Re: Invision Power Board v2.1.4 - session hijacking

To: matt@xxxxxxxxxxxxxxxxx
Subject: Re: Invision Power Board v2.1.4 - session hijacking
From: Hans Wolters <hans.wolters@xxxxxxxxx>
Date: Thu, 16 Mar 2006 18:45:44 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20060316145514.29843.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060316145514.29843.qmail@xxxxxxxxxxxxxxxxx>

Matt,

On 16-mrt-2006, at 15:55, matt@xxxxxxxxxxxxxxxxx wrote:

This report is ridiculous and quite frankly shows that the authordoes not understand how IPB works.
Yes, the author is correct in finding that if you: copy the user'sIP address, copy the user's user-agent and copy the user's sessionID then they can "hijack" your session.
That's because, to all intents and purposes you are the same person.

A stateless HTTP application HAS to authenticate against SOMETHING.
This report is bogus. Feel free to relabel it "Stateless HTTPauthentication potential vulnerability" and remove it from InvisionPower Board's category.

You finally answered, that is something. We can continue thisdiscussion here so you can't close

the topic like you did on the Invision Board site.

I will state again what the problem is:

1. Users behind a proxy that do not initiate the X-FORWARDED-FORheader will all have the same

    ipnumber.

2. A user using an OS that can close the Desktop session withoutkilling the applications like the browserwill possible still be logged in into the targeted InvisionBoard site.

Both situations will make it easier to hijack the session once it isinstalled on a server with tranparent sessions.

You stated that the user agent can be used for additional checks. Letme state that it is very easy to fake that. Once you can get thespecific user to visit a site where the session id is disclosed youhave both the session id and the user agent. At that moment you willbe able to login as that user _if_ you have the same ipnumber (behinda proxy for instance).

Faking the user agent itself can be done with lots of tools or evenat the command line.

As for hiding the session id, in certain situations it will keepshowing up not matter what you do. Popups, javascript, etc.. You mustbe absolutely sure this will not take place.

One last thing, you might be right when you state that I do not knowhow the board works, however, I do not need to know since the sessionhijacking itself reveals how it works, you are not checking enough incertain situations. Since this is not open source I can't check it(not willing to buy a version if I will not use it).

Matt, as stated in the original posting I tried to contact you twicebefore I disclosed the information. You are making yourselfridiculous (to use the words you like to use) in front of all yourcustomers. Be a good sport, think about how

you want to fix this and patch the board.

Kind regards,

Hans

Follow-Ups:
- Re: Invision Power Board v2.1.4 - session hijacking
  - From: exon

References:
- Re: Invision Power Board v2.1.4 - session hijacking
  - From: matt

Prev by Date: Re: Linux zero IP ID vulnerability?
Next by Date: Remote overflow in MSIE script action handlers (mshtml.dll)
Previous by thread: Re: Invision Power Board v2.1.4 - session hijacking
Next by thread: Re: Invision Power Board v2.1.4 - session hijacking
Index(es):
- Date
- Thread