1
wammes
Is xoops Firesheep vulnerable?
  • 2010/10/27 8:05

  • wammes

  • Not too shy to talk

  • Posts: 101

  • Since: 2002/1/3 1


Hello,

I saw a news post about firesheep on my twitter. http://codebutler.com/firesheep

Is xoops vulnerable to this?

Thanks!

2
ghia
Re: Is xoops Firesheep vulnerable?
  • 2010/10/27 10:34

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Yes, all websites that use http to login are vulnerable.
It happens when you are on a public network, e.g. WiFi.
In your own home/office network you have to trust your companions.
Direct ends are safe, e.g. analog or ADSL modems.
Cable modems and mobile networks, I'm not sure, but I think they are not safe.

Only the general measure of having the site accessed with SSL (https) when logged in is safe. The problem here is that many hosters don't provide SSL at all for their websites, or only at a higher cost.

Also, when you log in normally, the password is sent as clear text. An https login form is possible by changing the preferences, and you have to use the dialog from the extras directory.

These are not features of XOOPS; all CMSs and websites operate in that way and are equally vulnerable.


3
wammes
Re: Is xoops Firesheep vulnerable?
  • 2010/10/27 11:42

  • wammes

  • Not too shy to talk

  • Posts: 101

  • Since: 2002/1/3 1


Ghia,

Thanks for the comprehensive answer. I completely understand. You cannot do something with a token or so. It is just that the username and password are sent without encryption. Didn't know that http is that unsafe. I'll see if I can get SSL for my websites...

Greetings

4
neogabo
Re: Is xoops Firesheep vulnerable?
  • 2010/10/28 7:07

  • neogabo

  • Just popping in

  • Posts: 22

  • Since: 2009/11/9


In fact, firesheep is not stealing your user and password credentials, but your browser cookies.


Cookies + Same Public IP = HACKED


Let me explain a little bit:

If u are using a WiFi router then u must know that unencrypted WiFi networks are all vulnerable, but not the encrypted ones (not really).

Now the thing is that with WEP the user that has a decrypt key (those that are logged in to the router and can access the internet) can hear and decrypt any logged-in user's data. They have your cookies.

With WPA and WPA2 this was modified. But at the last DEF CON conference someone (I don't know who) showed a bug that allowed any logged-in user to decrypt other logged-in users' data. So they have your cookies too.

So... the thing is that firesheep can steal your cookies and then use those cookies to make the site think that it is the correct user. Remember that if the 2 users are using the same WiFi router u have the same public IP address.


SO: HACKED xD

Bank accounts, facebook accounts, twitter accounts...

ANYTHING!

EDIT:
ANYTHING! (Without the correct SSL protection)
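
Added example, not part of any post above and not XOOPS code: a small check a site owner can run over response headers to see which cookies would travel in clear text and so be readable by anyone listening on the same network. The URL, the sample headers and the cookie name PHPSESSID (PHP's default session cookie name; a given XOOPS site may use another) are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(url, headers):
    """Return {cookie: [reasons]} for cookies a passive listener could capture."""
    scheme = urlsplit(url).scheme.lower()
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(header_value)
        reasons = []
        if scheme != "https":
            # The cookie is already on the wire unencrypted in this response.
            reasons.append("set over plain http")
        if "secure" not in attrs:
            # Without Secure the browser also attaches it to later http requests.
            reasons.append("no Secure attribute")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample responses (hypothetical site, not captured traffic).
HTTP_LOGIN = [("Content-Type", "text/html"),
              ("Set-Cookie", "PHPSESSID=abc123; path=/")]
HTTPS_WEAK = [("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly")]
HTTPS_GOOD = [("Set-Cookie", "PHPSESSID=abc123; path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    samples = [("http://example.test/user.php", HTTP_LOGIN),
               ("https://example.test/user.php", HTTPS_WEAK),
               ("https://example.test/user.php", HTTPS_GOOD)]
    for url, hdrs in samples:
        print(url, audit(url, hdrs) or "ok")
```

The middle sample shows why an https login form alone is not enough: the session cookie is issued over SSL, but without the Secure attribute the browser still sends it on any later http request to the same site.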
