FUDforum: FUDforum Suggestions » forum security question

Home » FUDforum » FUDforum Suggestions » forum security question

Show: Today's Messages :: Polls :: Message Navigator

forum security question [message #38975]

Wed, 12 September 2007 03:00

venus

Messages: 30
Registered: August 2002
Location: Urals, Russia

Karma: 0

Member

just found that a number of my forum users use stolen cookies to login as admins. i've checked and found that:
- session cookie does not contain any info about ip-address ("ip validation" value does not work), so any stolen cookie can be used everywhere across network;
- session cookie does not contain any info about user password, so when admin user will change password, his stolen cookie still valid;
- cookie expiration time can be edited by user and will not be checked by forum software, so stolen cookies will be active as long as violator want.

are there any plans to change this things? i don't want to migrate my forums from fud script, but will be forced to do this due to security reasons.

Report message to a moderator

Re: forum security question [message #38991 is a reply to message #38975]

Wed, 12 September 2007 18:32

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

The forum only allows one active cookie per user, so if the admin is using the forum the old cookies/sessions will automatically be made invalid. The IP validation is unreliable because some ISPs like AOL change their user's IP all of the time.

Storing the password inside the cookie is very dangerous, since the hacker can simply steal it from there.

FUDforum Core Developer

Report message to a moderator

Re: forum security question [message #38997 is a reply to message #38991]

Thu, 13 September 2007 10:24

venus

Messages: 30
Registered: August 2002
Location: Urals, Russia

Karma: 0

Member

Ilia ��(�) ��, 13 �� 2007 00:32

The IP validation is unreliable because some ISPs like AOL change their user's IP all of the time.

we have "enable ip validation" checkbox in config. administrators who has AOL users can disable it. but checkbox value not used by forum now.

Ilia ��(�) ��, 13 �� 2007 00:32

Storing the password inside the cookie is very dangerous, since the hacker can simply steal it from there.

not password but just one-way encrypted hash like md5 for password change verification. it is safe.

right now anyone who has my cookie can login as admin any time and i can't do anything to prohibit this.

Report message to a moderator

Re: forum security question [message #38998 is a reply to message #38997]

Thu, 13 September 2007 15:25

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

You can enable IP validation already using the SESSION_IP_CHECK option.

FUDforum Core Developer

Report message to a moderator

Re: forum security question [message #39001 is a reply to message #38998]

Fri, 14 September 2007 15:40

venus

Messages: 30
Registered: August 2002
Location: Urals, Russia

Karma: 0

Member

Ilia ��(�) ��, 13 �� 2007 21:25

You can enable IP validation already using the SESSION_IP_CHECK option.

i have this option enabled. but
- logged as admin on PC1
- got a cookie with wireshark
- set cookie on PC2 (not logged before). and now PC2 logged with admin permissions.

3 days old cvs version installed.

Report message to a moderator

Re: forum security question [message #39030 is a reply to message #39001]

Sun, 16 September 2007 15:19

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

Do you have MULTI_HOST_LOGIN enabled by any chance?

FUDforum Core Developer

Report message to a moderator

Previous Topic:	Typo3 Integration
Next Topic:	How long will you release new version ?

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu May 02 20:45:55 GMT 2024

Total time taken to generate the page: 0.02748 seconds