11
ajaxbr
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/27 18:19

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Hey chrisis, any feedback on this?
If you're afraid of trying these tricks, I can give you an admin session link so you can login in my site as these hackers wannabe do in yours and we can test it there... PM me and we can set it up

12
JasonMR
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/27 22:05

  • JasonMR

  • Just can't stay away

  • Posts: 655

  • Since: 2004/6/21


ajaxbr ... the idea of trying to replicate what happened is brilliant...if you guys pull this through, could you keep protocol, and make it available to dev's over in the forums ofhttp://dev.xoops.org ?

t

13
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/30 4:07

  • chrisis

  • Just popping in

  • Posts: 17

  • Since: 2004/7/2 2


Quote:

ajaxbr wrote:
Hey chrisis, any feedback on this?
If you're afraid of trying these tricks, I can give you an admin session link so you can login in my site as these hackers wannabe do in yours and we can test it there... PM me and we can set it up


Hiya -- thanks for your concern. Unfortunately "it never rains, but it pours" in my case. My ISP decided to "upgrade" their management tools and as a result deleted access to phpmyadmin access to my db. They are experiencing massive problems so I couldn't even phone them for help -- had to email them and wait for a reply!

Which I have now got. I've emptied the session table. Going to go home now and do a test to see if that has resolved the problem. Will let u guys know as soon as I have a result.

14
irmtfan
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/30 5:53

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


i dont know my problem is related to this topic or not. but my exact problem is some of my users login with the other ids.
i reinstall "remember me" hack but this dont solve the problem and now i see this topic and empties "xoops_session" table and waiting for feedback from my users.
i nearlly sure this is an ip problem cause they havent valid ips.
now im waiting for feedbacks
thanks for your tips
[edit]
i forgot to say im using xoops2.0.9 beta version now but i have this problem with xoops2.0.7.3 too
[/edit]

15
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/30 7:04

  • chrisis

  • Just popping in

  • Posts: 17

  • Since: 2004/7/2 2


OK, I emptied the xoops_sessions table, with no joy. If I login, a new session is created in the xoops_sessions table that is linked to my ip address.

A friend then clicks the link and bingo, he's in, but the sessions table doesn't update -- stays the same including my IP address the only one listed. He then logs out, and attempts to login with his own account, not using the hack -- my session is removed from the table and one is opened with his IP address.

This behaviour is beyond me.

I'm assuming that I may have to revert back to getting rid of the "remember me" hack, but I don't know if that is going to solve the problem (I seem to recall a similar problem before, but I might have sequences wrong in my recall).

What worries me is that this vulnerability seems to be oblivious of the actual php/html of the pages served -- it gains access by going directly to the database. Do you think if I replace all my php files I will clear out the "Remember Me" hack and thus close the hole? I am trying to get hold of the developer that set it up for me, as the only choice I have is to get rid of the hack and restore my site to not being vulnerable, or move to a different CMS. Which I don't want to do as I love xoops.

Anyway, some comments on removing the remember me hack would be much appreciated.

16
ajaxbr
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/12/1 11:23

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Well, let me see if I got this right: the old link, the one listed in an IRC channel, did stop working but now you can do it again with a new session value? If this isn't the case, we need to understand how/where the sessionid is being kept (could be a cookie?), but if you got a brand new sessionid... let's say we'll have to think a bit harder to try to solve that

I don't think that session hijacking needs the remember me hack, because when I monitor my xoops_sessions the same session is used for my IP when I log in again (same user, same IP). Now, since that table stores both session ID and IP, it seems logical that some kind of check using the IP should be happening and I'm not sure if it is (or whether the hack could have removed that).

Again, if any of you want to explore this kind of issue in my server, PM me and we can work it out.

17
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/12/3 4:00

  • chrisis

  • Just popping in

  • Posts: 17

  • Since: 2004/7/2 2


No, it's still the old link. The original link with a phpsessid in it STILL gets into the site as the last-logged-in person, despite emptying the sessions table.

It's weird as.

ANyway my site is about to die, it's been down over a week now. I'm going to try copy over the files on my site with a default clean set downloaded from here... if that doesn't work I will switch to a new CMS.

18
LazyBadger
Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Quote:

I'm going to try copy over the files on my site with a default clean set downloaded from here... if that doesn't work I will switch to a new CMS.

You problem is more problem of your PHP-settings, than XOOPS, and even with fresh install or another CMS you can get same headache.
Why not disable session.trans_sid totally?
Or play also with sessions management (session type and session timeout)? Currently your sessions haven't timeouts

19
javier
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2005/5/8 20:52

  • javier

  • Not too shy to talk

  • Posts: 184

  • Since: 2002/8/6 1


This problem is in XOOPS 2.0.10 too?

Because i having the same problem in 2.0.10, exist any way to fix this?

best regards

20
Mithrandir
Re: Session hijacking vulnerability in XOOPS 2.0.7.3

you can disable session.trans_sid in your PHP settings, but since it is a PHP thing, we can not do much about it in XOOPS itself.

Disabling the trans_sid will make it mandatory for users to enable cookies, which is a fair assumption for most sites, I'd say, but not one we can enforce completely in the XOOPS core as there may be situations where a webmaster will want to allow cookie-blocking users (I believe PDA's don't store cookies, but there may be other examples, too) and it would be rather annoying if XOOPS blocked this possibility altogether.

Login

Who's Online

216 user(s) are online (47 user(s) are browsing Support Forums)


Members: 0


Guests: 216


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits