forum bug?

JayA · May 17, 2003, 1:49pm

I get a HTTP authorise dialogue box asking me to supply my username and password to highteq.net when viewing the forum, although my Renoise forum username/password doesn’t work (I dont’ know what it is, but only tried it to attempt to stop it popping up).

What’s this all about?

JayA

P.S.
Now that highteq.net has potentially got my password for renoise forum I will change it.
J

evention · May 17, 2003, 1:59pm

Hmmm very strange…

when it happens…
could you make a sreenschot?

twilek · May 17, 2003, 2:01pm

cylab has his avatar on a protected site… thats why the login-dialog appears in threads where he has posted… please tell him to remove his avatar and the problem will be solved

evention · May 17, 2003, 2:04pm

Yes, you’re right!

JayA · May 17, 2003, 6:45pm

Ahh… wondered what was going on… ta… now at least I know what it is.
Perhaps (dunno if possible) the avatar system could check for this as it could potentially be used to get passwords?
J

cylab · May 17, 2003, 7:04pm

I am sorry for this. Just temporarily put some sensitive data up yesterday to share it with a friend and did not think hard enough (read: not at all) about such consequences…

However I removed the acces-control and will remember this incident
(and no, I had no intention to sneek passwords)

JayA · May 17, 2003, 7:42pm

Don’t worry… I didn’t think you were trying to sneak passwords… just mentioning that it’s a potential security risk, someone could do that if they wanted.

This is a bit off-topic, but you know you can put secure content in a sub-directory, assuming you’re using apache, do this with the .htaccess and .htpasswd files (see apache docs).

J

cylab · May 18, 2003, 4:05pm

Thanks for your confidence The check you mentioned may be hard to implement. The only way would be, to access all refered content through a php that checks everytime this content is refered. Then you can apply a redirect and the real content is loaded. I am sure, if someone really wants to, he can differ between the check-request and the redirect afterward, so giving the check-routine what it wants and use his trojan horse when the redirect is applied… It might be possible to supress this, but it might use some thinking…

I first put the .htaccess in the root and just did not think about some files (like my avatar) are referred from the outside. I now moved the sensitive data along with the .htaccess to a subdirectory. But anyway, thanks for the hint!