Tres, Posted October 28, 2016: I'm using IPS Connect, connecting between my existing PHP website and IPS Platform, and while implementing the Cross Login to accept the cross login call, I think I found a little security problem. So, if what I know is right (please tell me if I'm wrong), you will set login session values when you receive a cross login request. But there's a chance that the user might catch the URL for cross logins while they redirect, which can be abused very easily. Like, if you change the 'id' parameter, the user will be able to login with other ids right away. I think there's a big chance I might have understood the whole concept of IPS Connect wrongly, so please let me know which part is wrong.
MADMAN32395, Posted October 28, 2016: Have you been able to capture this URL yourself and make a full proof of concept? I don't think it works that way.
Tres (Author), Posted October 28, 2016: Yes I did. I pushed the Esc key by mistake during the redirects and could see the whole URL! When the internet connection is bad/server is unstable, you may stay longer than you thought in the blank page during redirect. It's not an HTTP request, but a chain of redirects when it's cross login.
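Added example, not code from IPS Connect or from this thread (the thread does not show how IPS Connect actually protects the request): a minimal signed cross-login handler illustrating the mitigation for the id-parameter tampering Tres describes in the two posts above. The receiving side must not trust a bare `id` from the redirect URL; the sender signs `id` plus a timestamp with a shared secret, and the receiver verifies that signature and the age of the request. The shared key, URL and parameter names are assumptions for the demo.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlparse

# Assumed shared secret known to both the PHP site and the forum (constructed demo value).
SHARED_KEY = b"constructed-demo-shared-key"


def insecure_user_from_url(url):
    """The pattern described in the thread: whatever 'id' the redirect carries is trusted."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]


def build_cross_login_url(base, user_id, key=SHARED_KEY, now=None):
    """Sender side: attach a timestamp and an HMAC over the canonical (sorted) id/ts pair."""
    ts = int(now if now is not None else time.time())
    params = {"id": str(user_id), "ts": str(ts)}
    msg = urlencode(sorted(params.items())).encode()
    params["sig"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{base}?{urlencode(params)}"


def verify_cross_login(url, key=SHARED_KEY, now=None, max_age=60):
    """Receiver side: return the user id only if id/ts are untampered and recent, else None."""
    q = parse_qs(urlparse(url).query)
    try:
        user_id, ts, sig = q["id"][0], q["ts"][0], q["sig"][0]
        ts_int = int(ts)
    except (KeyError, ValueError):
        return None  # missing or malformed parameters: refuse to log anyone in
    msg = urlencode(sorted({"id": user_id, "ts": ts}.items())).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # 'id' (or 'ts') was changed after signing
    # Short validity window limits reuse of a captured URL; a server-side nonce
    # store would be needed to reject replays within the window entirely.
    if abs(int(now if now is not None else time.time()) - ts_int) > max_age:
        return None
    return user_id
```

With the signature in place, editing the `id` in a captured redirect URL yields `None` instead of a session for another account.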
MADMAN32395, Posted October 28, 2016: Is this based off of IPS setup notes or incorrect setup on the site admin side?