<<< Date Index >>>     <<< Thread Index >>>

Re: Invision Power Board v2.1.4 - session hijacking



Matt,

On 16-mrt-2006, at 15:55, matt@xxxxxxxxxxxxxxxxx wrote:

This report is ridiculous and quite frankly shows that the author does not understand how IPB works.

Yes, the author is correct in finding that if you: copy the user's IP address, copy the user's user-agent and copy the user's session ID then they can "hijack" your session.

That's because, to all intents and purposes you are the same person.

A stateless HTTP application HAS to authenticate against SOMETHING.

This report is bogus. Feel free to relabel it "Stateless HTTP authentication potential vulnerability" and remove it from Invision Power Board's category.

You finally answered, that is something. We can continue this discussion here so you can't close
the topic like you did on the Invision Board site.

I will state again what the problem is:

1. Users behind a proxy that do not initiate the X-FORWARDED-FOR header will all have the same
    ipnumber.

2. A user using an OS that can close the Desktop session without killing the applications like the browser will possible still be logged in into the targeted Invision Board site.

Both situations will make it easier to hijack the session once it is installed on a server with tranparent sessions.

You stated that the user agent can be used for additional checks. Let me state that it is very easy to fake that. Once you can get the specific user to visit a site where the session id is disclosed you have both the session id and the user agent. At that moment you will be able to login as that user _if_ you have the same ipnumber (behind a proxy for instance).

Faking the user agent itself can be done with lots of tools or even at the command line.

As for hiding the session id, in certain situations it will keep showing up not matter what you do. Popups, javascript, etc.. You must be absolutely sure this will not take place.

One last thing, you might be right when you state that I do not know how the board works, however, I do not need to know since the session hijacking itself reveals how it works, you are not checking enough in certain situations. Since this is not open source I can't check it (not willing to buy a version if I will not use it).

Matt, as stated in the original posting I tried to contact you twice before I disclosed the information. You are making yourself ridiculous (to use the words you like to use) in front of all your customers. Be a good sport, think about how
you want to fix this and patch the board.

Kind regards,

Hans