lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Proxy - Cookie - PhP - .htaccess Questions

------------------------------------------------------------------
- EXPL-C-2003-001 exploitlabs.com conjecture paper 001
------------------------------------------------------------------

-=- PHP and .htaccess Authorization Bypass Conjecture -=-


 If someone could help me with the implications of this scenario :

you = user-ip
proxy = proxy ip
remhost = host-ip


Open browser via proxy to <hostip> with member forum php/BB type with login
/ pass.
( if im correct this sets a cookie to "maintain state"  for session auth)
do stuff.
Change or turn off proxy in browser.
do more stuff.

Q? Are you still authorized?
C? its looks so
A? dunno really, this is why I wrote this. help-me?


My Opinion:
 I think many or most of these php/BB style forums use the <user-ip> as part
of the cookie making ( baking? yum ) authentication and persistant state
process. It just seems odd that thers no obvious change in the auth, but yet
technically the "you' have gone from <proxy-ip> to <user-ip>. This would
seem to enable a "session sharing" scenario if you could corordinate a
common proxy and a cookie sharing routine to bypass a many restriction...
no? Help me figure this out, it is just hypothetical ( hence the
conjecture ). What about .htaccess? does this violate that protection as
well??? I say ...YES. Comments and FACTUAL, LOGICAL theory are asked upon
this as it may ( could ) change the whole aspect of "location" or "absolute"
auth via a IP protocol. ( or I will be highly embarased as to my high level
ignarami )

Donnie Werner
morning_wood@...loitlabs.com
http://exploitlabs.com  "where finding your hole is job one, and plugging it
is half the fun"

oh.. check out http://frame4.com for your corporate security needs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ