How to access a chatroom when not logged in (and not be announced either)

jswap - June 2, 2009 - 20:01
Project: Chat Room
Version: 5.x-1.9
Component: Code
Category: bug report
Priority: critical
Assigned: justinrandell
Status: active
Description

You can log out of Drupal 5 (don't know if this happens with 6) and still access chatrooms that require authentication. Furthermore, you are invisible while you watch other people chat. Here's how to do it:

1. Do a normal logon with your username and password.
2. Enter a chat room.
3. Click out of the chatroom into another area (like forums).
4. Log out of your account.
5. Click the browser's "Back" button until you are back in the chatroom and you'll see other people chatting.

It should be noted that at this point, unlike direct selection of the chat function, no security page demanding a user name and password is presented. Further, it is not announced that you have entered the chatroom, and you can even chat with others (you'll be assigned a "guest-###" name). If you do chat with others, it will then forward you to a login screen, but you can just back up into the chatroom again.

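The report describes a chat page whose background requests keep succeeding after the session has been logged out, and a post endpoint that merely redirects to the login form. As an added example, not the Chat Room module's own code, here is the shape of the server-side fix in Drupal 5 style: every poll and post request re-checks the current session and answers anonymous callers with a 403, and the chat page itself is served with no-store headers so the Back button refetches it instead of replaying the cached copy. The paths `chat/poll` and `chat/post`, the permission name `access chatroom`, the `{example_chat_msg}` table and all function names are assumptions made for this illustration.

```php
<?php
// Illustrative Drupal 5-style module code, not the Chat Room module's own.
// Paths, the 'access chatroom' permission and the {example_chat_msg} table
// are assumptions for this example.

function example_chat_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    // Menu-level access is evaluated at routing time; the callbacks below
    // repeat the check so every AJAX request is judged on its own session.
    $items[] = array(
      'path' => 'chat/poll',
      'callback' => 'example_chat_poll',
      'access' => user_access('access chatroom'),
      'type' => MENU_CALLBACK,
    );
    $items[] = array(
      'path' => 'chat/post',
      'callback' => 'example_chat_post',
      'access' => user_access('access chatroom'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

// A page restored from browser history still sends the session cookie, but
// after logout that cookie no longer maps to a logged-in user, so this fails.
function example_chat_access() {
  global $user;
  return $user->uid > 0 && user_access('access chatroom');
}

// Keep the chat page and its responses out of the browser cache so Back
// triggers a fresh request (and therefore the access check) where possible.
function example_chat_no_store() {
  drupal_set_header('Cache-Control: no-store, no-cache, must-revalidate, private');
  drupal_set_header('Pragma: no-cache');
  drupal_set_header('Expires: Sun, 19 Nov 1978 05:00:00 GMT');
}

function example_chat_load_messages($since) {
  $result = db_query("SELECT uid, msg, created FROM {example_chat_msg} "
    . "WHERE created > %d ORDER BY created", $since);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = array(
      'uid' => (int) $row->uid,
      'msg' => check_plain($row->msg),   // escape before it reaches the DOM
      'created' => (int) $row->created,
    );
  }
  return $rows;
}

// Poll endpoint: a 403, not a redirect to the login form, so the client-side
// script sees an unambiguous failure instead of a 200 containing HTML.
function example_chat_poll() {
  if (!example_chat_access()) {
    drupal_access_denied();
    return;
  }
  example_chat_no_store();
  $since = isset($_GET['since']) ? (int) $_GET['since'] : 0;
  drupal_json(array('messages' => example_chat_load_messages($since)));
}

// Post endpoint: same session check; anonymous callers never get a
// "guest-###" identity because they never reach the insert.
function example_chat_post() {
  global $user;
  if (!example_chat_access()) {
    drupal_access_denied();
    return;
  }
  example_chat_no_store();
  $msg = isset($_POST['msg']) ? trim($_POST['msg']) : '';
  if ($msg === '' || strlen($msg) > 1000) {
    drupal_json(array('status' => 'error', 'reason' => 'empty or too long'));
    return;
  }
  db_query("INSERT INTO {example_chat_msg} (uid, msg, created) VALUES (%d, '%s', %d)",
    $user->uid, $msg, time());
  drupal_json(array('status' => 'ok'));
}
```

The per-request check matters more than the cache headers: a browser may still restore the page from its history regardless of `Cache-Control`, but the script on that page can then neither fetch new messages nor post, which closes both the silent-observer and the guest-posting paths described in the report.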
#1

justinrandell - November 9, 2009 - 14:42
Assigned to: Anonymous » justinrandell

Not really interested in the 5.x branch, but as this looks like a security issue I'll try to reproduce. Thanks for the report.
