There's something wrong with search:
(censored session ID for security purposes.... that was the right thing to do, wasn't it?)
Yeah, it seems everyone is getting this. Ramu reported it to me, I've reported it to Icedawg. Bet he has a full inbox for Christmas this morning!
you must be the change you wish to see in the world...
-gandhi
Originally posted by Haz
(censored session ID for security purposes.... that was the right thing to do, wasn't it?)
No, just silly. There is nothing you can gain from them (or phpBB would have patched a gaping hole like that, dontchya agree?)
All you need is a user's session ID and their IP address to utilize their account (you'd have to spoof the IP, but apparently that's not hard). Of course, their session would have to be online at the time.
Each new day is a chance to turn it all around.
Yeah, but you don't have their IP. And if you spoof it, it's going to go to that IP (the page served up), and not your IP, so what good is that anyway? If it was such a big fat hole, phpBB definitely would have done something about it by now. You can't discern what session IDs are real and what aren't... so blah.
Originally posted by Kaniaz
Yeah, but you don't have their IP. And if you spoof it, it's going to go to that IP (the page served up), and not your IP, so what good is that anyway? If it was such a big fat hole, phpBB definitely would have done something about it by now. You can't discern what session IDs are real and what aren't... so blah.
It's not a 'fat hole,' it's just the way sessions are identified (via IP and session ID); it's not usually a problem because again you'd need the user's IP and their matching session ID, and his or her session would have to be recorded as still active in the sessions table. Anyway, if you still don't believe me, just search around phpBB's forum; I've read about it there and this really is possible, although difficult due to the information required.
Each new day is a chance to turn it all around.
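An added example (not code from this thread or from phpBB) of the rule described above, written from the admin's side: a session is only honoured when the sid arrives from the IP it was recorded under and is still active in the table, and sids are scrubbed from URLs before they can show up in search output, the way Haz did by hand. The sessions table, the timeout, the sample entries and the 32-hex-character sid format are assumptions.

```python
import re
import time

# Constructed stand-in for a phpBB-style sessions table (assumption: this is
# not phpBB's real schema). Maps session id -> (user, client IP, last activity).
SESSION_TIMEOUT = 3600  # seconds of inactivity before a session is dead; assumed value
T0 = 1_000_000          # fixed "now" for the sample data so results are reproducible
SESSIONS = {
    "0123456789abcdef0123456789abcdef": ("haz", "192.0.2.10", T0 - 60),     # active
    "fedcba9876543210fedcba9876543210": ("ramu", "192.0.2.20", T0 - 7200),  # expired
}


def validate_session(sid, client_ip, now=None, sessions=SESSIONS, timeout=SESSION_TIMEOUT):
    """Return the user for (sid, client_ip) if that pair names a live session, else None.

    This is the rule the thread describes: a sid by itself proves nothing; it must
    arrive from the IP it was recorded under and still be active in the table.
    """
    now = time.time() if now is None else now
    entry = sessions.get(sid)
    if entry is None:
        return None                      # unknown or already-purged sid
    user, ip, last_activity = entry
    if ip != client_ip:
        return None                      # sid presented from a different address
    if now - last_activity > timeout:
        return None                      # session recorded but no longer active
    return user


# Assumption: sids are 32 hex characters; widen the pattern for other formats.
SID_RE = re.compile(r"(?i)(\bsid=)[0-9a-f]{32}")


def redact_sids(text):
    """Blank sid= values in URLs before they reach search results, logs or a post."""
    return SID_RE.sub(r"\1[redacted]", text)


if __name__ == "__main__":
    print(validate_session("0123456789abcdef0123456789abcdef", "192.0.2.10", now=T0))
    print(redact_sids("viewtopic.php?t=42&sid=0123456789abcdef0123456789abcdef"))
```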
I know that. Like I just said, you need the IP and the session ID, and when that list comes up with 3285402385490 IDs, and you have precisely zero IPs to work with (without being a mod or something), it's not a "fat hole." Even if you had the IP, you'd have to go through every single sid there, and with so many accesses like that, you'd cotton on fairly quickly... And since it would take so long to do, the sid would probably become inactive by the time you got there, and so in the long run you are royally screwed. So blocking them out of the picture is really unnecessary (unless a hacker just has a *really* lucky day). I know it's possible, but I suppose the chances of anybody actually pulling it off are pretty much nil. So you could gain a bunch of old sids from something like that, but at the end of the day the usefulness of having a load of old ones isn't much. Although it just occurred to me of another way you could find out active ones, but now I'm sidetracking.
So, in conclusion, block them if you want but: A) People will just get the same page up to see them for themselves and B) They're royally useless.
... I think we've confused lots of people now.