
Author Topic: Impersonation problem  (Read 5850 times)


Nibbler

  • Guest
Impersonation problem
« on: November 24, 2003, 09:28:21 pm »

Hi,

I have a problem with people impersonating others in comments.
Somehow a user is able to post a comment as themselves, and 4 mins later post as somebody else, with the same IP and user_id they had before. The msg_author changes independently of the user_id.

Any suggestions as to how this is done and how to secure it?

The site is ic-gallery.com, but you can't see what I mean without an admin login.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Impersonation problem
« Reply #1 on: November 24, 2003, 10:00:55 pm »

If you're running the standalone version of cpg (without bbs integration) there's nothing you can do to stop this. Technically, it would be possible to link the IP addresses and the usernames, but I wouldn't do that, since I've made the experience that there actually are people who share the same PC, so their IP address is the same. I also don't believe in IP banning (as I pointed out on other threads).
If this misbehaviour is a great problem for you, disable commenting for unregistered users.

GauGau
Logged

Nibbler

  • Guest
Impersonation problem
« Reply #2 on: November 24, 2003, 10:13:51 pm »

I have disabled commenting for unregistered users since the very start, that's why I am annoyed to still see impersonation.
Logged

Joachim Müller

Impersonation problem
« Reply #3 on: November 24, 2003, 10:19:05 pm »

Hm, hard to imagine (unless you discovered a bug). Can you post a screenshot of it (when in admin mode)?

GauGau
Logged

Nibbler

  • Guest
Impersonation problem
« Reply #4 on: November 24, 2003, 10:32:55 pm »

Here is a screenshot of the comments table, look at the 2 most recent comments.

(https://forum.coppermine-gallery.net/proxy.php?request=http%3A%2F%2Fwww.ic-gallery.com%2Fstuff%2Fscreenshot.jpg&hash=8be7af04993e520a27f2aa3d692b0b10b7027ff5)
Logged

Joachim Müller

Impersonation problem
« Reply #5 on: November 24, 2003, 10:45:41 pm »

Ah, I guess I know what the problem is: currently, users are allowed to change their own username, and the comment stuff doesn't take this into account. Afaik Tarique is working on a modification that won't let users change their username anymore.

GauGau
Logged

Oasis

  • VIP
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 252
  • iNSiGNiA
    • Pixnet Gallery
Impersonation problem
« Reply #6 on: November 25, 2003, 01:57:27 am »

gaugau, only admins can change the usernames, so this shouldn't be the problem here. What is happening here is that users are posting comments, and then editing them. When they edit comments, they can change the msg_author field too. So the user didn't actually change his own username, but just the name displayed on the comment. Maybe we should change that field to input type="hidden" when users are logged in.
Logged
Pixnet Gallery: http://www.pixnet.net
iNSiGNiA Weblog: http://www.jayliu.org

Joachim Müller

Impersonation problem
« Reply #7 on: November 25, 2003, 09:22:34 am »

Yep, you're right. Please do so for the dev branch of the CVS and post a fix here telling cpg1.2.0 users what to edit.

GauGau
Logged

Nibbler

  • Guest
Impersonation problem
« Reply #8 on: November 25, 2003, 05:09:40 pm »

I see it :)

I've just removed the msg_author update from the database query for now.

Thanks for all your help :D
Logged
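
Added example, not part of the thread and not Coppermine's own code: the comment-edit bug diagnosed in Reply #6 and the server-side fix from Reply #8, shown side by side with an audit query for rows that were already altered. A hidden form field is still submitted by the browser and can carry any value, so the fix shown is the one that drops msg_author from the UPDATE. Only msg_author and user_id come from the thread; the schema, function names and rows are constructed, and an in-memory SQLite database stands in for the gallery's database.

```php
<?php
// Added example, not Coppermine's code. msg_author and user_id are the columns
// named in the thread; the schema, function names and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT)');
$db->exec('CREATE TABLE comments (msg_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  msg_author TEXT, msg_body TEXT)');
$db->exec("INSERT INTO users VALUES (7, 'alice'), (8, 'bob')");
$db->exec("INSERT INTO comments VALUES (1, 7, 'alice', 'first'), (2, 7, 'alice', 'second')");

// Before: the edit handler writes the submitted msg_author back to the row.
function edit_comment_before(PDO $db, int $sessionUserId, array $post): void
{
    $db->prepare('UPDATE comments SET msg_body = ?, msg_author = ?
                  WHERE msg_id = ? AND user_id = ?')
       ->execute([$post['msg_body'], $post['msg_author'], $post['msg_id'], $sessionUserId]);
}

// After: msg_author is left out of the UPDATE, so whatever the form sends for
// it is ignored; the session's user_id still limits edits to the owner.
function edit_comment_after(PDO $db, int $sessionUserId, array $post): void
{
    $db->prepare('UPDATE comments SET msg_body = ? WHERE msg_id = ? AND user_id = ?')
       ->execute([$post['msg_body'], $post['msg_id'], $sessionUserId]);
}

// Audit: comments whose displayed author differs from the owning account's name.
function mismatched_comments(PDO $db): array
{
    return $db->query('SELECT c.msg_id, c.msg_author, u.user_name
                       FROM comments c JOIN users u ON u.user_id = c.user_id
                       WHERE c.msg_author <> u.user_name')->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: user 7 edits their own comments and submits another name.
edit_comment_before($db, 7, ['msg_id' => 1, 'msg_body' => 'edited', 'msg_author' => 'bob']);
edit_comment_after($db, 7, ['msg_id' => 2, 'msg_body' => 'edited', 'msg_author' => 'bob']);

foreach (mismatched_comments($db) as $row) {
    printf("comment %d shows '%s' but belongs to '%s'\n",
           $row['msg_id'], $row['msg_author'], $row['user_name']);
}
```

Only the comment edited through the "before" handler is reported by the audit query; the one edited through the "after" handler keeps its original author.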