PEAK XOOPS - possible security issue with autologin hacks & X Cores in englishin japanese

possible security issue with autologin hacks & X Cores

  • You cannot open a new topic into this forum
  • Guests cannot post into this forum
Previous post - Next post | Parent - Children.1 .2 | Posted on 2009/4/30 2:33
vaughan  Lance Corporal   Posts: 37
Hi Gijoe,

I'm not 100% sure this is a high risk, but from the looks of it, it could be a possibile security issue not just with your autologin hacks, but with the actual cores of all xoops versions.

I have already made these changes in impresscms 1.1.2 but thought i'd run this by you for better clarification.

the issue at hand is in the setcookie() function when you are using SSL/HTTPS.

if we take a look at your hack (relevant part)

$expire = time() + ( defined('XOOPS_AUTOLOGIN_LIFETIME') ? XOOPS_AUTOLOGIN_LIFETIME : 604800 ) ; // 1 week default
setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0);
// V3.1
$Ynj = date( 'Y-n-j' ) ;
setcookie('autologin_pass', $Ynj . ':' . md5( $user->getVar('pass') . XOOPS_DB_PASS . XOOPS_DB_PREFIX . $Ynj ) , $expire, $xoops_cookie_path, '', 0);

that's all well & good when using normal HTTP protocols.

but if you wish to use SSL/HTTPS, then there's the issue.

the issue is that in the setcookie() function, the parameter for $secure is set to '0'

in SSL this should be set to true or 1. because if $secure is not enabled when using SSL, it is possible to trick the browser into sending the secure cookie data over an insecure HTTP. setting this to 1 prevents the cookie from being sent over non-https.

this isn't just your hack though, this issue exists in all xoops cores that i know of. though i haven't checked Xcube, i did browse through legacy and noticed the secure parameter isn't set when using ssl there either.
Votes:11 Average:4.55
Previous post - Next post | Parent - No child | Posted on 2009/5/2 6:06
GIJOE  Gunnery Sergeant   Posts: 4110
hi vaughan.

Quote:

in SSL this should be set to true or 1. because if $secure is not enabled when using SSL, it is possible to trick the browser into sending the secure cookie data over an insecure HTTP. setting this to 1 prevents the cookie from being sent over non-https.

this isn't just your hack though, this issue exists in all xoops cores that i know of. though i haven't checked Xcube, i did browse through legacy and noticed the secure parameter isn't set when using ssl there either.

I can understand what you mean.
Though I think "secure parameter" of cookie is not an important risk than "autologin" itself , it can be modified a little bit secure like


$secure_bit = substr( XOOPS_URL , 0 , 5 ) == 'https' ? 1 : 0 ;


$expire = time() + ( defined('XOOPS_AUTOLOGIN_LIFETIME') ? XOOPS_AUTOLOGIN_LIFETIME : 604800 ) ; // 1 week default
setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0$secure_bit );
// V3.1
$Ynj = date( 'Y-n-j' ) ;
setcookie('autologin_pass', $Ynj . ':' . md5( $user->getVar('pass') . XOOPS_DB_PASS . XOOPS_DB_PREFIX . $Ynj ) , $expire, $xoops_cookie_path, '', 0$secure_bit);
Votes:7 Average:10.00
Previous post - Next post | Parent - No child | Posted on 2011/8/5 16:15
kenvinlee89  Private   Posts: 1
Thanks you for the post.
Hi guys, Im a newbie. Nice to join this forum.


__________________
Watch Kung Fu Panda 2 Online Free
Votes:2 Average:5.00

  Advanced search


Login
Username or e-mail:

Password:

Remember Me

Lost Password?

Register now!