Frequently Asked Questions
How did my users get Sysop or Host Privileges?
Created On: 15 Feb 2002 7:13 am
Last Edited: 4 Mar 2013 9:32 am
It appears that there is a security problem with Web Crossing. Suddenly I have regular users who appear to have sysop or host access!
Related: unregistered/not logged in user becomes logged in as (another) user after clicking on an external hyperlink (web site or email source).
Firstly, take comfort in the fact that Web Crossing has been ethically hacked by a third party and found to be secure.
When users suddenly appear to have gained access that they should not have, it is always due to one or more of the following reasons:
- A host or sysop has placed a hyperlink OUTSIDE of Web Crossing, leading to an item within Web Crossing, but failed to remove their user certificate from the URL (the user certificate is everything between the @ signs; the Web Crossing URL format is explained here in your documentation). A user's certificate is valid for the amount of time specified in the General settings Control Panel under "Minutes of inactivity until automatic logout". On an active site, other users can follow the hyperlink before this period has elapsed, and each use keeps the certificate valid. One way to help combat this is to turn on "A user certificate is only valid if it comes from the same IP address" in the Registered Users control panel, or to use the "HTTP Basic/Digest" login options available in 5.0+.
For example, a hyperlink URL shouldn't look like this: http://firstname.lastname@example.orgAEaP5aazO^2@.ee6d8c, but should be http://yoursite.com/webx?14@@.ee6d8c
- Someone has accidentally changed the Access List for a given area (or the entire conference), giving users HOST access, or has created a conflict by overriding Access Group(s).
- The Sysop has accidentally or unknowingly given host-like privileges to users by conferring too many rights on them in either or both Control Panels for Registered or Guest users (for example, checking off any or all boxes in "Edit existing items at all levels" or "Delete existing items at all levels").
- Custom macros (often custom toolbars) that do not take user access levels into account.
- The sysop's or a host's password has been compromised or shared.
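
For the first cause above (a certificate left in a shared link), the following is an added example, not part of the original FAQ or of Web Crossing itself: a small Python filter that finds Web Crossing links in outgoing text, reports any that still carry a user certificate, and rewrites them to the `@@` form. It assumes the `webx?<command>@<certificate>@<location>` layout shown in the FAQ's example URL; the sample text and its certificate value are constructed.

```python
import re

# Assumption (from the FAQ's example URL): the query string after "webx?" is
# <command>@<certificate>@<location>, and an empty certificate ("@@") is the
# form that is safe to publish outside the site.
WEBX_LINK = re.compile(
    r"(?P<prefix>https?://[^\s\"'<>?@]+/webx\?[^\s\"'<>@]*)"  # URL up to the first @
    r"@(?P<cert>[^\s\"'<>@]*)@"                               # certificate between the @ signs
    r"(?P<location>[^\s\"'<>@]*)"                             # item location, e.g. .ee6d8c
)

# Constructed sample: one link with a made-up certificate, one already clean.
SAMPLE = (
    'See <a href="http://yoursite.com/webx?14@CONSTRUCTED.CERT^2@.ee6d8c">this thread</a> '
    "or the clean link http://yoursite.com/webx?14@@.ee6d8c"
)


def strip_certificates(text):
    """Return (sanitized_text, findings).

    Every Web Crossing link in `text` is rewritten with an empty certificate;
    `findings` lists the original links that carried a non-empty one.
    """
    findings = []

    def _clean(match):
        if match.group("cert"):
            findings.append(match.group(0))
        return f"{match.group('prefix')}@@{match.group('location')}"

    return WEBX_LINK.sub(_clean, text), findings


if __name__ == "__main__":
    cleaned, leaked = strip_certificates(SAMPLE)
    for url in leaked:
        print("link carries a user certificate:", url)
    print(cleaned)
```

Run it over newsletter or web page source before publishing; a non-empty findings list means a link would have logged visitors in as its author until the inactivity timeout expired.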