Impersonation problem

Started by Nibbler, November 24, 2003, 09:28:21 PM


Nibbler

Hi,

I have a problem with people impersonating others in comments.
Somehow a user is able to post a comment as themselves, and 4 minutes later post as somebody else, with the same IP and user_id they had before. The msg_author changes independently of the user_id.

Any suggestions as to how this is done and how to secure it?

The site is ic-gallery.com, but you can't see what I mean without an admin login.

Joachim Müller

If you're running the standalone version of cpg (without BBS integration), there's nothing you can do to stop this. Technically, it would be possible to link the IP addresses and the usernames, but I wouldn't do that, since it has been my experience that there actually are people who share the same PC, so their IP address is the same. I also don't believe in IP banning (as I pointed out in other threads).
If this misbehaviour is a great problem for you, disable commenting for unregistered users.

GauGau

Nibbler

I have disabled commenting for unregistered users since the very start; that's why I am annoyed to still see impersonation.

Joachim Müller

Hm, hard to imagine (unless you discovered a bug). Can you post a screenshot of it (when in admin mode)?

GauGau

Nibbler

Here is a screenshot of the comments table, look at the 2 most recent comments.

(screenshot: http://www.ic-gallery.com/stuff/screenshot.jpg)

Joachim Müller

Ah, I guess I know what the problem is: currently, users are allowed to change their own username, and the comment stuff doesn't take this into account. AFAIK Tarique is working on a modification that won't let users change their username anymore.

GauGau

Oasis

GauGau, only admins can change the usernames, so this shouldn't be the problem here. What is happening here is that users are posting comments and then editing them. When they edit comments, they can change the msg_author field too. So the user didn't actually change his own username, but just the name displayed on the comment. Maybe we should change that field to input type="hidden" when users are logged in.
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

Joachim Müller

Yep, you're right. Please do so for the dev branch of the CVS and post a fix here for cpg1.2.0 users saying what to edit.

GauGau

Nibbler

I see it :)

I've just removed the msg_author update from the database query for now.

Thanks for all your help :D
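
The flaw Oasis describes (the comment-edit form writes a client-supplied msg_author back to the row) and the fix Nibbler applied (drop msg_author from the UPDATE), as an added example. This is not code from the thread or from Coppermine itself: the table and column names (comments, msg_id, user_id, msg_author, msg_body), the session layout and the handler names are assumptions, and it runs stand-alone against an in-memory SQLite database via PDO.

```php
<?php
// Added example, not Coppermine's code: a minimal model of the comment-edit
// handler flaw discussed in the thread, beside a hardened version. Table and
// column names (comments, msg_id, user_id, msg_author, msg_body) and the
// session array are assumptions; cpg1.2.0's real schema and code differ.
// Requires the pdo_sqlite extension; no external database is needed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (
    msg_id     INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    msg_author TEXT    NOT NULL,
    msg_body   TEXT    NOT NULL)');
// Constructed sample row: user 42 ("alice") posted comment 1.
$db->exec("INSERT INTO comments VALUES (1, 42, 'alice', 'nice photo')");

// Vulnerable: every form field, msg_author included, is written back.
// user_id never changes, yet the displayed author does, which is exactly
// the pattern visible in the comments table.
function edit_comment_vulnerable(PDO $db, array $form): void
{
    $stmt = $db->prepare(
        'UPDATE comments SET msg_author = :author, msg_body = :body
          WHERE msg_id = :id');
    $stmt->execute([
        ':author' => $form['msg_author'],   // client-controlled value
        ':body'   => $form['msg_body'],
        ':id'     => $form['msg_id'],
    ]);
}

// Hardened: msg_author is not read from the form at all (it was set from
// the session when the comment was created), and the UPDATE is restricted
// to a row owned by the logged-in user. Turning the form field into
// type="hidden" is only a UI tidy-up: a hidden field is still sent by the
// client and can be edited, so the server must ignore it regardless.
function edit_comment_hardened(PDO $db, array $session, array $form): bool
{
    if (empty($session['user_id'])) {
        return false;                       // only logged-in users may edit
    }
    $stmt = $db->prepare(
        'UPDATE comments SET msg_body = :body
          WHERE msg_id = :id AND user_id = :uid');
    $stmt->execute([
        ':body' => $form['msg_body'],
        ':id'   => $form['msg_id'],
        ':uid'  => $session['user_id'],
    ]);
    return $stmt->rowCount() === 1;         // 0 rows: not the owner
}

function author_of(PDO $db, int $msgId): string
{
    $stmt = $db->prepare('SELECT msg_author FROM comments WHERE msg_id = ?');
    $stmt->execute([$msgId]);
    return (string) $stmt->fetchColumn();
}

// Alice (user 42) edits her own comment but submits a different author name.
$forged = ['msg_id' => 1, 'msg_author' => 'bob', 'msg_body' => 'edited'];

edit_comment_vulnerable($db, $forged);
echo "vulnerable: author is now ", author_of($db, 1), "\n";

$db->exec("UPDATE comments SET msg_author = 'alice' WHERE msg_id = 1"); // reset

$ok = edit_comment_hardened($db, ['user_id' => 42], $forged);
echo "hardened (owner):     updated=", var_export($ok, true),
     ", author is ", author_of($db, 1), "\n";

$ok = edit_comment_hardened($db, ['user_id' => 7], $forged);
echo "hardened (non-owner): updated=", var_export($ok, true), "\n";
```

Run with `php example.php`: the vulnerable handler changes the author of comment 1 to "bob" while user_id stays 42, the hardened handler updates the body for user 42 and leaves the author as "alice", and refuses the edit for user 7 because the ownership predicate matches no row. The ownership check is an added safeguard beyond what the thread discusses; the core fix is the same one Nibbler made, namely never deriving msg_author from the submitted form.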