[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060317092649.20195.qmail@securityfocus.com>
Date: 17 Mar 2006 09:26:49 -0000
From: matt@...isionpower.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Invision Power Board v2.1.4 - session hijacking
Hans,
My problem with this report is this:
1) You've not even read the IPB code. You've stated elsewhere that "using sessions in the URL may appear in JS pop-up windows". IPB does NOT do this. IPB removes the session ID for all links, including JS code when cookies are enabled.
2) You're missing the point. As stated elsewhere, IPB uses a similar session tracking method to both PHP's own session handler and other proprietry methods.
3) Security isn't derived from one not being able to authenticate as the user by knowing their session ID, user IP and user agent - it's by making it extremely difficult to gather this information in the first place.
Lets look at this objectively. How are you going to know what another users session ID is unless they post a link to a site they're active on in a blog entry? Lets say they post a link to a board on their blog entry. First, their session will expire after 30 minutes of no activity - so a potential hacker has a 30 minute window to find out their IP address and user agent.
I'm not stupid enough to say that can't be done; but I am realistic to know that no one is going to go to that trouble when they could invest that time in attacking the server in other ways.
Finally, I've been using this session code for over 5 years in various products and I know not of a single case where one has had their session hijacked using any methods you've stated.
Yes, in an office environment, if one "forgets" to log out and close the browser window, anyone else who has access to that machine will be logged in as that user - but that is not IPBs responsibility any more than it is a car manufacturers responsibility to ensure that a car cannot be stolen when the alarm is disengaged and the keys in the ignition.
Regards,
Matt
Powered by blists - more mailing lists