Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla 2.1 not saving in the Session table / setting the Session cookie [Security Attack]

Hello,
I was trying to implement an SSO, but using Vanilla as the login provider. I'm using the 2.1a33.
I was trying to intercept the VanillaSession cookie and check it against the database, but now, for no reason, Vanilla stopped producing this cookie and is not populating the database anymore.

From debugging, it looks like Vanilla is using this Vanilla cookie, which has 5 things in it separated by |

($HashKey, $CookieHash, $Time, $UserID, $Expiration)

As the HashKey and CookieHash are not stored anywhere, and they have public algorithms, I can craft a cookie and impersonate any user by just setting the UserID and hashing it.

I really don't know what made my Vanilla installation stop using the Session table and VanillaSession cookie, but I just wanted to give a warning that this behavior can be very insecure.

Comments

  • Forget about it, I didn't realize that this hash is salted.

  • Well naturally, there is more to that still.

    If you have a concern like this the for it is on GitHub.

    grep is your friend.
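
The point settled in the comments above (the cookie hash is salted), shown as an added example that is not part of the thread and is not Vanilla's code: a five-field cookie whose hash is an HMAC keyed with a server-side salt verifies only when that salt was used to build it. The field meanings (HashKey as `UserID-Expiration`), HMAC-SHA256, and the names `SERVER_SALT`, `issue_cookie` and `verify_cookie` are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a secret salt that exists only in server configuration.
SERVER_SALT = b"constructed-example-salt"


def _mac(hash_key: str, salt: bytes) -> bytes:
    """Keyed hash over HashKey; public algorithm, secret key."""
    return hmac.new(salt, hash_key.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(user_id: int, ttl: int, salt: bytes = SERVER_SALT, now=None) -> str:
    """Build HashKey|CookieHash|Time|UserID|Expiration (layout assumed)."""
    now = int(time.time()) if now is None else now
    expiration = now + ttl
    hash_key = f"{user_id}-{expiration}"
    fields = [hash_key, _mac(hash_key, salt).decode(), now, user_id, expiration]
    return "|".join(str(f) for f in fields)


def verify_cookie(cookie: str, salt: bytes = SERVER_SALT, now=None):
    """Return the authenticated user id, or None if the cookie is rejected."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 5:
        return None
    hash_key, cookie_hash, _issued, user_id, expiration = parts
    # Constant-time comparison; fails for any cookie built without the salt.
    if not hmac.compare_digest(cookie_hash.encode(), _mac(hash_key, salt)):
        return None
    # The plain UserID/Expiration fields must match what the MAC covers,
    # otherwise editing them would change identity without touching the hash.
    if hash_key != f"{user_id}-{expiration}":
        return None
    if not (user_id.isdigit() and expiration.isdigit()):
        return None
    if int(expiration) < now:
        return None
    return int(user_id)


if __name__ == "__main__":
    good = issue_cookie(42, 3600, now=1000)            # constructed sample
    print(verify_cookie(good, now=1500))               # accepted
    guessed = issue_cookie(1, 3600, salt=b"guess", now=1000)
    print(verify_cookie(guessed, now=1500))            # rejected: wrong salt
```

The security of this scheme rests entirely on the salt staying secret and being unique per installation; a default or leaked salt puts it back in the situation the original post describes.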
