
Critical Security Bug

edited November 2005 in Vanilla 1.0 Help
I just wanted to make everyone aware of a bug that I just found out about (I have sent a bug report to Lussumo's mail). I'll just cite myself:

Title: Critical Security Bug and a less important one

Ok, first the less important one.

I have found some visual problems when running FreeBSD 5.4 (on an AMD64) with Firefox and Konqueror. Take a look at this screenshot: http://zetterlund.biz/buggg.png


And now the critical security bug, which I'm surprised hasn't been noticed yet.

Well it's not much to say, I was posting a link to a thread in my vanilla forum to a friend and didn't think much else of it but when he opened it in his browser he noticed that he got logged in as ME! I'm the administrator on my forum, he is nothing but a normal user - lucky me that he's a friend. When he found out he told me and tried posting with my name, and that worked. He also changed some stuff in settings to try it out and also that worked fine!

From what we can tell the problem is that PHPSESS was in the URL that I gave him, which average user would think of that? I should have done that but I was tired and... really it shouldn't happen. Anyways I got a screenshot but there's nothing special about it, it looks like he is logged in like me: http://zetterlund.biz/error2.png

Cheers,
Teddy

Comments

  • Hmm...interesting. I'm not sure if this is avoidable when you're throwing sessions around but I wasn't aware they could work in this way. And I must admit I've never noticed the session being chucked around in the url when I've been browsing round vanilla. Is it always there when you use your forum?
  • edited November 2005

    No it's not. Immediately after we found out that he got logged in as me and we tested if it really worked, I sent him a new URL and that time there was no PHPSESSID so then it worked as it should.

    -- PAUSE --

    Just before I posted this now I had to test again but now I can't get the sessid in the url, so I'm not completely sure what triggered it but still, it's not acceptable :)

    Edit

    I apologise if this sounds like a dig at you in any way, believe me it's not...

    Heh, I didn't think of it that way until you pointed it out, hehe ;)

  • Admittedly it's not really acceptable, no - but I'd have to see Mark's take on this. There are instances when phpsess variables are passed in the url but these are rare and (imo) a fault of the system. What's more, if you're supplying the server with a valid php session then it has no reason to believe (and I assume it would be difficult to build a checker for) that you aren't the owner of that session. The chances of a rogue user being able to guess that session variable in order to compromise your account are almost non-existent. The only way someone could get access to that (I believe) is if you gave them it. In which case while it is technically a security issue, it's also a major user error. I apologise if this sounds like a dig at you in any way, believe me it's not, I'm just trying to think of this from a development point of view and to my knowledge in such an instance account security reaches a dead end. Nevertheless, I'm sure someone with a deeper knowledge of phpsessions will soon be here to correct me where I'm wrong and offer a solution - in which case I thank you for bringing this bug to attention.
  • edited November 2005
    Can't Vanilla just check the IPs before loading up the session? Admittedly, you could spoof an IP, but it would definitely help. This is definitely a huge security hole, however. Anyone can mistakenly post up a link with a session id in it...
  • I noticed the "logged in as" bug a few months back and mentioned it to Mark. Mark and I have argued (with another user) that it's likely a result of a php setting on the server which translates the PHPSESSIDs over to the url (which supposedly shouldn't be displayed). Regardless, I'm told that in the next version, if this little bug does rear its ugly little head in the future, Vanilla should shoot down the attempt to access that url and request the user to log in etc. For the record, if your Vanilla is behaving this way, chances are that you spreading links of your activity are not secure and any user who does get that link has some control over the account which it is linked to.
  • Mark (Vanilla Staff)
    edited November 2005
    This is actually not a bug, believe it or not - it is a php configuration issue on your server. If you read this page, you'll get a better understanding of the problem:

    http://ca.php.net/manual/en/ref.session.php

    The long and short of it is that vanilla uses the php session handling code to deal with user sessions, and PHP can be configured to pass session information in the url. PHP then uses that session information to keep track of who you are as you navigate a site while signed in. If you copy that session information from the url and give it to someone else, there is no way for php to distinguish you from that person (or vice versa).

    Of course I could build some wacky code into vanilla to also have some kind of IP recognition information in your session, but IP addresses change and I hate the thought of the bugs that could come out of that type of code. Example: Someone writes a long reply to a discussion, during which time their IP address changes. They hit the save button and are immediately signed out when their IP check fails and they lose their big comment.

    Now, I am aware of the issue, and I have taken precautions to ensure that it doesn't completely destroy a person to have their session id stolen. For example, there is no way for someone with a stolen session to see or change your password. So, they can only "be you" for as long as the session lasts - which is a finite amount of time.

    To really fix the problem, I'll quote the PHP manual (from the url above):

    The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it. ... if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies.

    Now, as some of you know, Vanilla's session management code will be very easy to change through extensions in the next rev. If you want to do something like an IP check, it will be very easy for you to write an extension to do so. However, I currently have no plans of changing my session management for the next rev as I do not consider this to be a bug. I do, however, plan on documenting it and making it very clear to people what should be done *during the install* of vanilla.
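As an added example (this is not Vanilla's code and not from Mark's post), here is a PHP session bootstrap that covers the two points raised in this comment: the PHP settings that stop the session id being placed in URLs (session.use_only_cookies and session.use_trans_sid, as the PHP manual recommends), and a "soft" IP check of the kind an extension might do, written so that a half-written reply is stashed rather than lost when the check fails. It assumes PHP 7.0 or later, that the file is included before any output and before the application's own session_start(); the names hardened_session_start, session_id_in_request, session_ip_mismatch and the /login.php path are hypothetical.

```php
<?php
// Added example, not Vanilla's own code. Assumes PHP 7.0+ and that this runs
// before any output and before the application calls session_start().
// hardened_session_start, session_id_in_request, session_ip_mismatch and
// '/login.php' are hypothetical names chosen for this example.

// --- Weak settings that yield links like /comments.php?PHPSESSID=abc123 ---
// session.use_trans_sid = 1     ; PHP rewrites links and forms to carry the id
// session.use_only_cookies = 0  ; PHP accepts an id from the query string
//
// --- Hardened settings (php.ini, .htaccess php_value, or ini_set as here) ---
ini_set('session.use_only_cookies', '1'); // read the id from the cookie only
ini_set('session.use_trans_sid', '0');    // never append the id to URLs
ini_set('session.use_strict_mode', '1');  // ignore ids this server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly', '1');  // keep page scripts from reading the cookie
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1'); // cookie only travels over TLS
}

/**
 * True when a session id arrived in the query string or form body, i.e. the
 * visitor followed or pasted a link that carried PHPSESSID. With
 * use_only_cookies on, PHP already ignores it; this lets the application log
 * the event and strip the id from the URL.
 */
function session_id_in_request(): bool
{
    $name = session_name();
    return isset($_GET[$name]) || isset($_POST[$name]);
}

/**
 * Soft IP binding: records the client address when the session is first seen
 * and reports a mismatch on later requests. Returns true only on a mismatch.
 */
function session_ip_mismatch(string $client_ip): bool
{
    if (!isset($_SESSION['bound_ip'])) {
        $_SESSION['bound_ip'] = $client_ip;
        return false;
    }
    return $_SESSION['bound_ip'] !== $client_ip;
}

/**
 * Starts the session and applies both checks. On an IP mismatch the visitor is
 * sent to sign in again, but any submitted form is kept in the session so a
 * long reply is not lost (the failure mode Mark describes above).
 */
function hardened_session_start(string $login_url = '/login.php'): void
{
    if (session_id_in_request()) {
        error_log('session id supplied in request from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        // Rebuild the URL without the session parameter and redirect to it;
        // the cookie-based session, if there is one, is untouched.
        $uri   = $_SERVER['REQUEST_URI'] ?? '/';
        $path  = strtok($uri, '?');
        $query = $_GET;
        unset($query[session_name()]);
        $clean = $path . ($query ? '?' . http_build_query($query) : '');
        header('Location: ' . $clean, true, 303);
        exit;
    }

    session_start();

    $client_ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (session_ip_mismatch($client_ip)) {
        $draft     = $_POST;                        // the in-flight form, e.g. a comment
        $return_to = $_SERVER['REQUEST_URI'] ?? '/';
        session_regenerate_id(true);                // new id; the old one is discarded
        // Drop the authenticated state but keep the draft for after re-login.
        $_SESSION = ['draft' => $draft, 'return_to' => $return_to];
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

hardened_session_start();
```

The login page would, after a successful sign-in, redirect to `$_SESSION['return_to']` and repopulate the form from `$_SESSION['draft']`. Whether an IP check is worth its false positives (mobile and proxied clients change address routinely) remains the judgement call Mark makes above; the two ini settings are the part that closes the leak itself.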