<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Invision Power Board v2.1.4 - session hijacking



Hans,

My problem with this report is this:

1) You've not even read the IPB code. You've stated elsewhere that "using 
sessions in the URL may appear in JS pop-up windows". IPB does NOT do this. IPB 
removes the session ID for all links, including JS code when cookies are 
enabled.

2) You're missing the point. As stated elsewhere, IPB uses a similar session 
tracking method to both PHP's own session handler and other proprietry methods.

3) Security isn't derived from one not being able to authenticate as the user 
by knowing their session ID, user IP and user agent - it's by making it 
extremely difficult to gather this information in the first place.

Lets look at this objectively. How are you going to know what another users 
session ID is unless they post a link to a site they're active on in a blog 
entry? Lets say they post a link to a board on their blog entry. First, their 
session will expire after 30 minutes of no activity - so a potential hacker has 
a 30 minute window to find out their IP address and user agent.
I'm not stupid enough to say that can't be done; but I am realistic to know 
that no one is going to go to that trouble when they could invest that time in 
attacking the server in other ways.

Finally, I've been using this session code for over 5 years in various products 
and I know not of a single case where one has had their session hijacked using 
any methods you've stated.

Yes, in an office environment, if one "forgets" to log out and close the 
browser window, anyone else who has access to that machine will be logged in as 
that user - but that is not IPBs responsibility any more than it is a car 
manufacturers responsibility to ensure that a car cannot be stolen when the 
alarm is disengaged and the keys in the ignition.

Regards,

Matt