before will motivate some people to actually help... If I can get 15 or 20 responses from the Post Assistant (The one linked at the top of every page http://forum.joomla.org/viewtopic.php?f=428&t=272481), maybe we can correlate what's going on here.

Re: Login page a different user.

Post by mic » Sun Jan 11, 2009 2:41 pm

Well, I can only confirm what you are saying: ' ... not enough information ..'.
If everyone who is posting here would provide exact information about his environment, tracking this issue would be easier.
But only saying 'it does not work for me' is really not enough.

Maybe we could push this issue (and the people) forward by making it more public?

p.s.: I had this once at a Joomla template vendor 2 weeks ago (logged in with my account but could edit another profile and save it!).
Informed them, but cannot provide any detail at the moment.
Will ask them again if they can give me more information (maybe within a direct connection between them and you?).

Re: Login page a different user.

Post by cvoogt » Sun Jan 11, 2009 4:12 pm

Yes, mic, exactly.

What I would really like to know is this:

Those of you experiencing this problem:
When you view your page and see "welcome, Notmyusername", are you able to edit that other person's profile? I seriously doubt it. The sessions that handle the logins are separate from the caching, so while you're seeing a module as it was cached by a different user (and it should not have been cached), you should not be able to edit anything. For Community Builder Profiles: can anyone confirm whether or not the user profile is being cached the same way the login module is? I have not encountered that, and on my main site I've been testing, the CB login module caching problem just went away by itself. However, this has been such a problem for me that I want to make sure it is truly resolved. I don't want it coming back to haunt any Joomla users.


Re: Login page a different user.

Post by mic » Sun Jan 11, 2009 5:25 pm

To be a bit more specific, it was a site using XXX3pd ExtensionXXX and I could (!) edit another member's profile and save it.
All under my login data.
Last edited by ircmaxell on Sun Jan 11, 2009 6:46 pm, edited 1 time in total.
Reason: Remove possible vulnerable extension name

Re: Login page a different user.

Post by ircmaxell » Sun Jan 11, 2009 6:45 pm

mic wrote:To be a bit more specific, it was a site using XXX3pd ExtensionXXX and I could (!) edit another member's profile and save it.
All under my login data.
That could be (and probably is) an issue with that 3pd extension. I'd suggest contacting the 3pd and reporting it to them (and not publicizing it)...

Re: Login page a different user.

Post by cvoogt » Sun Jan 11, 2009 7:24 pm

mic wrote:To be a bit more specific, it was a site using XXX3pd ExtensionXXX and I could (!) edit another member's profile and save it.
All under my login data.
Mic, could you test using the regular Joomla login module and user menu and see if you're able to edit someone else's profile? It would be good to know if it's your 3rd party extension or Joomla - probably not Joomla, but good to exclude it as a possibility.


Re: Login page a different user.

Post by mic » Sun Jan 11, 2009 7:35 pm

To give an answer to both (ircmaxell & cvoogt): I don't know much more at the moment.
It happened on a website not owned by me.
I requested more info and am still waiting for it.

It was a strange experience I had never had before and I reported it immediately to the website owner (a known company).
And yes, my first suggestion is also that the 3rd party extension is the 'eval'.

When I know more, either I will post it here or do that privately via PM.

Re: Login page a different user.

Post by ircmaxell » Tue Jan 13, 2009 5:41 pm

So I guess I was right in my assumption that this is not an important issue? Otherwise there would be at least 10 posts here by now with details (the post assistant). How quick everyone is to jump on my back when I say something you may not agree with, but when help (and information) is asked for, nobody is found...

Short of any more information, from what I can see, this is not Joomla core...

Re: Login page a different user.

Post by mattfaulds » Tue Jan 13, 2009 6:27 pm

Things are getting a little heated aren't they? I also got torched by a developer in a CB forum after posting politely to raise awareness of this so I understand some reticence from others who are thinking about posting here. However, I'm just interested in getting this sorted, whatever the cause so here goes.

This dump is from a site with several extensions active including CB 1.2 RC4 but I will also check on another clean installation and post back. Make of it what you will...



Diagnostic Information
Joomla! Version: Joomla! 1.5.8 Production/Stable [ Wohnaiki ] 10-November-2008 23:00 GMT
configuration.php: Not Writable (Mode: 444 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18-53.1.6.el5PAE ( i686) | Web Server: Apache | PHP Version: 5.2.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.67-community ( Localhost via UNIX socket )

Extended Information:
SEF: Enabled (with ReWrite) | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 32M | Max. Upload Size: 32M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.67 ( latin1 )


Re: Login page a different user.

Post by ircmaxell » Tue Jan 13, 2009 6:35 pm

mattfaulds wrote:Things are getting a little heated aren't they? I also got torched by a developer in a CB forum after posting politely to raise awareness of this so I understand some reticence from others who are thinking about posting here. However, I'm just interested in getting this sorted, whatever the cause so here goes.

This dump is from a site with several extensions active including CB 1.2 RC4 but I will also check on another clean installation and post back. Make of it what you will...



2 more questions:

Legacy mode on or off (the plugin)

What are your cache settings:
Global configuration:
Plugin (system-cache):

Re: Login page a different user.

Post by baboon » Tue Jan 13, 2009 6:37 pm

Diagnostic Information
Joomla! Version: Joomla! 1.5.9 Production/Stable [ Vatani ] 9-January-2009 23:00 GMT
configuration.php: Not Writable (Mode: 444 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18.5-imu-x86-136 ( i686) | Web Server: Apache ( http://..... ) | PHP Version: 5.2.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 10 seconds | File Uploads: Enabled
MySQL Version: 5.0.45-log ( mysql...... via TCP/IP )

Extended Information:
SEF: Enabled (with ReWrite) | FTP Layer: Enabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: apache2handler | MySQLi: Yes | Max. Memory: 48M | Max. Upload Size: 200M | Max. Post Size: 200M | Max. Input Time: 10 | Zend Version: 2.2.0
Disabled Functions: set_time_limit,passthru,exec,system,popen,shell_exec,proc_open
MySQL Client: 5.0.22 ( latin1 )


Re: Login page a different user.

Post by mattfaulds » Tue Jan 13, 2009 7:20 pm

Legacy on. Only system cache needs to be on for issue to occur.
Last edited by mattfaulds on Wed Jan 14, 2009 8:58 am, edited 1 time in total.


Re: Login page a different user.

Post by cvoogt » Tue Jan 13, 2009 7:35 pm

mattfaulds wrote:Legacy on. Only system cache needs to be on for error to occur.
Right. In my case I also had legacy on, with System Cache + Global Config cache on.
With Legacy + Global Config only, the problem disappeared.

I can't provide the technical specs on my setup right now because I am switching servers at the moment.


Re: Login page a different user.

Post by ircmaxell » Tue Jan 13, 2009 7:37 pm

mattfaulds wrote:Legacy on. Only system cache needs to be on for error to occur.
If legacy is off, does the problem still occur?

Re: Login page a different user.

Post by baboon » Tue Jan 13, 2009 8:46 pm

Legacy On
Global Configuration cache On
Plugin System Cache On


Re: Login page a different user.

Post by ircmaxell » Tue Jan 13, 2009 9:23 pm

Could someone experiencing this issue please try something for me... Change line 113 of /plugins/system/cache.php from

        $this->_cache->store();
To

        $user =& JFactory::getUser();
        if (!$user->get('aid')) {
            $this->_cache->store();
        }
Then clear the cache, and try again...
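
The effect of the change proposed in the post above, shown in a simplified stand-alone model of a full-page cache. This is an added example, not part of the thread and not Joomla's plugin code; `PageCache`, `renderPage`, `handle` and `replay` are hypothetical names, and the `aid` convention used here (0 for a guest, non-zero when logged in) is an assumption of the model.

```php
<?php
// Simplified model of a full-page cache. All names are hypothetical;
// this is not the code of /plugins/system/cache.php.

final class PageCache
{
    /** @var array<string,string> rendered HTML keyed by request URI only */
    private array $pages = [];

    public function get(string $uri): ?string
    {
        return $this->pages[$uri] ?? null;
    }

    public function store(string $uri, string $html): void
    {
        $this->pages[$uri] = $html;
    }
}

/** Render a page whose login module depends on who is viewing it. */
function renderPage(string $uri, ?string $username): string
{
    $module = $username === null
        ? '<form>login</form>'
        : 'welcome ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');

    return "<html><body>{$module}<main>{$uri}</main></body></html>";
}

/**
 * Handle one request.
 *
 * $aid models the 'aid' value tested in the proposed change:
 * 0 for a guest, non-zero for a logged-in user (assumption of this model).
 * $guardStore = false models the original line, true models the change.
 */
function handle(PageCache $cache, string $uri, ?string $username, int $aid, bool $guardStore): string
{
    // Cached pages are only ever served to guests.
    if ($aid === 0 && ($hit = $cache->get($uri)) !== null) {
        return $hit;
    }

    $html = renderPage($uri, $username);

    // Original behaviour: store every rendering.
    // Changed behaviour: store only what a guest was shown.
    if (!$guardStore || $aid === 0) {
        $cache->store($uri, $html);
    }

    return $html;
}

/** Replay the reproduction steps: a logged-in user browses, then a guest. */
function replay(bool $guardStore): string
{
    $cache = new PageCache();
    handle($cache, '/index.php', 'alice', 1, $guardStore); // constructed user, browser A
    return handle($cache, '/index.php', null, 0, $guardStore); // guest, browser B
}

echo 'unguarded store, guest receives: ', replay(false), PHP_EOL;
echo 'guarded store,   guest receives: ', replay(true), PHP_EOL;
```

With the unguarded store the guest receives the HTML that was rendered for the logged-in user; with the guard the guest receives its own rendering. In both runs the guest's session is unchanged, so only the cached output crosses between users.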


Re: Login page a different user.

Post by mattfaulds » Tue Jan 13, 2009 9:47 pm

I haven't made the adjustment yet because, annoyingly, the issue isn't occurring at the moment. This seems to be one of the problems in hunting it down. I think I need to be able to access the site from a different network/IP address. Would that make any sense?

For testing, I can't turn legacy off and keep the site running. I have got an unadulterated install to test on too so I'll try both when I can access from two places.
Last edited by mattfaulds on Wed Jan 14, 2009 8:52 am, edited 1 time in total.


Re: Login page a different user.

Post by baboon » Tue Jan 13, 2009 9:49 pm

I made this modification

now waiting for some feedback from my user...

I will let you know in this thread...


Re: Login page a different user.

Post by brianjd » Wed Jan 14, 2009 8:00 am

Made the modification three hours ago. The issue has not recurred. Previously, the issue always showed up within an hour of enabling the page cache plugin.

If something changes, I'll be sure to post (with the details you requested), though I doubt it will break now. I am interested in what the problem ended up being, and what finally led you to this solution.

Thank you so much for continuing to track this issue, read this thread, and work on the problem. Your efforts and achievements are greatly appreciated.


Re: Login page a different user.

Post by kosmos » Wed Jan 14, 2009 9:41 am

Hi Anthony,

Apologies for the delay in replying. Here is my diagnostic info



Diagnostic Information
Joomla! Version: Joomla! 1.5.7 Production/Stable [ Wovusani ] 9-September-2008 23:00 GMT
configuration.php: Not Writable (Mode: 755 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.9-67.0.7.ELsmp ( i686) | Web Server: Apache ( http://www.** ) | PHP Version: 5.2.5
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Disabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.51a-community-log ( 127.0.0.1 via TCP/IP )

Extended Information:
SEF: Disabled (with ReWrite) | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: apache2handler | MySQLi: Yes | Max. Memory: 32M | Max. Upload Size: 2M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.51a ( latin1 )


I have made the code change you suggested on our test site, with no adverse effects, but the issue is virtually impossible to replicate on test due to the lack of volume of users.

I'm cautious of making the change on our production site until there is a bit more feedback about the fix. What is the code change you proposed designed to do?


Re: Login page a different user.

Post by musiczineguy » Wed Jan 14, 2009 5:12 pm

I don't know if this helps, so feel free to ignore if it doesn't...

I had this happen once that I know of -- my site consists almost completely of guests coming, checking various music reviews, then leaving. The user accounts that are set up are for my writers, so I know what the behavior "should be" when a user is logged in, because it's a very limited group and they have elevated rights.

I logged in once, about three weeks ago, and noticed that one of the users was logged in -- then I noticed I was logged in as that user. I tried logging in from more than one browser and on a separate machine and, sure enough, I was logged in as that user on each. Since only registered users have access to the Virtuemart implementation on the site, I knew I was logged in at an elevated level because I could see the Virtuemart menu and I hadn't logged in myself.

So then, as a test, I logged into my administrator account and, sure enough, on a different browser, I was logged in as the Admin without actually logging in. This understandably freaked me out so I immediately logged back out on the front end, then went in and cleared all cache. The problem immediately went away.

Since I had been having other issues with 1.5.8 that were pointing to cache as being a problem, I disabled cache completely. The site is noticeably slower, but not ridiculously so, but I have not had the problem since.

All of the above is anecdotal, I realize, but given with respect to all the work going on to tie this problem down ... maybe it sheds some light. If not, disregard.
ircmaxell wrote:Could someone experiencing this issue please try something for me... Change line 113 of /plugins/system/cache.php from

        $this->_cache->store();
To

        $user =& JFactory::getUser();
        if (!$user->get('aid')) {
            $this->_cache->store();
        }
Then clear the cache, and try again...
IRCMaxell -- if you still need volunteers to try this patch, please say so and I'll give it a shot, even though I have only experienced this anomaly once.


Re: Login page a different user.

Post by brianjd » Wed Jan 14, 2009 7:41 pm

Problem Description:
The caching is working correctly now... I am using YooLogin module and it is set to Remember logins. With the Caching plugin enabled, it no longer remembers logins. When the user is logged in, quits their browser, then re-opens the browser and navigates to the site, they are no longer logged in.

Additionally, when a user attempts to re-login they receive an Invalid Token error. Refreshing the page resolves the issue for that session. It occurs every time after closing and relaunching the browser.

Actions Taken To Resolve:
Disabling the Cache plugin immediately restored the previous behavior. When closing the browser and re-opening it, the user's login is remembered.

Diagnostic Information
Joomla! Version: Joomla! 1.5.9 Production/Stable [ Vatani ] 9-January-2009 23:00 GMT
configuration.php: Writable (Mode: 775 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.20.15-vs2.2.0.2rw_vs_3 ( i686) | Web Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 ( http://www.truebluekentucky.com ) | PHP Version: 5.2.0-8+etch13
PHP Requirements: register_globals: Enabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.67-log ( dbhost via TCP/IP )

Extended Information:
SEF: Enabled (without ReWrite) | FTP Layer: Enabled | htaccess: Not Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: apache2handler | MySQLi: Yes | Max. Memory: 164M | Max. Upload Size: 32M | Max. Post Size: 8M | Max. Input Time: 90 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.32 ( latin1 )


Re: Login page a different user.

Post by ircmaxell » Wed Jan 14, 2009 7:48 pm

brianjd wrote:Problem Description:
The caching is working correctly now... I am using YooLogin module and it is set to Remember logins. With the Caching plugin enabled, it no longer remembers logins. When the user is logged in, quits their browser, then re-opens the browser and navigates to the site, they are no longer logged in.

Additionally, when a user attempts to re-login they receive an Invalid Token error. Refreshing the page resolves the issue for that session. It occurs every time after closing and relaunching the browser.

Actions Taken To Resolve:
Disabling the Cache plugin immediately restored the previous behavior. When closing the browser and re-opening it, the user's login is remembered.

So does that mean it's fixed with the above patch?