UBB.threads PHP Forum Software Community Forums UBB.threads 6 Version 6 Support Restricted pages cached & given to wrong people

I have noticed a potential security issue while setting up and testing my new UBB.Threads forum:

Some pages have restricted access (require login etc), but they are cached just like any other page. If a different user who shouldn't be able to see that page then requests it, the web-cache serves them that page without authentication.

This is especially a problem with common pages (like the front-page, where it can say "you are logged in as: someone-else")

Is there a way to stop this behaviour? I was thinking of adding a spurious timestamp GET variable to all links so that they will not be called from the cache at a later date, but clearly this is not ideal.

Thanks in advance,

Rich

Hi Rich,

If I follow your question correctly, you're concerned about multiple users on the same computer?

The best solution for this is to use sessions, instead of the traditional cookie. Sessions requires that the user logs in every time a new browser is opened and the board is visited - but then the user remains logged in for the remainder of the time the browser is open. When the browser is closed, the user is logged out... Would that work? Let us know if that sounds like a good solution, and we can help you get that set up...

If I've misunderstood your question - let me know, and I'll try again. <img border="0" title="" alt="[Wink]" src="images/icons/wink.gif" />

Kate Sloan
Customer Care/Account Management
Infopop Corporation
Moderator: Community Management Forum

<img src="http://kate.infopop.cc/pictures/Powered_by_caffeine.gif" alt=" - " />

Hi Kate,

That's not quite what I was referring to, but I imagine would have many of the same problems. I was thinking of network level caching. Let me give you an example:

John logs on to his PC and opens his browser and accesses the forum. He has requested the page "xxx/ubbthreads.php?Cat=" and our server generates a generic front page saying "you are not logged in".

He logs in and is redirected to another page (lets say his home page is the 'my home' one, "xxx/login.php"). If he then clicks on "main index" his browser requests "xxx/ubbthreads.php?Cat=". However this request is intercepted by either his local cache or the network cache (if he is using a shared internet connection over a LAN with a central cache) and he is passed the previous version of the page.

If he knows what has happened, he might refresh the pag, overriding the cache and asking our servers to re-generate the page, at which point he gets a copy of the page saying "welcome, John".

Later, Sarah logs in at a seperate PC on the same network and goes to the front page "xxx/ubbthreads.php?Cat=". She then sees John's front page because the cache serves the latest local copy it has, instead of requesting a new one is generated based on Sarah's cookies (or sessions etc).

Hope this clarifies thibgs,

Rich

You can add meta-tags to your threads installation to try to prevent caching.

Simply insert them to the generic header. But basically, it's a caching problem of your network and not a threads security issue, i suppose.

It's always dangerous to cache dynamic pages for a hole network with several users.

Yeah, that's not really good practice for the web host/ISP and really won't be compatible with any type of dynamic content.

Infopop's Browser Problem documentation talks about ISPs that may run a page cache and in those cases most likely you'll need to switch providers. <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />

Josh
www.joshuapettit.com
ThreadsDev.com Administrator | InfoPop Community Moderator
Register to see my How To/Site Help Library Forum at ThreadsDev.com.
My threads 'tweaking' abilities are for hire for upgrades, tweaks and modifications.

Thanks for your comments, guys,

I could have a go at my network admin and let him know that overzealous caching is a security issue and cripples dynamically generated sites, but I don't have control over the caching policies of my visitors' networks.

I could add 'don't cache' headers to my pages (oughtn't this be standard for the package?) but many caches ignore them.

It looks like I will have to add a timestamp to the end of every link so that it will not match anything in the cache, for example "xxx/viewthreaded?number=4" becomes "xxx/viewthreaded?number=4&t=102353436".

If anyone has any better suggestions I would love to hear them.

Rich

Turn off the browser cache.

--
UBBDesign.com: UBB â„¢ customizer, webdesigner and custom graphics creator.
Creator of the JCTemplates used in the ubb.classic â„¢ software. Addons & Graphics
Installation services and custom add-on creation available. Contact me

</font><blockquote><font size="1" face="">quote:</font><hr /><font size="" face="">Originally posted by J.C.:
Turn off the browser cache.
</font><hr /></blockquote><font size="" face="">1) That wouldn't affect the network cache

2) I can't tell every visitor to my site to turn off their browser caches

3) You can't have a voluntary settings change as the solution to a security issue

This is not just a convenience thing: there are settings in UBB threads to restrict access to content by login. If other people can get access through a LAN web cache to these pages then it is a security issue.

If anyone is interested, I have now implemented the brute-force solution to this problem: every link on the site now has a timestamp representing when the page was generated, thus no link will match any old versions held in any cache (caches in my control or not).

This wasnt too hard to achieve thanks to the good coding style of the UBB team:

(The following may only apply to version 6.3)

I changed the function "HTML->send_header" in "ubbt.inc.php" to add an *alphabetic* (not numeric) timestamp to the $Cat variable. (I did this just after the preg_replace which strips out non-numeric characters so that the timestamp is fresh)

I changed each instance where the $Cat variable is actually used (about 9) so that a temporary copy is made with the alphabetic part stripped off - this is already done for some reason, I just made sure it doesnt overwrite $Cat.

so

<pre> $Cat = preg_replace("/[^\d,]/","",$Cat);
if ($Cat) { ... </pre>

becomes

<pre> $Cat2 = preg_replace("/[^\d,]/","",$Cat);
if ($Cat2) { ... </pre>

I also had to change the "get_input" function in "ubbt.inc.php" to return

<pre>get_input("Cat",$type) . "&ts=" . get_input("ts","both"); </pre>

when asked for the value of "Cat". (My timestamp is called "ts") This makes the timestamp pass through pages wich are redirections (such as expanding / collapsing categories).

I hope this helps anyone brave enough to want to fix this problem themselves. Perhaps the UBB team might consider addressing this issue in the next release, as advising users to turn off their browser cache is not really a solution.

Rich

[This message was edited by ricbrad on July 21, 2003 at 02:56 AM.]

[This message was edited by ricbrad on July 21, 2003 at 02:57 AM.]

Thanks for the update! <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />

Perhaps others will find it a solution to their problems as well. <img border="0" title="" alt="[Smile]" src="images/icons/smile.gif" />

Josh
www.joshuapettit.com
ThreadsDev.com Administrator | InfoPop Community Moderator
Register to see my How To/Site Help Library Forum at ThreadsDev.com.
My threads 'tweaking' abilities are for hire for upgrades, tweaks and modifications.