Re: Session hijacking vulnerability in XOOPS 2.0.7.3 [Xoops Bug Reports]

11

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/11/27 18:19
ajaxbr
Quite a regular
Posts: 276
Since: 2003/10/25

Hey chrisis, any feedback on this?
If you're afraid of trying these tricks, I can give you an admin session link so you can login in my site as these hackers wannabe do in yours and we can test it there... PM me and we can set it up

12

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/11/27 22:05
JasonMR
Just can't stay away
Posts: 655
Since: 2004/6/21

ajaxbr ... the idea of trying to replicate what happened is brilliant...if you guys pull this through, could you keep protocol, and make it available to dev's over in the forums of http://dev.xoops.org ?

t

13

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/11/30 4:07
chrisis
Just popping in
Posts: 17
Since: 2004/7/2 2

Quote:

ajaxbr wrote:
Hey chrisis, any feedback on this?
If you're afraid of trying these tricks, I can give you an admin session link so you can login in my site as these hackers wannabe do in yours and we can test it there... PM me and we can set it up

Hiya -- thanks for your concern. Unfortunately "it never rains, but it pours" in my case. My ISP decided to "upgrade" their management tools and as a result deleted access to phpmyadmin access to my db. They are experiencing massive problems so I couldn't even phone them for help -- had to email them and wait for a reply!

Which I have now got. I've emptied the session table. Going to go home now and do a test to see if that has resolved the problem. Will let u guys know as soon as I have a result.

14

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/11/30 5:53
irmtfan
Module Developer
Posts: 3419
Since: 2003/12/7

i dont know my problem is related to this topic or not. but my exact problem is some of my users login with the other ids.
i reinstall "remember me" hack but this dont solve the problem and now i see this topic and empties "xoops_session" table and waiting for feedback from my users.
i nearlly sure this is an ip problem cause they havent valid ips.
now im waiting for feedbacks
thanks for your tips
[edit]
i forgot to say im using xoops2.0.9 beta version now but i have this problem with xoops2.0.7.3 too
[/edit]

15

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/11/30 7:04
chrisis
Just popping in
Posts: 17
Since: 2004/7/2 2

OK, I emptied the xoops_sessions table, with no joy. If I login, a new session is created in the xoops_sessions table that is linked to my ip address.

A friend then clicks the link and bingo, he's in, but the sessions table doesn't update -- stays the same including my IP address the only one listed. He then logs out, and attempts to login with his own account, not using the hack -- my session is removed from the table and one is opened with his IP address.

This behaviour is beyond me.

I'm assuming that I may have to revert back to getting rid of the "remember me" hack, but I don't know if that is going to solve the problem (I seem to recall a similar problem before, but I might have sequences wrong in my recall).

What worries me is that this vulnerability seems to be oblivious of the actual php/html of the pages served -- it gains access by going directly to the database. Do you think if I replace all my php files I will clear out the "Remember Me" hack and thus close the hole? I am trying to get hold of the developer that set it up for me, as the only choice I have is to get rid of the hack and restore my site to not being vulnerable, or move to a different CMS. Which I don't want to do as I love xoops.

Anyway, some comments on removing the remember me hack would be much appreciated.

16

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/12/1 11:23
ajaxbr
Quite a regular
Posts: 276
Since: 2003/10/25

Well, let me see if I got this right: the old link, the one listed in an IRC channel, did stop working but now you can do it again with a new session value? If this isn't the case, we need to understand how/where the sessionid is being kept (could be a cookie?), but if you got a brand new sessionid... let's say we'll have to think a bit harder to try to solve that

I don't think that session hijacking needs the remember me hack, because when I monitor my xoops_sessions the same session is used for my IP when I log in again (same user, same IP). Now, since that table stores both session ID and IP, it seems logical that some kind of check using the IP should be happening and I'm not sure if it is (or whether the hack could have removed that).

Again, if any of you want to explore this kind of issue in my server, PM me and we can work it out.

17

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/12/3 4:00
chrisis
Just popping in
Posts: 17
Since: 2004/7/2 2

No, it's still the old link. The original link with a phpsessid in it STILL gets into the site as the last-logged-in person, despite emptying the sessions table.

It's weird as.

ANyway my site is about to die, it's been down over a week now. I'm going to try copy over the files on my site with a default clean set downloaded from here... if that doesn't work I will switch to a new CMS.

18

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2004/12/3 5:29
LazyBadger
Home away from home
Posts: 1187
Since: 2004/6/7 9

Quote:

I'm going to try copy over the files on my site with a default clean set downloaded from here... if that doesn't work I will switch to a new CMS.

You problem is more problem of your PHP-settings, than XOOPS, and even with fresh install or another CMS you can get same headache.
Why not disable session.trans_sid totally?
Or play also with sessions management (session type and session timeout)? Currently your sessions haven't timeouts

19

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2005/5/8 20:52
javier
Not too shy to talk
Posts: 184
Since: 2002/8/6 1

This problem is in XOOPS 2.0.10 too?

Because i having the same problem in 2.0.10, exist any way to fix this?

best regards

20

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

2005/5/8 21:46
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

you can disable session.trans_sid in your PHP settings, but since it is a PHP thing, we can not do much about it in XOOPS itself.

Disabling the trans_sid will make it mandatory for users to enable cookies, which is a fair assumption for most sites, I'd say, but not one we can enforce completely in the XOOPS core as there may be situations where a webmaster will want to allow cookie-blocking users (I believe PDA's don't store cookies, but there may be other examples, too) and it would be rather annoying if XOOPS blocked this possibility altogether.

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Re: Session hijacking vulnerability in XOOPS 2.0.7.3

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}