Date: Wed, 19 May 2004 16:12:35 +0100
From: Konstantin Gavrilenko <mlists@...ont.com>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Ph0rum phorum_uriauth replay attack

Arhont Ltd. - Information Security
Arhont Advisory by: Konstantin Gavrilenko (http://www.arhont.com)

Advisory: Ph0rum phorum_uriauth replay attack
Class: design bug ?
Version: 4.3.7
Model Specific: Other versions might have the same bug
Contact Date: 11/05/2004 (email sent to tomaz@...rum.org)
PD* release date: 19/05/2004

DETAILS:

It is possible to re-login into previously not logged out sessions in Ph0rum under certain conditions. Two criteria have to be fulfilled:

- the member has to leave the phorum without logging out.
- you have to intercept the hash of his not logged out session or grep it out of web-server logs

~ e.g. the intercepted URL or taken straight out of the apache logs

http://xxx.xxx.xxx/phorum/profile.php?f=1&id=2&phorum_uriauth=testuser%3Aeb5cd67f6daf1f35d45a24a36355f4b1

post it into Mozilla/Opera and you are in. Works both for ph0rum user and admin.

Maybe it is worthwhile to add an auto-expire function for sessions?

Risk Factor: Low/Medium

Workarounds: Always log out :)

*According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer 7 days before releasing them to the public domains (such as CERT and BUGTRAQ). If you would like to get more information about this issue, please do not hesitate to contact Arhont team.

--
Respectfully,
Konstantin V. Gavrilenko
Arhont Ltd - Information Security
web: http://www.arhont.com http://www.wi-foo.com
e-mail: k.gavrilenko@...ont.com
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html