Security Bug

  • 4wr
    New Member
    • Oct 2000
    • 6

    Security Bug

    When I log in to a vBulletin forum, the URL for the index page (the page after login) shows the username and an encrypted password.

    [url]http://www.vbulletin.com/forum/index.php?username=4wr&password=ABCD[/url]

    This does not reveal the real password but it does raise a security issue.

    If I copy the URL exactly to another machine then I can log in as 4wr just by using the URL.

    If I am in an internet cafe and I log out of the vBulletin forum, such that all cookies are cleared and the board does not remember me, and then I enter the URL (or pick it from history) then it logs me in as 4wr.

    I.e., anyone who accidentally picks this URL from the history of pages visited, or can otherwise get the URL, can log in as that user.

    I believe this is a security issue.

    Can someone please comment on whether my belief is correct or whether I've missed something crazy! Hopefully it's been covered somewhere....

    Cheers,

    Alan
  • werehere
    Senior Member
    • Apr 2000
    • 1827

    #2
    Yes, that is correct. I believe this only happens once, however, on the first login to the forum.
    We're Here Forums!

    • 4wr
      New Member
      • Oct 2000
      • 6

      #3
      Thanks for the reply.

      Does that mean that the security flaw has just been 'accepted' and that there is no fix or planned fix?

      With the increase of usage of shared computers, it would surprise me if I was the only one bothered by this.


      • werehere
        Senior Member
        • Apr 2000
        • 1827

        #4
        That does not mean any of the above!

        It was simply letting you know the way it currently works. I would suggest you post any suggestions you may have to fix it in the appropriate forum, the suggestions forum.

        I agree with you 100%, and would like to see it done better as well.
        We're Here Forums!

        • 4wr
          New Member
          • Oct 2000
          • 6

          #5
          Ok, thanks for your reply.

          At the moment I don't have a fix for the problem. However, if I do I'll follow up. Since the bug is reported here, is it not appropriate to post the potential fix here?

          Cheers,

          Alan


          • werehere
            Senior Member
            • Apr 2000
            • 1827

            #6
            I understand what you mean by that, but this is a known problem, and I would not consider it a bug necessarily. You can post it wherever you wish, but if you indeed have a good way around this, then it may be a good suggestion to bring up as well. :)
            We're Here Forums!

            • 4wr
              New Member
              • Oct 2000
              • 6

              #7
              I have been thinking about this problem and think I have a way to fix it.

              A fix should stop two things happening:

              1. If you COPY the URL and then PASTE it into a separate window/machine then the URL should fail.

              2. If you use the HISTORY or BACK buttons and reload the page after logout, the login should fail.

              The solution I have is as follows:

              1. The login routine should check to ensure the REFERER is from the same site, i.e., if the preceding page was not from the same board then the login should fail. This will ensure you cannot COPY/PASTE the URL into another window.

              2. A third parameter 'date=...' could be added to the login form. The login page could then check that the date the URL is accessed is within 10 minutes (say) and fail if not.

              I think that both of these need to be implemented for the problem to be fixed. Unfortunately I do not yet know how to implement them myself in PHP, or whether implementation would cause any other part of VB to fail. However, if any kind star has the time and skills to implement them then I'm sure many would appreciate it.

              Thanks for your feedback. If you feel this thread would be better served in another area then feel free to move it.

              Cheers,

              Alan


              • JohnM
                Senior Member
                • May 2000
                • 622

                #8
                But what if someone simply changes the date parameter and copy+pastes it from default.php?

                [edit]
                woohoo senior member! ;)
                [/edit]


                • 4wr
                  New Member
                  • Oct 2000
                  • 6

                  #9
                  If you alter the URL then you must enter it manually into the browser. In that case, the REFERER will not be set and so the login will fail.

                  The only way around this for a hacker would be to post a message on the board with the modified URL as a link, however moderators should remove that and ban such a poster.

                  That said, I've just noticed the following URL

                  [url]http://www.vbulletin.com/forum/newreply.php?action=newreply&threadid=3701&username=4wr&password=XXXX[/url]

                  which obviously has the same problem. Therefore, the fix for 'login' may need to be applied elsewhere also.
                  I clicked to 'reply' to this post without being logged in.


                  • Azooz
                    New Member
                    • Oct 2000
                    • 11

                    #10
                    vBulletin's Admin password free for all!

                    Hi,

                    My host has a stats program that any of my users could access. One of the things it showed was some URLs sent by the browser... i.e. vBulletin's user name and password.

                    They discovered it before I did - and they abused each other all over the place - had a lot of fun :-)

                    The stats program is now password protected - but the damage was done. The host is CI Host and any vBulletin hosted there will have this same problem sooner or later - not a new problem either - it's been happening for a few months I think.

                    Had my users looked hard enough they would have seen my Admin ID and password - then they could have had fun with the Admin control panel!

                    I wonder if vBulletin.com's host has a stats program that can be accessed easily? Could hurry them up a bit I think?

                    It's an easy problem to fix - replace post with get - I think - not much of a code writer myself.

                    Time someone took this bug seriously? 3 of my friends have asked support for a fix - they're still waiting.


                    • Freddie Bingham
                      Former vBulletin Developer
                      • May 2000
                      • 14057
                      • 1.1.x

                      #11
                      That is your fault for not placing a .htaccess on your stats directory. Do you think it is ever safe to allow your web traffic to view all good/bad URLs submitted to your site along with the referral links?


                      • Azooz
                        New Member
                        • Oct 2000
                        • 11

                        #12
                        Kinda like saying the customer is wrong?

                        Blame Me for vBulletin's security problem - better than asking them to fix it - more fun anyway :-)

                        You can also blame CI Host for giving us newbies free web stats - someone should ask them to remove their free stats - that would help vBulletin's support a lot.

                        Stats are not the only way to get browser sent URLs

                        Yes it was my fault, I should have known to password protect my stats - instead of asking vBulletin support to fix this huge Old security problem.

                        Go BEARS !!
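
Posts #10 to #12 describe credentials reaching a readable stats page through logged request URLs and referral links. As an added example (not part of the thread and not vBulletin code), this Python sketch flags and redacts `password` parameters in both the request and Referer fields of access-log lines; the Combined Log Format, the parameter names and the sample lines are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credentials (assumption; extend for your application).
SENSITIVE = {"password", "passwd", "pwd"}

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)'
    r'(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>" "[^"]*")$'
)

def redact_url(url):
    """Return (redacted_url, names of sensitive parameters found)."""
    parts = urlsplit(url)
    found, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        kept.append((name, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(kept))), found

def scan_line(line):
    """Redact one access-log line; return (clean_line, findings)."""
    m = LOG_RE.match(line)
    if not m:
        return line, []  # not Combined Log Format: left untouched, review separately
    url, in_req = redact_url(m["url"])
    ref, in_ref = redact_url(m["referer"])
    findings = [("request", n) for n in in_req] + [("referer", n) for n in in_ref]
    clean = f'{m["pre"]}{m["method"]} {url} {m["proto"]}{m["mid"]}{ref}{m["post"]}'
    return clean, findings

# Constructed sample lines (addresses, host and values are placeholders).
SAMPLE = [
    '192.0.2.10 - - [01/Nov/2000:10:00:00 +0000] "GET /forum/index.php?username=alice&password=ABCD HTTP/1.0" 200 5120 "http://forum.example/forum/index.php" "Mozilla/4.0"',
    '192.0.2.11 - - [01/Nov/2000:10:01:00 +0000] "GET /forum/showthread.php?threadid=3701 HTTP/1.0" 200 9000 "http://forum.example/forum/newreply.php?action=newreply&threadid=3701&username=alice&password=XXXX" "Mozilla/4.0"',
    '192.0.2.12 - - [01/Nov/2000:10:02:00 +0000] "GET /forum/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scan_line(entry)[1])
```

Redaction only cleans what is already on disk; any account whose credential appears in a finding should still have its password changed.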


                        • Dutchman
                          New Member
                          • Nov 2000
                          • 2

                          #13
                          I think this is the solution: the redirect where the password is displayed in the URL is useless and a potential security risk, so a friend of mine came up with the following solution: (thanks Chaos)

                          Edit your forum's index.php a bit. (Back it up first please ;))
                          Find rule #29 --> if ($action=="login") {
                          Add '$bbuserid = ' to the rule directly under it (#30) so it should become:
                          $bbuserid = verifyusername($username,$password);
                          now go 3 rules down and find 'if($url!="" and .......'
                          Now delete ' $username=urlencode($username); '
                          Replace it with the following code block:
                          $bbpassword = substr(md5($password),0,strlen($password));
                          setcookie("bbuserid",$bbuserid,mktime(0,0,0,0,0,2020),$cookiepath);
                          setcookie("bbpassword",$bbpassword,mktime(0,0,0,0,0,2020),$cookiepath);
                          Now delete anything under this codeblock UNTIL you get to ' header("Location: $url"); ' (that is about five lines),
                          do NOT delete the ' header("Location: $url"); ' or anything under it.

                          This should prevent the forum from displaying the password (encrypted or not) in the URL on login.
                          Mail me if you have questions and/or problems, I'll forward them to Chaos.
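
Post #7 asks that a copied URL and a post-logout history entry both fail, and post #13 moves the credential out of the redirect URL and into cookies. As an added example (not code from the thread or from vBulletin), this Python model of that flow goes one step beyond the post by using a random server-side session token instead of a cookie value derived from the password; the user store, cookie name and function names are assumptions, and it is written in Python rather than the board's PHP so that it runs stand-alone.

```python
import hashlib, hmac, secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user record for the example: username -> (salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
SESSIONS = {}  # random token -> username; lives only on the server

def strip_credentials(url):
    """Drop username/password parameters from a redirect target."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in ("username", "password")]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def login(method, form, next_url):
    """Return (status, headers) for a login request."""
    if method != "POST":
        return 405, {"Allow": "POST"}  # credentials in a query string are refused
    record = USERS.get(form.get("username", ""))
    supplied = form.get("password", "")
    if record is None or not hmac.compare_digest(_hash(supplied, record[0]), record[1]):
        return 403, {}
    token = secrets.token_urlsafe(32)  # random, not derived from the password
    SESSIONS[token] = form["username"]
    return 302, {
        "Location": strip_credentials(next_url),
        "Set-Cookie": f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/",
    }

def current_user(cookies):
    """Resolve the session cookie; a bare URL with no cookie yields None."""
    return SESSIONS.get(cookies.get("session", ""))

def logout(cookies):
    """Invalidate the token server-side so a replayed cookie stops working."""
    SESSIONS.pop(cookies.get("session", ""), None)
```

Because the redirect target carries no credential and the token is deleted on logout, neither a pasted URL nor a history entry can restore the session.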
