xoops forums

wammes

Not too shy to talk
Posted on: 2010/10/27 8:05
wammes
wammes (Show more)
Not too shy to talk
Posts: 101
Since: 2002/1/3 1
#1

Is xoops Firesheep vulnerable?

Hello,

I saw a news post about firesheep on my twitter. http://codebutler.com/firesheep

Is xoops vulnerable to this?

Thanks!

ghia

Community Support Member
Posted on: 2010/10/27 10:34
ghia
ghia (Show more)
Community Support Member
Posts: 4954
Since: 2008/7/3 1
#2

Re: Is xoops Firesheep vulnerable?

Yes, all websites that use http to login are vulnerable.
It happens when you are on a public network as eg WiFi.
In your own home/office network you have to trust your companions.
Direct ends are save as eg analog or ADSL modems.
Cable modems and mobile networks, I'm not sure, but think not safe.

Only the general measure of having the site accessed with SSL (https) when logged in is safe. Problem here is that many hosters don't provide at all SSL for their websites, or at an higher cost.

Also when you log in normally, the password is sent as clear text. There is an https login form possible by changing the preferences and you have to use the dialog from the extras directory.

These are not features of XOOPS, but all CMS and websites operates in that way and are equaly vulnerable.

wammes

Not too shy to talk
Posted on: 2010/10/27 11:42
wammes
wammes (Show more)
Not too shy to talk
Posts: 101
Since: 2002/1/3 1
#3

Re: Is xoops Firesheep vulnerable?

Ghia,

Thanks for comprehensive answer. I completely understand. You cannot do something with a token or so. It is just that the username and password is sent without encryption. Didn't know that http is that unsafe. See if I can get ssl for my websites...

Greetings

neogabo

Just popping in
Posted on: 2010/10/28 7:07
neogabo
neogabo (Show more)
Just popping in
Posts: 22
Since: 2009/11/9
#4

Re: Is xoops Firesheep vulnerable?

In fact, firesheep is not stealing your user and password credentials , but your browser cookies.


Cookies + Same Public IP = HACKED


let me explain a litle bit:

If u are using a Wifi router then u must know that not encripted wifi networks are all vulnerable, but not the encripted ones(not really).

Now the thing is that with WEP the user that has a decrypt key(those that are loged in the router, can access internet) can hear and decrypt any loged user data. They have your cookies.

With Wap and Wap2 this was modified. But in the last defcom conference someone(i dont know who) showed a bug that allowed any loged user to decrypt other loged users data. So they have your cookies too.

So... the things is that firesheep can steal your cookies and then use those cookies to make the site think that is the correct user. Remember that if the 2 users are using the same wifi router u have the same public ip address.


SO: HACKED xD

Bank accounts, facebook accounts, twitter accounts .. . . .. . . .. .

ANYTHING!

EDIT:
ANYTHING! (Without the correct SSL protection)