chuckfw / owaspbwa

OWASP Broken Web Applications Project

Cookies not correctly set for phpBB #12

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. open phpBB
2. log in

What is the expected output? What do you see instead?
Expected to be logged in, but instead redirected to login page.

What version of the product are you using? On what operating system?
0.92rc2

Please provide any additional information below.
Cookie is set to IP address 192.168.23.131. When the VM has a different IP, the 
cookie is not valid.

A solution might be to include a cookie-set script that one has to run once 
when the VM is started. Example: 
http://www.phpbb.com/community/viewtopic.php?t=228741

Original issue reported on code.google.com by dvst...@gmail.com on 21 Dec 2010 at 2:19
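
The cookie-domain mismatch described in the report above, as an added example that is not part of the original issue thread or the project's code: it applies the RFC 6265 domain-match step a browser performs before storing a cookie. The IP 192.168.23.131 and the hostname owaspbwa come from the thread; the cookie name, cookie value and the second IP address are constructed.

```python
import ipaddress

def is_ip(host):
    """True when host is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match test."""
    host = request_host.lower()
    domain = cookie_domain.lower()
    if domain.startswith("."):
        domain = domain[1:]  # a leading dot is ignored (section 5.2.3)
    if host == domain:
        return True
    # Suffix matching is for host names only; an IP must match exactly.
    return not is_ip(host) and host.endswith("." + domain)

def domain_attribute(set_cookie):
    """Return the Domain attribute of a Set-Cookie value, or None."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain" and value:
            return value
    return None

def browser_stores(request_host, set_cookie):
    """Would an RFC 6265 browser keep this cookie for request_host?"""
    domain = domain_attribute(set_cookie)
    # Without Domain the cookie is host-only and is always accepted.
    return domain is None or domain_matches(request_host, domain)

# Constructed Set-Cookie values; the cookie name is a placeholder.
PINNED_IP = "forum_sid=abc123; path=/; domain=192.168.23.131"
HOSTNAME = "forum_sid=abc123; path=/; domain=owaspbwa"
HOST_ONLY = "forum_sid=abc123; path=/"

if __name__ == "__main__":
    samples = (("pinned-ip", PINNED_IP), ("hostname", HOSTNAME), ("host-only", HOST_ONLY))
    for host in ("192.168.23.131", "192.168.56.101", "owaspbwa"):
        for label, header in samples:
            print(f"{host:15} {label:10} stored={browser_stores(host, header)}")
```

A cookie that is rejected at this step is never sent back, which produces a fresh session id on every request; the check covers only the Domain attribute, not Path, Secure or server-side session validation.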

GoogleCodeExporter commented 8 years ago
Forget the solution; that is also not working. Cannot figure out what the 
problem is, but none of the users is able to log in. I get a new session id in 
each request and keep getting redirected to the login page.

Original comment by dvst...@gmail.com on 21 Dec 2010 at 5:07

GoogleCodeExporter commented 8 years ago
Thanks for reporting this.  I believe that IP address is the one that the VM 
gets for me.  Maybe phpBB has fixed on that IP rather than grabbing the current 
one when setting the cookies.  I'll look into it.

Original comment by chuck.f....@gmail.com on 3 Jan 2011 at 2:32

GoogleCodeExporter commented 8 years ago
Well, I tried modifying that in the configuration table, but for some reason
I was unable to get it working.

If you need me to test something on my side, let me know.

Dave

Original comment by dvst...@gmail.com on 3 Jan 2011 at 7:47

GoogleCodeExporter commented 8 years ago
I messed around with this for a while trying to fix it for the 0.93rc1 release, 
but I couldn't get it to work.  I did go back and confirm that this did work in 
0.91rc1 and I tried copying the exact directories, files, and permissions from 
that into the newer VM and it still failed.  My current theory is that the 
update of the OS to Ubuntu 10.04 for versions 0.92 broke something.  
Fortunately, we are not on an LTS version of the OS, so hopefully we won't have 
that problem anywhere else for a while.

For 0.93rc1, this is unresolved, but I did mark in the index.html file that the 
application is currently broken.

Chuck 

Original comment by chuck.f....@gmail.com on 17 Jan 2011 at 4:25

GoogleCodeExporter commented 8 years ago
I independently found the problem to be the cookie.  I attempted the DB config 
change suggested here: 
http://www.phpbb.com/kb/article/configuring-domain%2Bscript-path%2Bcookie-settings/

Still didn't solve anything though... Will try a reinstall of phpbb2 and see if 
that fixes the problem

Original comment by MichaelTCyr@gmail.com on 22 Apr 2011 at 12:15

GoogleCodeExporter commented 8 years ago
I did some work on this for the 1.0 release.  I was able to adjust some 
settings to get cookies to set properly (using the owaspbwa hostname), but 
login still does not work (nor does viewing posts). 

Leaving database in place and software running at /phpBB2/, but it is not 
listed on the landing page.  May never get fixed.

Original comment by chuck.f....@gmail.com on 14 Jul 2012 at 3:26

GoogleCodeExporter commented 8 years ago

Original comment by chuck.f....@gmail.com on 19 Jun 2015 at 2:06