"What implications this has for the store and other areas I don't know, but it sure as heck bothers the hell out of me." holy wow- It means that they can log on as you and download all your purchases. It means they can log on as you and post messages in the forums under your name. It means they can log on as you and change your membership information AND then change your marketplace payment info.
That's only a start of what they could do: They can delete your gallery & posts. They can upload to your gallery. They can modify your homepage. They can post as you. They would have access to all the things that individual has access to. I would hate to think what all could happen if this information was obtained by someone with malicious intent.
Thank you for sharing the information. We are looking into this. For members that accept cookies, this is not an issue. The session id data is only left by members that do not have their cookies enabled. Since the session ids expire in a short period of time, this generally is not a problem. One way to correct this is for members to accept cookies. The other way to correct this is for us to require cookies for all members when they log-on. We are evaluating that option at this time. Best regards, LillianH Renderosity Marketing & Promotions
Lillian Hawkins
Marketing Manager
By serving each other, we are free.
Sorry Lillian, I have to disagree with you. I regularly see the session data in my address bar and I do have cookies enabled. I've also had links sent to me from members here with their session data in the address, this includes long term members, we all get caught with it once in a while. Looking at my address bar now, the session data is in the address and cookies were not refused, rejected or blocked. So no, not going to accept that explanation. How short a time is it before the session data expires? How long can a hostile member use that session data before it expires, provided the person using that session keeps it active by doing things the site assumes that the member is active? I personally at one point last year spent several hours logged into this site without a repeat request for cookies. If the session times out and you paste the session data back into the browser does the software recognise an out of date session or does it just say "ok, have fun"? I'm not trying to be argumentative and quite frankly what I've found doesn't affect me in the slightest, I have no account or gallery on this site so nothing to lose, but a great many members do. "We are looking into this." I hope so, I really do. Because the implications for security are erm... unpleasant. ++Sunspot3D++ If you find a link in the forum, right click, copy address and paste that into a NEW browser window - not one logged into this site. My own experiments show that this method protects the session data from being passed to any servers you visit.
I myself have clicked on a link that contained a session id, Lillian, that had been sent to me in an IM here on rosity that I didn't get to for two weeks. When I clicked the link I found myself logged in to view the image they wanted me to see... but the screen color settings were different~it was only then that I noticed I was logged in as her. I have also had a link sent to me by email which I clicked and found myself logged in here as someone else. Only the other day I posted a link in the forums that someone pm'd me about to warn me that I was giving out access to all my personal info because I was half asleep and didn't remove the form session id. I have seen this complained about time and again, friends have sent me links and I them where we were logged in as one another on a regular basis. As for accepting cookies... my browser is always set to accept cookies... in fact I have to clear my cookies cache regularly because I get so many lol. So I have to agree, it has nothing to do with accepting cookies... either that or there's something else going on that your programmers have yet to discover. As for the programmers not making mistakes, I hope rosity being down earlier was something they fixed and didn't cause... I for one highly respect computer programmers, they have a job I wouldn't want regardless of the pay because I lack the patience to build or analyze every dash in code to find one infinitely small problem. But I must say Lillian... in this you are incorrect, programmers hate to admit when they're wrong and you aren't being given all the facts to determine for yourself that the information supplied to you by them is incorrect. If not for experiencing it myself I wouldn't even bother to comment... but a link posted two weeks earlier should not have logged me in as my friend by what you're saying, and if my cookies are enabled it won't happen~but I assure you it does.
If the end goal of learning is genius...why are most geniuses failures at learning?
Excuse me Armorbeast, please email or IM me the link in question. I would like to see that for myself. I have reviewed all of my correspondence with you and could find no record of such a link being sent to you. Thanks, LillianH Renderosity Marketing & Promotions
Lillian Hawkins
Marketing Manager
By serving each other, we are free.
"I myself have clicked on a link that contained a session id Lillian that had been sent to me in an IM here on rosity..."
"Excuse me Armorbeast, please email or IM me the link in question. I would like to see that for myself."
I think there was a lack of punctuation and Armorbeast didn't intend to say the link was from LillianH, but another member.
Someone saw this and let me know what was going on... even though the incorrect punctuation does explain itself if you read the full comment, I will try to correct the misunderstanding. I was sent a link by rosity IM from a friend who wanted me to check their image. However, I missed the IM and did not realise the mistake for two weeks... I clicked the link and found myself logged in as her on her page. I see no confusion here, even for the bad punctuation, the comment does clarify itself when read and you of all people know you don't send me links to view your images... nor would I think that since you know me you would even consider that I would tell such a lie about you. But even as such, you did not address the issue as you said clearly that to avoid this cookies should be enabled... my cookies are always enabled as are, I believe, everyone's that gets logged in automatically when they arrive on rosity. So obviously that is not the answer. You mention that the session id's expire in a short period of time but two weeks is not short. I am not on the attack Lillian and I like you well enough that I wouldn't jump on you, but this is a serious matter not only to us... but to merchants on rosity who could be losing hundreds or even thousands of dollars each from this. If I log in as someone else I can access their downloads... you cannot even legally do anything if it turns out that the members use the same template colors and say they didn't know the download they found in their Gifts Received box wasn't theirs. But having sent my session id # out to friends by accident time and again because it's not second nature to correct a screwed up url... and having also received other members' session id #'s, I know how serious this problem is.
But rosity isn't the only one... in fact DAZ is worse. Chrislenn sent me a link to a product she wanted me to look at and I found myself listed as her, I not only found I had access to her wishlist but all her personal info also popped up... I told her and got out. About a month later I logged in at DAZ and started having problems accessing my account~I looked and noticed lo and behold I was logged in as Chris again. I did not go to DAZ via a link sent by anyone, I went in through the link on their newsletter and was auto logged in as Chris. I have yet to have that happen here or hear of it from others, but that is a major security issue... so I am not kicking rosity here~it's not a problem unique to this site. If I sounded harsh it's because the info you gave people to enable cookies and that the session links expire quickly isn't correct... I doubt you knew this or figured it out on your own so I assumed the programmers told you and like I said, programmers are well known to not want to admit they're wrong. Sorry for the miscommunication... I do consider you a friend Lillian but I wasn't talking about you and if you reflect on it you'll realise this. Nor am I bashing rosity... just this is a serious matter and has been since even before I joined and it hasn't been fixed.
If the end goal of learning is genius...why are most geniuses failures at learning?
Oh my. No,no, no....I did not for a minute think you were telling lies Armorbeast, but rather that I had overlooked a link that I had sent out and wanted to get a copy of it. Sorry for the confusion. I will do my best to clarify the thing about the cookies. While you may have your cookies enabled, it appears to me that the person that sent you the link, did not. It also appears that the person that sent you the link, never closed that session. If they left that session open (which some people do), and don't enable cookies, and send people links with their session ids and keys, then yes, this is possible. That is why we are looking at the option of requiring cookies be enabled when logging into Renderosity. This would indeed end this problem. (Not according to the programmers, but according to the latest industry research on the matter.) But, the down-side is it would create another uproar that we changed something and there will be a few people that don't want cookies. We are weighing the options and appreciate the insight and information being shared with us. Best wishes, LillianH
Lillian Hawkins
Marketing Manager
By serving each other, we are free.
Lillian, that's fair enough regarding sending people links. But nobody sent me one. I posted a link into the Poser forum. Some people who clicked that link to download the files I was offering left that information in my logs. It is my understanding that you cannot post in the forums unless you are logged in, to log in you must accept cookies. The people who responded to the link to freestuff I posted had to have been logged in to reply, six of these left session id and key info in my server logs just by clicking the link I posted. Others I presume were lurkers who clicked by visiting the thread without posting to it. That link took them directly to a freestuff page on my server. I don't understand how that can happen by your explanation of how it works. By rights that info should not have shown up in my logs. The users didn't visit my site and leave that information there in a link, the server log got it - presumably from their browser. Perhaps you're missing what I mean by server log. This is an activity logging facility that tells me what browser visited and what sections of the site were visited. That's all the information it gathers. Browser type/name/version and pages visited. That's just plain weird, but if my server running a browser track log managed to suck that info in without even trying, what about those sites who deliberately harvest user info? I don't believe that forcing people to enable cookies on this site will cure what I've seen. It may, perhaps, possibly cure the IM/Forum link problem that many have experienced, but that won't stop the information being transmitted to other servers. Please understand. Nobody sent me a link, I did not send anyone a link. A remote site server picked the data up by people clicking an externally referenced link. For instance. I post a link here to my site. People click that link to see what's at the end. 
By simply clicking that link and visiting my site some of them are leaving the session ID and Key recorded in my site usage log. ***But, the down-side is it would create another uproar that we changed something *** That unfortunately is always a risk, especially on a site like this where changes don't always make immediate sense or appear particularly useful. But what I'm trying to explain here I believe needs to be investigated fully and changed, regardless of the potential outcry because it's a security hole of fairly awesome proportions. I've not tried to use the information I found as I'm not that way inclined but if being logged in as somebody allows access to their accounts, merchant data, merchant forum etc, the implications are staggering.
Hi Questor, You mentioned that "to log in you must accept cookies", but that's not the case. There are those that do not accept cookies, and that is why this is an issue. Thank you for the clarification, I am familiar with server logs. I understand what you are saying. I really appreciate your support and understanding as we thoroughly investigate this and come to a resolution. Best Regards, LillianH Renderosity Marketing & Promotions
Lillian Hawkins
Marketing Manager
By serving each other, we are free.
There are major issues that need addressing here on rosity's part, not only regarding the session id issue, but how problems are addressed in general when members bring them to your attention.
The issue with the session id can be resolved easily with redundant features. When I access rosity I should not be auto logged into my account unless I access via the front page itself. My uncle is a programmer and was just here, I asked him to look and he said a child could figure out that when a link is sent or an ebot answered that this should only give a member access to the page... they should then be required to enter their password to comment, then would stay auto logged in until they accessed by clicking another link. He said a lot of sites have this feature built in to protect both themselves and their members.
He summed it up Lillian by saying that cookies are by design created to save information and to auto log you into a site like rosity... requiring that everyone use cookies in no way resolves the issue because it's the cookie that auto logs you in and it's the info sent by the cookie in a session id link that tells your server who is logging in~not the cookies stored on a member's computer who clicks the link. He describes it best as a conflict... sometimes the cookie on your computer will override the info in the link, sometimes it won't.
He also went through the threads and noticed something about Clint... Clint keeps saying how he accesses members' accounts and that there is no problem. Being a programmer my uncle knows that it's not that simple, people access the net using different browsers and even the connections themselves can be affected by things such as the ISP or even speed. If you on your end see the site is up and running, then you will see every page exactly the same because your settings are optimised for your site... he also noticed bonbonish's comment about the SQL errors she's experiencing and said that being that rosity just experienced a crash, this should be a dead giveaway that you have not resolved all the issues in getting rosity back on its feet. He described Clint's comment as a brushoff and as being irresponsible because it says to members that their concerns do not matter... and considering that virtually every remark originates from viewing the pages from within the site itself, I have to agree somewhat.
The reason I expressed concern Lillian is that rosity's such a great site, sometimes you'll have issues where the member is at fault and sometimes it's the people on the site itself... of all the people there I consider you my fave so I hope you do not feel that any of this is directed at you, you are simply addressing this based on the info you have on hand. But what I think is being said here by me and others is that the info you have is incorrect... the session id issue leaves every member vulnerable and may be causing your merchants to lose untold sales, I think it's worthy of your time to investigate the matter from all POVs and find a good solution to resolve it that members can live with:)
If the end goal of learning is genius...why are most geniuses failures at learning?
Attached Link: http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2109.html
Would help if the cookies were legal to begin with. When I access Rendo or RDNA, which is hosted with Bondware, my browser, Opera, can tell me the following:
"The server tried to set an illegal cookie. the combination of the server's hostname and the domain attribute for this cookie is not acceptable, and it has therefore been rejected.
You may want to ask the webmaster to set legal cookies
Address: http://www.runtimedna.com
Sess_key=1221221221 domain=.com; path=/"
Sessionkey numbers changed by me.
The W3C doesn't work on or with cookies, but the IETF does, and IIRC, it's RFC2109 you'll want if you want to look up the -original- cookie specification.
This was an issue as far back as two years - I remember sending a friend a link and he had a field day with changing my settings to a major eyesore pink.
~S (edit - text fell out because I used a <
Message edited on: 08/04/2004 18:33
I didn't really want to post this publicly but I have no clue at all who the hell to contact about this. I've been nosing around in my server logs to see what the majority browsers are that hit my site and I came across a rather interesting - and worrying - occurrence. People following the link I posted to Poser forum are leaving their session id data on my logs. Now, I know this has been an ongoing irritant for users here at Renderosity, where the session id is displayed in the browser address bar resulting in newbies posting their ID into the forums. But I wasn't aware that this information was transferred via forum links to other sites. This means that it's possible, via a forum link, to farm login information from Renderosity users and, in the wrong hands, pretend to be one of them. What implications this has for the store and other areas I don't know, but it sure as heck bothers the hell out of me. At least 11 people who followed the link I posted in Poser Forum, left this data. I haven't finished browsing the log so I don't know how many more have suffered from this. http://www.renderosity.com/messages.ez?Form.ShowMessage=(removed)&Form.sess_id=(removed)&Form.sess_key=(removed) The data in my logs contains web address to rosity. message data (number link ID) Form Session ID Form Session Key. My server doesn't use a particularly aggressive log system as I only need to track site usage, but I know a couple other sites that do suck down every bit of data about visitors. I'll delete the log as soon as I've finished nosing at it as I don't want to leave that sort of information on a shared server. I do however, feel that this is something Renderosity needs to look into. One last thing, this only seems to happen with Netscape and MSIE. So far no Opera user has left this info. I don't know if this is a security setting in those browsers, lack of an efficient firewall or what, but it is worrying.
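The leak described in this opening post and in Questor's later reply (session parameters carried in a forum link arriving in a third-party server log via the visitor's Referer header), together with the "remove the session id before posting" fix members were told to apply by hand, as an added example that is not part of the thread or of Renderosity's code: a Python auditor that flags Apache combined-format log lines whose Referer carries the Form.sess_id / Form.sess_key parameters, reporting only redacted token fragments, plus a helper that strips those parameters from a URL. The parameter names come from the URL quoted above; the log lines, IP addresses, message number and token values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters Renderosity appended to links for cookie-less sessions
# (names taken from the URL quoted in the thread).
SESSION_PARAMS = ("Form.sess_id", "Form.sess_key")

# Apache/NCSA "combined" format: the Referer is the first quoted field after
# the status code and response size, the User-Agent the second.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one MSIE visitor whose link carried session data,
# one Opera visitor whose link did not, and one direct download with no Referer.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2004:18:33:01 +0000] "GET /freestuff/index.html HTTP/1.1" '
    '200 5120 "http://www.renderosity.com/messages.ez?Form.ShowMessage=123456'
    '&Form.sess_id=EXAMPLEID001&Form.sess_key=EXAMPLEKEY001" '
    '"Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.6 - - [04/Aug/2004:18:35:10 +0000] "GET /freestuff/index.html HTTP/1.1" '
    '200 5120 "http://www.renderosity.com/messages.ez?Form.ShowMessage=123456" "Opera/7.50"',
    '10.0.0.7 - - [04/Aug/2004:18:36:42 +0000] "GET /freestuff/pack.zip HTTP/1.1" '
    '200 90210 "-" "Mozilla/5.0 (X11; Linux)"',
]


def session_params_in_url(url):
    """Return {name: value} for any session parameters in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in pairs if k in SESSION_PARAMS}


def redact(token):
    """Keep a two-character prefix and the length, enough to correlate lines
    without copying the usable credential into a report."""
    return token[:2] + "..." + str(len(token)) + "ch" if token else ""


def audit_log(lines):
    """Flag lines whose Referer leaked session data. Returns (hits, parsed_count)."""
    hits, parsed = [], 0
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than guessing
        parsed += 1
        leaked = session_params_in_url(m.group("referer"))
        if leaked:
            hits.append({"ip": m.group("ip"), "ua": m.group("ua"),
                         "leaked": {k: redact(v) for k, v in leaked.items()}})
    return hits, parsed


def strip_session_from_url(url):
    """Mechanical version of 'remove the session id before posting a link'."""
    parts = urlsplit(url)
    clean = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(clean)))
```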