Vanilla 2.1 not saving in the Session table / setting the Session cookie [Security Attack]

Hello,
I was trying to implement an SSO, but using Vanilla as the login provider. I'm using the 2.1a33.
I was trying to intercept the VanillaSession cookie and check it against the database, but now, for no reason, Vanilla stopped producing this cookie and is not populating the database anymore.

By debugging, it looks like Vanilla is using this Vanilla cookie, which has 5 things in it separated by |

($HashKey, $CookieHash, $Time, $UserID, $Expiration)

As the HashKey and CookieHash are not stored anywhere, and they use public algorithms, I can craft a cookie and impersonate any user by just setting the UserID and hashing it.

I really don't know what made my Vanilla installation stop using the Session table and VanillaSession cookie, but I just want to warn that this behavior can be very insecure.

Comments

  • Forget about it, I didn't realize that this hash is salted.

  • Well naturally, there is more to that still.

    If you have concerns like this, the code for it is on GitHub.

    grep is your friend.
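As an added illustration (not Vanilla's own code, and not the salted algorithm the reply points to on GitHub), this shows why a server-side salt is what stops the forgery the opening post worries about: a five-field HashKey|CookieHash|Time|UserID|Expiration cookie whose hash is keyed with a secret that never leaves the server, so changing the UserID or recomputing the hash without that secret is rejected. The field layout follows the post; the HMAC-SHA256 construction, the placeholder salt, the lifetime and the timestamps are assumptions.

```python
import hashlib
import hmac

# Constructed placeholder; a real deployment reads its secret from server config,
# never from the cookie. This is NOT Vanilla's salt.
SERVER_SALT = b"placeholder-server-side-salt"


def _payload(hash_key: str, issued: str, user_id: str, expiration: str) -> bytes:
    # Every field the server relies on is covered by the keyed hash.
    return f"{hash_key}|{issued}|{user_id}|{expiration}".encode()


def make_cookie(user_id: int, hash_key: str, now: int, lifetime: int,
                salt: bytes = SERVER_SALT) -> str:
    """Issue a cookie in the shape HashKey|CookieHash|Time|UserID|Expiration."""
    expiration = now + lifetime
    digest = hmac.new(salt, _payload(hash_key, str(now), str(user_id),
                                     str(expiration)), hashlib.sha256).hexdigest()
    return f"{hash_key}|{digest}|{now}|{user_id}|{expiration}"


def verify_cookie(cookie: str, now: int, salt: bytes = SERVER_SALT):
    """Return the UserID for an authentic, unexpired cookie, otherwise None."""
    parts = cookie.split("|")
    if len(parts) != 5:
        return None
    hash_key, cookie_hash, issued, user_id, expiration = parts
    if not (issued.isdigit() and user_id.isdigit() and expiration.isdigit()):
        return None
    if now >= int(expiration):
        return None  # expired sessions are never accepted
    expected = hmac.new(salt, _payload(hash_key, issued, user_id, expiration),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; a recomputed hash without the salt will not match.
    if not hmac.compare_digest(expected, cookie_hash):
        return None
    return int(user_id)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    c = make_cookie(42, "abcd1234", issued_at, 3600)
    print(c)
    print("valid ->", verify_cookie(c, issued_at + 10))
```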
