When I log in to a vBulletin forum, the URL for the index page (the page after login) shows the username and an encrypted password.
[url]http://www.vbulletin.com/forum/index.php?username=4wr&password=ABCD[/url]
This does not reveal the real password but it does raise a security issue.
If I copy the URL exactly to another machine then I can log in as 4wr just by using the URL.
If I am in an internet cafe and I log out of the vBulletin forum, such that all cookies are cleared and the board does not remember me, and then I enter the URL (or pick it from history), then it logs me in as 4wr.
I.e., anyone who accidentally picks this URL from the history of pages visited, or can otherwise get the URL, can log in as that user.
I believe this is a security issue.
Can someone please comment on whether my belief is correct or whether I've missed something crazy! Hopefully it's been covered somewhere....
Cheers,
Alan
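The exposure described in the post (a password hash sitting in a GET query string, where it lands in browser history, server and proxy logs, and the Referer header of any outbound link) can be spotted from the server side. The following is an added example, not code from the post or from vBulletin: it scans access-log lines in the Combined Log Format (an assumption) for credential-bearing parameters in the request URL or the Referer, and reports them with the secret value redacted. The parameter names and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query parameters that should never travel in a GET URL (assumed names).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass"}

# Combined Log Format, assumed here; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def redact(url: str) -> str:
    """Replace the value of every credential parameter so the finding itself is safe to store."""
    parts = urlsplit(url)
    params = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))

def find_credential_leaks(log_lines):
    """Return one finding per request whose URL or Referer carries a credential parameter."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip rather than guess
        for field in ("target", "referer"):
            url = m.group(field)
            names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
            hit = names & CREDENTIAL_PARAMS
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "where": "request" if field == "target" else "referer",
                    "params": sorted(hit),
                    "url": redact(url),
                })
    return findings

# Constructed sample lines (not real traffic): a login replayed via the URL from
# the post, that URL leaking as the Referer of an image fetch, and a clean request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /forum/index.php?username=4wr&password=ABCD HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2000:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 90 "http://www.vbulletin.com/forum/index.php?username=4wr&password=ABCD" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2000:13:56:01 +0000] "GET /forum/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOG):
        print(finding)
```

The second finding illustrates the point the post makes about the URL travelling: the credential leaves the site in the Referer of an ordinary image request, so it is worth checking that field as well as the request line.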