User security - registration process issue - user not logged out

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

We have a new Joomla installation (Joomla 3.8.5) with the third-party component PayPlans (a subscription component that fully supports JomSocial), and we use JomSocial 4.5.
We are currently in the setup process.
We are hitting a very serious security issue.

We registered one user, successfully completed the registration process and then logged in to JomSocial.
We then logged out of the account via the navigation menu (log off button), and tested the same with the log off button of the Hello Me module.

We navigated back to the community login, wanted to register a new user, and were presented with the subscription selection (PayPlans).
Instead of getting the registration form to fill in, we got the confirmation for the first user.

I ran a complete new registration process another time in Chrome, and the same test in Safari, and registered a new user.
The user was activated after using the link sent to my email address. All fine so far. I logged in successfully. Then I logged off and got the JomSocial Community login screen.
Now I clicked on the Community link again and I was back in the internal area, in logged-in status.

I tried the same thing again and got the Community login screen again - but every time I click on the Community link in the main menu I am back in the internal area. This should not be the case, as I logged off the page.
So something is seriously not OK here and it is definitely a security problem.

I doubt that this is linked to PayPlans; it is more an issue with JomSocial, as we use the official log off button.

Can you please crosscheck and run another test on your side? The issue is not browser related... I was able to reproduce this issue at will, 100% of the time, on Chrome as well as on Safari!

I have uploaded a zip of the recorded screencast with the reproducible test case. It is in mp4 format.

6 years 1 month ago
Licenses:
JomSocial Active GURU Active Publisher Active AdAgency Active iSEO Active Socialize Active

Hi,
I have not found the video in your last post. Can you add it again?
Also, I tested the login/logout with the login details you submitted, and login is working fine, and logout too.
Can you describe the issue again, as the logout is working fine?
Also, try disabling PayPlans and check what issue you have then, as PayPlans may override JomSocial to apply its plans.


Regards

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

Hi Pankaj,
thanks a lot for the fast reply.
It is interesting that you were not able to reproduce this issue at all, while it happens to me every time, independent of which browser I use.
You are right that the PayPlans component may override some code - but I would wonder why the standard log-out buttons on the JomSocial menu bar and the Hello Me module should not work as expected. It is just the log-out process. To me there is no customization from other components.
But why, after the logout process and clicking on the standard JomSocial frontpage link, am I still directed to my community page in a logged-in state?

The recorded screencast shows this... but I just realized that I cannot upload an attachment with a size above 5.9 MB, while my mp4 file in zipped format is around 7 MB.
How can I send it to you alternatively?

Thanks & regards
Markus

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

Hello Pankaj,
I have not found any screencast attached to your last post.

Please note I have reported the same issue to Stackideas support, who own PayPlans.

They tested this and stated that this seems to be JomSocial's issue. They ran another test from their end and tried to register without going through the PayPlans subscription, and they are hitting the logout issue as well.
Therefore we have quite a number of reproducible test cases, and they advised me to consult JomSocial support, which I did.

Most probably some cache/cookies on the server side - but this should be investigated by you, as it is really a serious issue.

Have you really followed the exact same steps and scenario we did?

Please watch drive.google.com/open?id=1bmu936oyCmWHlgxfmJ2mfoP3Llpw23rl

Thanks
Markus

6 years 1 month ago
Licenses:
JomSocial Active GURU Active Publisher Active AdAgency Active iSEO Active Socialize Active

Hi,
can you give me the login details of user John? The current login is working fine.
Here is the attached file:
drive.google.com/file/d/1lRx88WzNVvOj3SIBET1gJVaFLfnbZL1G/view

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

Hi Pankaj,
first of all, it seems I am totally blind, but I do not see any files attached to your posts!!!

I just tried another test, registered the test account 'John' another time, and was again able to reproduce the issue.
After clicking on the log-out button I am redirected to the JomSocial frontpage (login screen). When I now click on Community in the main menu again, I am redirected to the social stream (logged in again) without entering the user name and password.
What is very strange... while I am still logged in... I checked the logged-in users status in the backend, and John is not listed at all... only I am listed, as Super User logged in to the backend.

This situation makes me really worried.

Login credentials are:
John
Passcode: ABtg78!!

6 years 1 month ago
Licenses:
JomSocial Active GURU Active Publisher Active AdAgency Active iSEO Active Socialize Active

Hi,
the issue is from PayPlans.
I disabled it and checked that the logout is working fine.
PayPlans overrides JomSocial to create different plans and access. While it is disabled, you can see login working fine.
Also, I removed the index.html file that shows an offline message in the root, as the Hello Me logout button redirects to the homepage, but due to the HTML file the command is not executed.
First, you can remove the index.html file and check if the same issue occurs; then disable PayPlans and report the issue to the extension team for its compatibility with JS 4.5.

Regards

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

Hi Pankaj,
thanks for testing again... you are right, and I have done another test myself with the PayPlans plugins disabled, and all is working as expected with the logout process on JomSocial.
As soon as I activate PayPlans, I have the issue that the user session is still active and logout does not work. Interestingly, the user is no longer visible in the backend as a logged-in user - but I can still navigate in the internal area on the frontend after logout.
The index.html is just there to hide the webpage on the Internet so that it is not visible to everybody. So it is online for testing purposes only, via the direct link index.php. This is not related to the logout issues, since I ran the tests without index.html.
I have now challenged the PayPlans team another time and forced them to investigate this further.

I have now done another two tests to make sure there is no relation to browser type or even computer.
I used Chrome and Firefox on my iMac... then I used a different iMac with Safari - and I can always reproduce the issue.

I played around and at one point (see the very end), the logout process is finally successful. But in between, the session is still active and I can navigate everywhere, while in the backend the user is no longer visible as a logged-in user.
This is proof that there is some issue - but with PayPlans then, which most likely modified/customized some JS code.

Just for your information, in case you are interested, you can watch the new video with the complete test cycle, with frontend and backend information.
Backend via Chrome, frontend via Firefox.

drive.google.com/open?id=15-pfjPkhyJYWW3w6Jwyv1ZbAifIzE_N_


The ball is now with the PayPlans team.

I keep you posted.

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

Hello Pankaj,

I am very sorry to say that you were not right, and we (the PayPlans team and myself) have re-tested the case.
We disabled the PayPlans (plugins) and used just the core JomSocial - and unfortunately there are the same issues with the log-out process.
I can reproduce the issue: the log-out is not working, and when I click on the Community link 2 times, I am back in the internal system.
Interestingly, it is not always the same situation. I always start with a clean browser session and cache cleared. I log in and log out, click two or three times on the Community frontpage menu, and get presented with the login page. But when I do the same thing a second time... log in, then log out, then click on the Community frontpage menu... I am back in the internal system as logged in!!!!

Please try with user 'John' and passcode ABtg78!!

I have now done another two tests to make sure there is no relation to browser type or even computer.

I used Chrome and Firefox on my iMac... then I used a different iMac with Safari - and on my iPad on iOS I used Safari and Firefox, and I can always reproduce the issue!!!!!
I played around and at one point (see the very end), the logout process is finally successful. But in between, the session is still active and I can navigate everywhere, while in the backend the user is no longer visible as a logged-in user.
This is proof that there is some issue!

Please watch the new video with the complete test cycle, with frontend and backend information.
Backend via Chrome, frontend via Firefox.

drive.google.com/open?id=15-pfjPkhyJYWW3w6Jwyv1ZbAifIzE_N_

As stated before, I have enabled the index.html file so that the webpage is not online and visible to everybody. So you would need to use index.php.
But I always used the test case without index.html and the issue is there...

Why are the sessions not properly closed on JomSocial? And the system configuration for cache and session is standard as per the Joomla documentation.

So there is something seriously wrong, and it is a top critical blocker for the entire project!!!!

6 years 1 month ago
Licenses:
JomSocial Active GURU Active Publisher Active AdAgency Active iSEO Active Socialize Active

Hi,
can you try a test now and let me know if it is working?
I disabled the plugin now and the issue is not reproducing at my end:
drive.google.com/file/d/13lS7MVqaF_-3MboR_y9jOpYQtXrAtWlk/view
In the first test in the video you can see the plugin was enabled; after that I disabled it and it started working, and enabling them again caused the issue.
Let me know if it's the same at your site.
There is no such issue in JomSocial for logout; I tested in a fresh installation of the package as well. If you find the issue after disabling PayPlans, I will investigate it further on your site.



Regards

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

Hello Pankaj,
I am sorry to say that the issue is reproducible at will, any time, with ALL PayPlans plugins and the component itself disabled.
Therefore the logout issue is definitely an issue with JomSocial and must be investigated.
Please watch another test case: drive.google.com/open?id=15-pfjPkhyJYWW3w6Jwyv1ZbAifIzE_N_

So there is something seriously wrong, and it is a top critical blocker for the entire project!!!!

I really have provided many test cases now, and it doesn't matter which browser, PC, Mac, iPad etc.... the issue is reproducible every time.

6 years 1 month ago
Licenses:
JomSocial Active GURU Active Publisher Active AdAgency Active iSEO Active Socialize Active

Hi,
please share your Skype, as I noticed in the video that you haven't disabled the plugin and component.
I am not able to replicate it after disabling PayPlans.
Kindly share your Skype so I can check your screen directly.


Regards

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

Hi Pankaj,
I am very sorry, but I provided you the old Google Drive link for the session I recorded the day before.
This is now the correct link with the reproducible test case, where you can see that all PayPlans code was disabled before I did the test.

Please watch: drive.google.com/open?id=1pTeUHW7CbIuzZzAHNY-7g3LCTZR4FD5x

6 years 1 month ago
Licenses:
JomSocial Active iSEO Active Socialize Active

As mentioned in the previous update, the issue is reproducible while ALL PayPlans code is disabled:
drive.google.com/open?id=1pTeUHW7CbIuzZzAHNY-7g3LCTZR4FD5x

I have now created a subdomain, installed a brand new Joomla 3.8.5 installation from scratch, used my template JA BIZ, and tested the entire scenario.
The logout on standard Joomla is working as expected, with no issues.

I then installed only JomSocial and nothing more, and enabled the Hello Me module. The menu item for the JomSocial frontpage was auto-created during the installation process.

I then tested my reported case another time and was able to reproduce the logout issue every time.
I have recorded it... please watch: drive.google.com/open?id=1D5ZVodoAA8JoX3yJF39agXVMLZvdEk5h
This issue is reproducible on Firefox and Chrome on Mac, where I tested it... and the same on Firefox and Safari on iOS on my iPad.

This now proves that this is a JomSocial issue with the logout process, and that the user sessions are not closed somewhere.

I am now kindly asking you to get this investigated further, as I have provided you quite a number of test cases.
This is a very critical security issue in the system and a showstopper for the entire project.
I am curious that no one else has reported this issue.

We are not in a position to plan any go-live.

I will provide you access to this test environment.
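Added illustration (not JomSocial, Joomla or PayPlans code, and not part of the thread): a minimal server-side session store whose `logout_incomplete` method is constructed to reproduce the symptom the thread describes (the backend shows nobody logged in, yet the browser's old cookie still opens internal pages), beside a `logout_complete` that destroys the server-side session. `verify_logout` is the regression check a site owner would run against any logout path: replay the old session id after logout and require it to be rejected. All class and function names and the `john` test user are assumptions made for this example.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session store (not JomSocial/Joomla code).

    Two structures model what the thread describes: the session table that
    authenticates requests, and the 'online users' listing an admin panel
    shows. A logout is only complete when BOTH are updated."""

    def __init__(self):
        self.sessions = {}   # session id -> username (what authenticates a cookie)
        self.online = set()  # usernames shown in the backend "logged-in users" list

    def login(self, username: str) -> str:
        sid = secrets.token_hex(16)     # fresh, unguessable session id
        self.sessions[sid] = username
        self.online.add(username)
        return sid

    def is_authenticated(self, sid: str) -> bool:
        """The check a protected page performs on the cookie it receives."""
        return sid in self.sessions

    def logout_incomplete(self, sid: str) -> None:
        """Flawed logout (constructed to reproduce the reported symptom):
        the user disappears from the backend listing and the browser gets
        redirected, but the server-side session row is left intact, so the
        same cookie still authenticates on the very next request."""
        user = self.sessions.get(sid)
        if user is not None:
            self.online.discard(user)

    def logout_complete(self, sid: str) -> None:
        """Correct logout: destroy the server-side session so the old
        identifier can never authenticate again, then update the listing."""
        user = self.sessions.pop(sid, None)
        if user is not None:
            self.online.discard(user)


def verify_logout(store: SessionStore, logout) -> dict:
    """Regression check for any login flow: log in, log out through the
    code path under test, then replay the OLD session id exactly as a
    browser holding a stale cookie would. Returns what each observer sees:
    the admin listing and the access check on a protected page."""
    sid = store.login("john")            # constructed test user
    assert store.is_authenticated(sid)   # sanity: login worked
    logout(sid)
    return {
        "listed_in_backend": "john" in store.online,
        "old_session_still_valid": store.is_authenticated(sid),
    }


if __name__ == "__main__":
    broken = SessionStore()
    print("incomplete logout:", verify_logout(broken, broken.logout_incomplete))
    fixed = SessionStore()
    print("complete logout:  ", verify_logout(fixed, fixed.logout_complete))
```

The flawed variant returns `listed_in_backend: False` together with `old_session_still_valid: True`, which is exactly the pair of observations in the thread (user gone from the backend list, frontend still navigable); a logout is only trustworthy when the second value is `False`. Against a real site the same check is done by keeping a copy of the session cookie, logging out, and requesting an internal page with the old cookie: anything other than the login screen means the server-side session survived.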

Moderators: Piotr Garasiński
Powered by Kunena Forum