lists.openwall.net
Open Source and information security mailing list archives
Date: 17 Mar 2006 09:26:49 -0000
From: matt@...isionpower.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Invision Power Board v2.1.4 - session hijacking


Hans,

My problem with this report is this:

1) You've not even read the IPB code. You've stated elsewhere that "using sessions in the URL may appear in JS pop-up windows". IPB does NOT do this. IPB removes the session ID for all links, including JS code when cookies are enabled.

2) You're missing the point. As stated elsewhere, IPB uses a similar session tracking method to both PHP's own session handler and other proprietary methods.

3) Security isn't derived from one not being able to authenticate as the user by knowing their session ID, user IP and user agent - it's by making it extremely difficult to gather this information in the first place.

Let's look at this objectively. How are you going to know what another user's session ID is unless they post a link to a site they're active on in a blog entry? Let's say they post a link to a board on their blog entry. First, their session will expire after 30 minutes of no activity - so a potential hacker has a 30 minute window to find out their IP address and user agent.
I'm not stupid enough to say that can't be done; but I am realistic enough to know that no one is going to go to that trouble when they could invest that time in attacking the server in other ways.

Finally, I've been using this session code for over 5 years in various products and I know not of a single case where one has had their session hijacked using any methods you've stated.

Yes, in an office environment, if one "forgets" to log out and close the browser window, anyone else who has access to that machine will be logged in as that user - but that is not IPB's responsibility any more than it is a car manufacturer's responsibility to ensure that a car cannot be stolen when the alarm is disengaged and the keys are in the ignition.

Regards,

Matt
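An added illustration of the validation logic described in this reply (a session ID that is only accepted together with the client's IP address and user agent, and that expires after 30 minutes of inactivity). This is example code written for this page, not IPB's own session handler; the store, field names and sample values are assumptions.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60  # 30 minutes of inactivity, as stated in the message


@dataclass
class Session:
    session_id: str
    user_id: int
    ip: str           # client IP recorded when the session was created
    user_agent: str   # client User-Agent recorded when the session was created
    last_seen: float  # Unix timestamp of the last accepted request


class SessionStore:
    """Assumed in-memory store; a real board would keep this in its database."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id, user_id, ip, user_agent, now):
        self._sessions[session_id] = Session(session_id, user_id, ip, user_agent, now)

    def validate(self, session_id, ip, user_agent, now):
        """Return (user_id, "ok") on success, or (None, reason) on failure."""
        s = self._sessions.get(session_id)
        if s is None:
            return None, "unknown session id"
        if now - s.last_seen > IDLE_TIMEOUT:
            # Idle too long: the window for using a leaked ID has closed.
            del self._sessions[session_id]
            return None, "expired"
        if s.ip != ip or s.user_agent != user_agent:
            # Knowing the ID alone (e.g. from a pasted URL) is not enough.
            return None, "client mismatch"
        s.last_seen = now  # only an accepted request extends the session
        return s.user_id, "ok"


if __name__ == "__main__":
    store = SessionStore()
    store.create("abc123", 42, "10.0.0.1", "Mozilla/5.0", now=1000.0)
    print(store.validate("abc123", "10.0.0.1", "Mozilla/5.0", now=1100.0))
    print(store.validate("abc123", "10.0.0.2", "Mozilla/5.0", now=1200.0))
    print(store.validate("abc123", "10.0.0.1", "Mozilla/5.0", now=1100.0 + 31 * 60))
```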

