[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6B8F5800-3D9D-4024-BB12-D5DC5C19C827@xs4all.nl>
Date: Thu, 16 Mar 2006 18:45:44 +0100
From: Hans Wolters <hans.wolters@...all.nl>
To: matt@...isionpower.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Invision Power Board v2.1.4 - session hijacking
Matt,
On 16-mrt-2006, at 15:55, matt@...isionpower.com wrote:
> This report is ridiculous and quite frankly shows that the author
> does not understand how IPB works.
>
> Yes, the author is correct in finding that if you: copy the user's
> IP address, copy the user's user-agent and copy the user's session
> ID then they can "hijack" your session.
>
> That's because, to all intents and purposes you are the same person.
>
> A stateless HTTP application HAS to authenticate against SOMETHING.
>
> This report is bogus. Feel free to relabel it "Stateless HTTP
> authentication potential vulnerability" and remove it from Invision
> Power Board's category.
You finally answered, that is something. We can continue this
discussion here so you can't close
the topic like you did on the Invision Board site.
I will state again what the problem is:
1. Users behind a proxy that do not initiate the X-FORWARDED-FOR
header will all have the same
ipnumber.
2. A user using an OS that can close the Desktop session without
killing the applications like the browser
will possible still be logged in into the targeted Invision
Board site.
Both situations will make it easier to hijack the session once it is
installed on a server with tranparent sessions.
You stated that the user agent can be used for additional checks. Let
me state that it is very easy to fake that. Once you can get the
specific user to visit a site where the session id is disclosed you
have both the session id and the user agent. At that moment you will
be able to login as that user _if_ you have the same ipnumber (behind
a proxy for instance).
Faking the user agent itself can be done with lots of tools or even
at the command line.
As for hiding the session id, in certain situations it will keep
showing up not matter what you do. Popups, javascript, etc.. You must
be absolutely sure this will not take place.
One last thing, you might be right when you state that I do not know
how the board works, however, I do not need to know since the session
hijacking itself reveals how it works, you are not checking enough in
certain situations. Since this is not open source I can't check it
(not willing to buy a version if I will not use it).
Matt, as stated in the original posting I tried to contact you twice
before I disclosed the information. You are making yourself
ridiculous (to use the words you like to use) in front of all your
customers. Be a good sport, think about how
you want to fix this and patch the board.
Kind regards,
Hans
Powered by blists - more mailing lists