Re: Invision Power Board v2.1.4 - session hijacking

[Hans Wolters <hans.wolters () xs4all nl>]

Matt,

On 16-mrt-2006, at 15:55, matt () invisionpower com wrote:

> This report is ridiculous and quite frankly shows that the author  
> does not understand how IPB works.
>
> Yes, the author is correct in finding that if you: copy the user's  
> IP address, copy the user's user-agent and copy the user's session  
> ID then they can "hijack" your session.
>
> That's because, to all intents and purposes you are the same person.
>
> A stateless HTTP application HAS to authenticate against SOMETHING.
>
> This report is bogus. Feel free to relabel it "Stateless HTTP  
> authentication potential vulnerability" and remove it from Invision  
> Power Board's category.

You finally answered, that is something. We can continue this  
discussion here so you can't close
the topic like you did on the Invision Board site.

I will state again what the problem is:

1. Users behind a proxy that do not initiate the X-FORWARDED-FOR  
header will all have the same
    ipnumber.

2. A user using an OS that can close the Desktop session without  
killing the applications like the browser
    will possible still be logged in into the targeted Invision  
Board site.

Both situations will make it easier to hijack the session once it is  
installed on a server with tranparent sessions.

You stated that the user agent can be used for additional checks. Let  
me state that it is very easy to fake that. Once you can get the  
specific user to visit a site where the session id is disclosed you  
have both the session id and the user agent. At that moment you will  
be able to login as that user _if_ you have the same ipnumber (behind  
a proxy for instance).

Faking the user agent itself can be done with lots of tools or even  
at the command line.

As for hiding the session id, in certain situations it will keep  
showing up not matter what you do. Popups, javascript, etc.. You must  
be absolutely sure this will not take place.

One last thing, you might be right when you state that I do not know  
how the board works, however, I do not need to know since the session  
hijacking itself reveals how it works, you are not checking enough in  
certain situations. Since this is not open source I can't check it  
(not willing to buy a version if I will not use it).

Matt, as stated in the original posting I tried to contact you twice  
before I disclosed the information. You are making yourself  
ridiculous (to use the words you like to use) in front of all your  
customers. Be a good sport, think about how
you want to fix this and patch the board.

Kind regards,

Hans