FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum » FUDforum Suggestions » forum security question
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
forum security question [message #38975] Wed, 12 September 2007 03:00 Go to next message
venus is currently offline  venus   Russian Federation
Messages: 30
Registered: August 2002
Location: Urals, Russia
Karma: 0
Member

just found that a number of my forum users use stolen cookies to login as admins. i've checked and found that:
- session cookie does not contain any info about ip-address ("ip validation" value does not work), so any stolen cookie can be used everywhere across network;
- session cookie does not contain any info about user password, so when admin user will change password, his stolen cookie still valid;
- cookie expiration time can be edited by user and will not be checked by forum software, so stolen cookies will be active as long as violator want.

are there any plans to change this things? i don't want to migrate my forums from fud script, but will be forced to do this due to security reasons.
Re: forum security question [message #38991 is a reply to message #38975] Wed, 12 September 2007 18:32 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
The forum only allows one active cookie per user, so if the admin is using the forum the old cookies/sessions will automatically be made invalid. The IP validation is unreliable because some ISPs like AOL change their user's IP all of the time.

Storing the password inside the cookie is very dangerous, since the hacker can simply steal it from there.


FUDforum Core Developer
Re: forum security question [message #38997 is a reply to message #38991] Thu, 13 September 2007 10:24 Go to previous messageGo to next message
venus is currently offline  venus   Russian Federation
Messages: 30
Registered: August 2002
Location: Urals, Russia
Karma: 0
Member

Ilia писал(а) Чтв, 13 Сентября 2007 00:32

The IP validation is unreliable because some ISPs like AOL change their user's IP all of the time.

we have "enable ip validation" checkbox in config. administrators who has AOL users can disable it. but checkbox value not used by forum now.


Ilia писал(а) Чтв, 13 Сентября 2007 00:32

Storing the password inside the cookie is very dangerous, since the hacker can simply steal it from there.

not password but just one-way encrypted hash like md5 for password change verification. it is safe.

right now anyone who has my cookie can login as admin any time and i can't do anything to prohibit this.
Re: forum security question [message #38998 is a reply to message #38997] Thu, 13 September 2007 15:25 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
You can enable IP validation already using the SESSION_IP_CHECK option.

FUDforum Core Developer
Re: forum security question [message #39001 is a reply to message #38998] Fri, 14 September 2007 15:40 Go to previous messageGo to next message
venus is currently offline  venus   Russian Federation
Messages: 30
Registered: August 2002
Location: Urals, Russia
Karma: 0
Member

Ilia писал(а) Чтв, 13 Сентября 2007 21:25

You can enable IP validation already using the SESSION_IP_CHECK option.

i have this option enabled. but
- logged as admin on PC1
- got a cookie with wireshark
- set cookie on PC2 (not logged before). and now PC2 logged with admin permissions.

3 days old cvs version installed.
Re: forum security question [message #39030 is a reply to message #39001] Sun, 16 September 2007 15:19 Go to previous message
Ilia is currently offline  Ilia   
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Do you have MULTI_HOST_LOGIN enabled by any chance?

FUDforum Core Developer
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Typo3 Integration
Next Topic: How long will you release new version ?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 20:43:05 GMT 2024

Total time taken to generate the page: 0.02559 seconds