Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.

How Secure is Vanilla?

edited October 2006 in Vanilla 1.0 Help
Login from computer A. Login from computer B. Change password. Both stay logged in. Create a Vanilla install in another folder on your domain. Login. Switch to the first install. Post. User posts as if they were a different user - all it took was the cookie with the right user ID. Now imagine someone purposefully doing this (it's not hard to spoof a domain). I really think authentication should be taken a little more seriously.

Comments

  • Perhaps a suggestion for a fix would save time and hassle?
  • Initially, vanilla would only let you login from one computer at a time. People complained. Lots of people. Mark changed it so you could login from more than one. People were happy. I'm not sure about the changing password thing.

    As for running 2 instances of vanilla on the same domain, unless you tell vanilla to use different cookie names it won't do. If you do, it shouldn't have any problems. If you could prove that you could set up a cookie with a spoofed domain and post to vanilla using it, then *that* would be interesting.
  • So you're saying that if you set up your server in a completely insecure way, it'll be insecure?

    Fascinating! Be sure to keep us updated!
  • Scenario: I am a hacker (I'm really not). I register for lussumo.com/community. I change my hosts file to point lussumo.com to another server I control & install vanilla in /community. I set myself up as administrator (account 1). I now have a cookie that says I'm the administrator of a forum at lussumo.com/community. I now change my hosts file so I can visit lussumo.com/community here, but keep the cookies from my install. What happens? Based on my experience of having two vanilla installs on the same server with the same cookie names, I know that if I post, it will appear as if it's coming from whoever has Account 1. After the first post, Vanilla re-writes the cookie, but it's not exactly difficult to copy & restore old cookies. Therefore I can spoof anyone on the forum that I want to. It may be possible, but I'm not sure, that I will actually get all the rights & access of the person with account 1. It may be possible to gain access to an otherwise private forum. Again, I'm not sure. Even if you change the cookie names, all you're doing is changing the cookie names - it's not exactly hard for me to change them on my install too. Perhaps changing cookie names will help a private forum stay private (the hacker would have to guess the name of the cookies - unless vanilla places these cookies even on the login page).

    ithcy - don't be such a tool, what I'm posting isn't as trivial as your sarcastic comment makes it out to be.

    As far as suggestions - perhaps hashing the cookie with an ID that is unique per-install & checking against known hashes. This way each install has a unique set of cookies that can't easily be reproduced. I'm not an expert, the vanilla developers are supposed to be the experts.
  • Basically, here's what happened. I have two vanilla installs on my domain. For example, /community and /foo. One member signed up for both, but is member 16 in /community and member 4 in /foo. He logged in to /foo & posted. He then switched over to /community, where he was already logged in & posted. It appeared as if it came from member 4. So I *know* you can spoof an ID with a cookie.
  • I've since changed the cookies, but that can't stop the type of spoofing I'm talking about.
  • Have you actually got a proof of concept here? I spent the last 10 minutes trying but haven't managed it yet (I'm no expert though) and I've gotta go to a gig. I'll have another bash later though, it's an interesting theory.
  • Sorry, Mark, I was trying to be funny and it didn't come out right. I didn't mean to sound so sarcastic.
  • NickE
    edited October 2006
    You can spoof a user id, yes, but it won't do anything because vanilla also relies on the second cookie -- the verification key -- to authenticate you. So I could set my cookie user id on this forum to 1, and delete my session id, but it will only log me out because my verification key and user id won't match. If you actually look at how the Authenticator class logs you in/verifies your session, you would know it's not that simple to successfully spoof a user's cookies.
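An added example, not Vanilla's own code, that models the two checks the thread contrasts: the naive check that trusts the UserID cookie on its own (the behaviour the first posts observed across two installs) and the kind of verification-key check NickE describes, combined with the per-install keying suggested earlier in the thread. The cookie names (UserID, SessionID, VerificationKey), the install paths /one and /two, and the HMAC-SHA256 construction over a per-install secret are assumptions for illustration; Vanilla's actual key derivation is not reproduced here. Invalidating a user's sessions on password change is included as the mitigation for the opening post's first observation.

```python
"""Per-install keyed session cookies (added example, not Vanilla's code).

naive_authenticate    - trusts the UserID cookie by itself.
Install.authenticate  - requires a VerificationKey that is an HMAC over
                        (install path, UserID, SessionID) under a secret
                        generated per install, plus a live server-side
                        session for that user.
Cookie names and the HMAC layout are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Install:
    """One forum install, e.g. /one or /two on the same domain."""
    path: str
    # Assumed to be generated once at install time and never sent to clients.
    install_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # Server-side session table: session_id -> user_id
    sessions: Dict[str, int] = field(default_factory=dict)

    def _verification_key(self, user_id: int, session_id: str) -> str:
        msg = f"{self.path}:{user_id}:{session_id}".encode()
        return hmac.new(self.install_secret, msg, hashlib.sha256).hexdigest()

    def login(self, user_id: int) -> Dict[str, str]:
        """Issue cookies for user_id; the session id is fresh and random per login."""
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = user_id
        return {
            "UserID": str(user_id),
            "SessionID": session_id,
            "VerificationKey": self._verification_key(user_id, session_id),
        }

    def authenticate(self, cookies: Dict[str, str]) -> Optional[int]:
        """Return the user id only if the cookies were issued by this install,
        are unmodified, and refer to a session that is still live."""
        try:
            user_id = int(cookies["UserID"])
            session_id = cookies["SessionID"]
            presented = cookies["VerificationKey"]
        except (KeyError, ValueError):
            return None
        expected = self._verification_key(user_id, session_id)
        if not hmac.compare_digest(expected, presented):
            return None  # different install secret, or UserID/SessionID edited
        if self.sessions.get(session_id) != user_id:
            return None  # session logged out, or never issued by this install
        return user_id

    def invalidate_user_sessions(self, user_id: int) -> int:
        """Log the user out everywhere (e.g. on password change); returns count."""
        stale = [sid for sid, uid in self.sessions.items() if uid == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def naive_authenticate(cookies: Dict[str, str]) -> Optional[int]:
    """The check the thread's early posts assume: trust UserID on its own."""
    try:
        return int(cookies["UserID"])
    except (KeyError, ValueError):
        return None


def demo() -> Dict[str, Optional[int]]:
    """Two installs using identical cookie names; only the install secret differs."""
    one, two = Install("/one"), Install("/two")
    c_one = one.login(1)  # user 1 logs in to /one
    c_two = two.login(2)  # user 2 logs in to /two
    results = {
        "own_cookie": one.authenticate(c_one),
        "naive_other_install": naive_authenticate(c_two),
        "keyed_other_install": one.authenticate(c_two),
        "edited_user_id": one.authenticate({**c_one, "UserID": "2"}),
    }
    one.invalidate_user_sessions(1)  # user 1 changed their password
    results["after_password_change"] = one.authenticate(c_one)
    return results


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name:>22}: {user}")
```

The point of the design is that the cookie name is not the control: both installs here use the same three cookie names, and the /two cookie is still rejected by /one because the verification key was computed under a different secret. The server-side session table is what lets a password change (or explicit logout) end every existing session for that user, which the opening post found did not happen.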
  • Security isn't my field but couldn't you give cookies a random ID combined with the password and sha1ed to protect user data?
  • You never put a user's password into their cookie. But there is a key which is a mixture of information encoded in a certain way (I forget how, now, but there was a guy who came on here with a theory about insecurity a while back and Mark updated the method then, which made it more secure). What I'm a little confused about is how you can post across 2 boards on the same domain if they have different verification keys (which presumably they do)?
  • What about creating a new gibberish and encrypted ID whenever you login?
  • I'll try something in the next few days. No promises though, I have two exams I have to study for & don't really have time to much with it. To duplicate it, you could (for example):
    1. Install vanilla in /one
    2. Create a 2nd user ID
    3. Log out as the 2nd user, log in as the 1st user.
    4. Install vanilla in /two
    5. Create a 2nd user ID, stay logged in as the 2nd user.
    6. Switch to /one & post.
    Even if you're logged in to /one with user ID1, it will post it as if it was user ID2. Subsequent posts will appear to be from user ID1 - apparently posting resets the user ID cookie.
  • Yeah I know that works (and can be easily fixed by changing the cookie names on one of the boards), I was talking more cross-domain spoofing stuff.
  • edited October 2006
    I think it is because your 2 installations have the same "$Configuration['SESSION_USER_IDENTIFIER']".