Hey,
I think there might be a problem with the facebook module as it took control of my site from me and locked me out.
This is a copy of the letter I sent to the security issue people which explains what the problem is:
"Fb is a module which allows you to create a Drupal content type to embed functionality in Facebook, taken from Drupal. I had taken an iframe of my site and embedded it in the Facebook page. When someone comes from Facebook to see my page, they are given a temporary user name and given the privileges of an "authenticated user." However, once a user had viewed my page through Facebook, suddenly I was locked out of my site. It gave me the functionality of the site, but I couldn't log into any administration menus. Couldn't log out, couldn't log in. My admin menu was met with "access denied" errors. Even after flushing the cache and authenticated sessions from my browser. Same problem with different browsers.
I thought, how could this be? But I had the "who's online" option on, with 2 fb users. I figured the module had overridden something to give it control. So I removed the module from the ftp interface, and moved it to a different file, and edited my setting.php file to stop the reference to it (required for the module). I thereafter tried to regain control to no avail. I had to go to phpmyadmin from my hosting interface, and delete the temp Facebook user from my database. Once I had done this, and it was logged out, I was able to regain control of my site. I can't see how this could be anything but a security issue, as anything taking control of the site and locking a site admin out is not good news."
I figured I'd post it here so you could get a heads up about it and see what the problem could be. It's a really cool module; I hope you can get it fixed soon.
Thanks.
Comments
Comment #1
rc2020 commented:
Any idea what might be causing this problem? I would love to enable the fbook module again but I can't if it will lock me out of my system...
Comment #2
Dave Cohen commented:
Can you give some details about how you configured the module's settings? How exactly did you take "an iframe of my site and embedded it in the facebook page"?
These modules are relatively immature. They're not for the average drupal user. You have to be able to track down issues like this and describe exactly what's going on.
Comment #3
rc2020 commented:
Ok. I have since removed the code as I deleted the facebook module in order to regain access to my site, but what happened is that I took an iframe of my entire page, and used that as my test facebook page. When a few users came to my site, my site wouldn't authenticate me and locked me out of all administrator functions.
By iframe of my entire page, I set the facebook app settings to use iframe, and I embedded lifeundersun.com/googlemaps to show up on my facebook app page. The entire page (that you would see if you went to the url provided) showed up in the facebook app page.
Is there any more information that I could find for you that would be necessary to help you track down the problem?
Comment #4
Dave Cohen commented:
When you say, "I embedded lifeundersun.com/googlemaps to show up on my facebook app page," I have no idea what you're talking about.
Are you even using the fb modules? Have you read the README.txt?
Comment #5
rc2020 commented:
Yes.
Yes, I was using the fb module; yes, I have read the README text. Perhaps I am not explaining it step by step, but I've made a few sites on Drupal and the one I am discussing has a lot of functionality and I've used a lot of modules and done a lot of work to make that happen, so I have a pretty good idea of what I'm doing. I wouldn't report something as a security issue unless I thought it was legitimate.
What I mean by embedding:
On the Fb module settings page, and on my application settings page, I had the front page of my website as the canvas page. So www.example.com/ was the page I had it set to as my application canvas page. With the radio box of IFRAME or FBML I had IFRAME checked. I had the option set for a Facebook user using my application, and thus viewing the canvas page through Facebook, to have the same permissions as "authenticated user."
When Facebook users went on my site, by looking at my specified canvas page, reaching it from the iframe of my page specified on apps.facebook.com, I was locked out. It said there were 2 users online, and they were like 959205@facebook. When they were logged on, I had total loss of control of my website: couldn't access any administration pages, couldn't log out, couldn't log in. I was basically in limbo. Flushing cache, authenticated sessions, multiple browsers, multiple computers, all did nothing.
I had to disable the module manually by deleting it and by going into my database and manually deleting the user from the user table. Because of that I don't have a picture-perfect step-by-step breakdown of what happened. I know this isn't ideal, and I can search my logs to see what I can find, but all I know is: a Drupal user (me) installed this module and it locked him out of his site. Your module is awesome, and it can definitely revolutionize a lot with Drupal and Facebook integration. But it won't if it locks people out of their site, and I want to help you find the solution so it doesn't happen again, but I don't know how much more specific than that I can get.
Comment #6
Dave Cohen commented:
If you mean that www.example.com/ is the callback URL you specified on the facebook app settings page, that is probably the cause of your problem. When you create a Facebook Application (Drupal node), the node will tell you what to use as the callback URL, and a number of other fields for the settings form (on facebook). If you use anything other than what the node tells you to use it will not work.
Enable the fb_devel module, and enable the block that module provides. It will show you some details when you visit a canvas page. If the above does not solve your problem, paste the contents of that block to this issue and I might be able to help.
Comment #7
Letharion commented:
Since Drupal 5 is no longer supported, I'm taking the liberty to close all FB D5 support requests.