Security problem: One user accidentally gets access to other people's accounts!

END OF SUPPORT: 1 January 2017 (announcement)
Ivaylo
Registered User
Posts: 50
Joined: Sun Mar 25, 2007 6:52 am
Location: Bulgaria, Europe

Post by Ivaylo » Tue Oct 04, 2016 7:08 am

Support Request Template
What version of phpBB are you using? phpBB 3.0.12
What is your board's URL? No answer given
Who do you host your board with? No answer given
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Update from a previous version of phpBB3
Is registration required to reproduce this issue? Yes
Do you have any MODs installed? No
Do you have any extensions installed? No
What version of phpBB3 did you update from? phpBB 3.0.11
What styles do you currently have installed? prosilver, subsilver2
What language(s) is your board currently using? No answer given
Which database type/version are you using? MySQL 5
What is your level of experience? New to PHP but not phpBB
What username can be used to view this issue? No answer given
What password can be used to view this issue? No answer given
What actions did you take (updating your board; installing a MOD, style or extension; etc.) prior to this problem becoming noticeable? I didn't take any actions in the past year - the problem appeared out of nowhere.
Please describe your problem. A moderator in my forum tried to log in with his own username and password. The problem is that he got logged in as another member instead - with a completely different username or password. While logged in as the wrong user, he had access to his PMs, saw the forum in his custom theme. It's a serious anomaly and security issue. The moderator doesn't have any special permissions, nor does he have the password of the other user. It got even more serious when the next day this happened again. While the same moderator was correctly logged in, it took a simple page refresh and he found himself logged in as another user - a different one from yesterday. Again he had access to his PMs and everything. Both cases happened from two different computers and IP addresses so it's not a connection issue. What could be causing this? This is not a hack or anything - you just get access to a random user's account out of nowhere. It could get really bad if another member accidentally gets logged in as moderator or admin. Is this a known issue? Thank you for your help!

JimA
Community Team Leader
Posts: 7608
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn

Re: Security problem: One user accidentally gets access to other people's accounts!

Post by JimA » Tue Oct 04, 2016 8:38 am

That's indeed concerning. We have occasionally seen this issue here before. Do you (or your host) by any chance use Cloudflare, or another caching service? Aggressive caching could cause this.

AmigoJack
Registered User
Posts: 5588
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Security problem: One user accidentally gets access to other people's accounts!

Post by AmigoJack » Tue Oct 04, 2016 1:59 pm

Or some load balancing, where the origins could be switched?

Slackervaara
Registered User
Posts: 195
Joined: Thu Feb 28, 2008 7:46 am

Re: Security problem: One user accidentally gets access to other people's accounts!

Post by Slackervaara » Tue Oct 04, 2016 5:49 pm

Have you checked the database with phpMyAdmin, so the database is correct and not damaged? You can control the database and database tables with phpMyAdmin.

Ivaylo
Registered User
Posts: 50
Joined: Sun Mar 25, 2007 6:52 am
Location: Bulgaria, Europe

Re: Security problem: One user accidentally gets access to other people's accounts!

Post by Ivaylo » Wed Oct 05, 2016 12:49 pm

Thank you for your answers! After a day of testing, the problem turned out to be caused by my hosting provider, and more specifically, their firewall, which was caching requests containing cookies. This resulted in mixed login sessions. Just like JimA suggested. I think this problem is resolved and I hope it'll help someone in the future. I'll keep you posted if there is any news.

I've also checked the database and everything looks fine there - no visible damage.
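
The cause identified in this thread, a shared cache in front of the board storing and replaying responses that carry session cookies, can be checked from captured response headers. The following is an added example, not part of the original posts or of phpBB: the header samples are constructed, the cookie name `phpbb3_demo_sid` is a placeholder, and `X-Cache` is a vendor-specific header assumed here as a cache-hit indicator.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"(\w*sid)=([^;]+)", re.I)  # assumption: session cookie name ends in "sid"

# Constructed sample: (client label, response headers seen by that client)
SAMPLE = [
    ("client-A", {"Cache-Control": "private, no-cache",
                  "Set-Cookie": "phpbb3_demo_sid=aaaa1111; path=/; HttpOnly"}),
    ("client-B", {"Cache-Control": "public, max-age=600", "X-Cache": "MISS",
                  "Set-Cookie": "phpbb3_demo_sid=bbbb2222; path=/; HttpOnly"}),
    ("client-C", {"Cache-Control": "public, max-age=600", "X-Cache": "HIT", "Age": "42",
                  "Set-Cookie": "phpbb3_demo_sid=bbbb2222; path=/; HttpOnly"}),
]

def directives(h):
    """Parse Cache-Control into {directive: value}."""
    parts = [d.strip() for d in h.get("cache-control", "").split(",") if d.strip()]
    return {p.split("=")[0].lower(): p.partition("=")[2].strip() for p in parts}

def shared_cacheable(h):
    """True if the headers let a shared cache store and reuse the response."""
    d = directives(h)
    if {"private", "no-store", "no-cache"} & d.keys():
        return False
    fresh = d.get("s-maxage") or d.get("max-age") or "0"
    return "public" in d or (fresh.isdigit() and int(fresh) > 0)

def served_from_cache(h):
    """True if the response shows signs of having come from a cache."""
    age = h.get("age", "0")
    return (age.isdigit() and int(age) > 0) or "hit" in h.get("x-cache", "").lower()

def audit(records):
    """Return (client, reason) findings for session cookies exposed to caching."""
    findings, seen = [], defaultdict(set)
    for client, raw in records:
        h = {k.lower(): v for k, v in raw.items()}
        cookie = h.get("set-cookie")
        if not cookie:
            continue
        if shared_cacheable(h):
            findings.append((client, "Set-Cookie on a response a shared cache may store"))
        if served_from_cache(h):
            findings.append((client, "Set-Cookie delivered from cache"))
        m = SID_RE.search(cookie)
        if m:
            seen[m.group(2)].add(client)
    for sid, clients in seen.items():
        if len(clients) > 1:  # one session id handed to different clients
            findings.append((",".join(sorted(clients)), "same session id issued to several clients"))
    return findings
```

Any finding for a page that sets or depends on the session cookie means the caching layer should be configured to bypass such responses, or the origin should send `Cache-Control: private` or `no-store` on them.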
