[<prev] [next>] [day] [month] [year] [list]
Message-ID: <94651edb0706221118g7d8739bdy8f8d7b22d9652455@mail.gmail.com>
Date: Fri, 22 Jun 2007 23:48:53 +0530
From: "Susam Pal" <susam@...am.in>
To: full-disclosure@...ts.grok.org.uk
Subject: Orkut Server Side Session Management Error
Orkut Server Side Session Management Error
The most recent version of this document is available at:-
http://susam.in/security/advisory-2007-06-22.txt
Release date:-
22 June, 2007
Type:-
Session management error
Authors:-
Susam Pal, Vipul Agarwal
Researchers:-
Susam Pal, Vipul Agarwal, Gaurav Mogre
(Gaurav's input is present in this advisory even though he could not
play a role in writing this advisory.)
Description of normal logout:-
On a successful login, Orkut sets a client side session cookie called
'orkut_state' to keep track of sessions. When a user logs out, the
client side cookie is deleted.
Description of unsuccessful authentication during a session:-
When a user fails to authenticate himself during a session (say, while
deleting a community), the user is redirected to a login page where he
has to enter his password to reauthenticate himself. The user is not
required to enter his user-name again. The user-name is already shown on
the login page and the user is required to enter the password only. In
this case, the client side cookie is not deleted in order to keep track
of the user re-authenticating himself.
Vulnerability:-
Orkut fails to expire or disable the session associated with the
'orkut_state' cookie when the user logs out or fails to authenticate
himself during a session.
Impact:-
1. If an attacker manages to steal this cookie from another user, he
can gain access to the compromised account even after the user has
logged out since the session associated with it is still alive at
the server side.
2. In case of unsuccessful authentication during a session, when the
user finds himself logged out, if he leaves the browser unattended,
a trespasser can login to his account simply by entering a valid URL
for his account or clicking the 'Home' link.
Previous advisory:-
Net-Square Solutions Pvt. Ltd. reported a similar issue to Google on
10 February, 2006 and released an advisory on 31 January, 2007 which
reports the vulnerability to have been fixed with session cookies now
set to expire in 24 hours. This Net-Square advisory is avaiable at:
http://net-square.com/advisory/NS-310107-ORKUT.pdf
However, attacks are still possible before the expiry of the cookies as
described in the previous section. A more secure solution is described
in the next section.
Solutions:-
1. The session associated with 'orkut_state' cookie must expire at the
server side when the user logs out.
2. The session associated with 'orkut_state' cookie must be disabled
temporarily when a user fails authentication during a session. The
session should be enabled only after the user successfully
authenticates himself.
Prevention:-
1. A user logged into Orkut should not run any untrusted JavaScript or
program to prevent the cookie from being stolen.
2. On a shared system, the user must log out of Orkut by clicking the
"Logout" link. This would delete the session cookies at the browser
and another user can not read the cookie value from the browser.
Alternatively, the cookie can be removed from the browser.
Disclaimer:-
This document is published with the hope that it will be useful, but
without any warranty; without even the implied warranty of
merchantability or fitness for a particular purpose. The information in
this advisory should be used for education, research, experimentation,
bug-fixes and patch-releases only. The authors shall not be liable in
any event of any damages, incidental or consequential, in connection
with, or arising out of this advisory.
Contact Information:-
1. Susam Pal
susam@...am.in
http://susam.in/
2. Vipul Agarwal
vipul@...tygeeks.com
http://www.ang-productions.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists