WebApp Sec mailing list archives
Re: Maia Mailgaurd http://www.renaissoft.com/maia/
From: Chuck <chuck.lists () gmail com>
Date: Mon, 18 Jul 2005 09:20:41 -0400
Responses below.... On 7/16/05, Christopher Canova <ccanova () reachone com> wrote:
I'm doing my best to assist a group with an open source project that uses amavisd-new and spamassassin called Maia Mailgaurd (http://www.renaissoft.com/maia/). It's a spam and virus management system written in Perl and PHP.
Before I get to your specific questions, I'd like to point out the biggest security issue you are going to face in this system. You are taking completely untrusted input (emails, including those with viruses, etc) and displaying it to the user in a web browser. You will need to be very very careful that you don't allow an attacker to send a specially crafted email that will inject PHP, Perl, etc code into your server or inject Javascript, Java, ActiveX, etc into your user's browser (the later is known as cross-site scripting). This is not impossible, but can be difficult. Look at all the web applications that have XSS flaws reported every day on mailing lists. Remember that the attacker may be one of your users who will know a lot about how the system is set up and that the application is open source so the attacker can easily trace the application looking for flaws, so you need to make sure that the code that processes the emails is airtight.
We are currently in a discussion about using the PHP Session ID in the URL and whether to strictly enforce cookies to avoid session hijacking. The fear is that we could possibly be passing along the referral information to a spammer willing to exploit such a vuln. Some of the discussion is related closely to this mailing list, so I wanted to see what everyone thought about it.
What are the risks to enforcing session handling using cookies? Will it break functionality for many people? Are the risks of including the SID in the URL worse than cookies?
In short, you are better off putting the session id in a cookie than putting it in the URL. You are right that referrer headers are one way that a URL session id can leak. It may also be logged in proxies or firewalls. There is also the problem that users do not expect sensitive information in the URL. They may send the URL to someone in an IM or email or even post it on a mailing list or blog, not realizing that it will give whoever follows the URL access to their account (at least until the session ID expires). Finally, I don't like the idea of displaying the session ID on the screen. It makes the user vulnerable to shoulder surfing and again, they may send someone or post a screenshot of the application not realizing that the session ID is there in the URL. As for breaking functionality for some people, I am not sure how many people that will affect. I dislike cookies as much as anyone (far too many sites use them that don't need to), but when you have a web site that you log in to, they are the best solution. There are some people that surf the web from a "regular computer" with cookies disabled, but they are usually advanced users that can handle adding the site to their exceptions list. The more common problem with requiring cookies is that some smartphones and other lightweight browsers may not support them (or support them properly), so if you anticipate users using these devices this is an issue you should look into further. You can may want to consider falling back to using the session ID in the URL if cookies are not enabled on the browser. I'd recommend you read up on secure coding practices with Perl and PHP. There are a lot of resources out there and a lot of issues to consider, including making sure that an attacker / user cannot guess another user's session ID. Good luck. Chuck
Current thread:
- Maia Mailgaurd http://www.renaissoft.com/maia/ Christopher Canova (Jul 16)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- RE: Maia Mailgaurd http://www.renaissoft.com/maia/ Guillaume Vissian (Jul 18)
- PHP Session ID's focus (Jul 19)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 20)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 21)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Achim Hoffmann (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Chuck (Jul 18)
- Re: Maia Mailgaurd http://www.renaissoft.com/maia/ Andy bentley (Jul 18)