Jump to content

IPB 3 Security Vulnerability Question


ᴡᴅツ

Recommended Posts

Posted

I have a question concerning the admin panel. When you login you are given some sort of hash such as:

.../admin/index.php?adsess=28935k23jlkjljsdfl2323r&app=core&module=diagnostics

Is this some sort of md5 encryption? If I give this link to somebody else with a different IP, will they be able to get into the admin panel? I tried copy-pasting the same link into different browsers and was logged in automatically.

I assume this special number changes after sessions correct? During this interval, if I give you that link, will you be able to gain access to the admin panel without directly logging in?

Posted

[quote name='aliajouz' date='07 August 2009 - 10:02 PM' timestamp='1249696941' post='1840331']
I do not think that there is a probelm ,
I think that is only session ID and login will use cookies .

give me your site link to try login to your admin panel :D

Um, how about no.

I would consider it a vulnerability because if you accidentally give the link to your admin session and it's still current, then someone could use it to make an account or change your password via the members tab.

Posted

It validates your IP. Try going to your ACP through a proxy. It'll tell you:



There's no security hole there.

Your current IP address does not match the one in our records

Posted

[quote name='Gärrett' date='07 August 2009 - 10:21 PM' timestamp='1249698078' post='1840341']
It validates your IP. Try going to your ACP through a proxy. It'll tell you:



There's no security hole there.

I'd prefer it still match the session with some cookies, so that you can have different sessions across different browsers, but you can't use the same session in different browsers. Because then in an intranet setting where the IP's are the same, going to an external site, that's a big gaping hole right there.

Posted

[quote name='.Wolfie' date='07 August 2009 - 07:33 PM' timestamp='1249698804' post='1840346']
I'd prefer it still match the session with some cookies, so that you can have different sessions across different browsers, but you can't use the same session in different browsers. Because then in an intranet setting where the IP's are the same, going to an external site, that's a big gaping hole right there.

I'd swear it worked this way in 2.3. Not sure why (or even if) it's been changed in 3.0.

As far as I can tell, it does - I see an ipb3AcpSessionId cookie stored, and when I delete it, the ACP kicks me out.

Posted

[quote name='Gärrett' date='08 August 2009 - 03:41 PM' timestamp='1249699275' post='1840349']
I'd swear it worked this way in 2.3. Not sure why (or even if) it's been changed in 3.0.

As far as I can tell, it does - I see an ipb3AcpSessionId cookie stored, and when I delete it, the ACP kicks me out.


Actually, this morning, I was using the ACP and having some trouble with removing ban filters in IE8 (specifically, it doesn't work). I opened Chrome, pasted in the URL I had open in IE8, and happily removed the ban filters - without logging in again.

So no, the cookie isn't used for anything (unless Chrome actually uses IE cookies)

Posted

[quote name='Mat (Fusion Digital)' date='07 August 2009 - 10:47 PM' timestamp='1249699677' post='1840354']
Actually, this morning, I was using the ACP and having some trouble with removing ban filters in IE8 (specifically, it doesn't work). I opened Chrome, pasted in the URL I had open in IE8, and happily removed the ban filters - without logging in again.

So no, the cookie isn't used for anything (unless Chrome actually uses IE cookies)

I tested it myself (IPB3 that is), from FF 3.0.13 to IE8. I don't like it, it's a security risk. I mean honestly, for me, it's not a big issue as it's unlikely to ever affect me. But for a business environment, where security is an extreme issue, this could be seen as a major red flag that needs to be plugged ASAP.

Posted

[quote name='Archon Neo' date='07 August 2009 - 10:35 PM' timestamp='1249709739' post='1840390']
I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder.

IPS did it :whistle:
http://forums.invisionpower.com/admin

IPS did it everywhere. And I don't blame them. I did too.

Posted

[quote name='Archon Neo' date='08 August 2009 - 07:35 AM' timestamp='1249709739' post='1840390']
I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder.

IPS did it :whistle:
http://forums.invisionpower.com/admin


If you rename the admin folder, every time you upgrade you must return to rename as admin if you don't do this it will not work...

That's what happened to me...

  • Management
Posted

We specifically do NOT use cookies in the AdminCP so nothing about your session is stored on your computer.

Unless you actually edit init.php and disable IP checking in the AdminCP sending the URL to an ACP sessions is safe. Also, keep in mind, ACP sessions auto expire after a certain amount of inactivity.

Posted

[quote name='Lindseŷ' date='08 August 2009 - 10:49 AM' timestamp='1249742961' post='1840517']
Not really worth it. OS, anyone can have the exact same OS as the admin of that side

Site admin => Windows vista
Hacker => Windows vista

Matching browser and OS would help as far as intranets are concerned. Person on computer A is a dummy using IE, gives link to person B who is a smart person using FF, or person A is using XP and person B is using Linux. The overall idea would be to somehow match as much as possible (but without going nuts) the person using the ACP so that if the link is somehow shared in an environment where the IP matches, it would still ensure security.

Posted

Why would anyone be giving their admin URL to anyone anyways? Only people who need to know it is Admins, and they can log in authentically anyways. Giving someone who can't access it your URL is like asking to be violated in some way.

Posted

[quote name='.Wolfie' date='08 August 2009 - 04:06 PM' timestamp='1249743981' post='1840524']
Matching browser and OS would help as far as intranets are concerned. Person on computer A is a dummy using IE, gives link to person B who is a smart person using FF, or person A is using XP and person B is using Linux. The overall idea would be to somehow match as much as possible (but without going nuts) the person using the ACP so that if the link is somehow shared in an environment where the IP matches, it would still ensure security.

You shouldn't be accessing your acp in a "shared environment". Not just that but someone will not just be able to obtain your session id it would take a fair amount of incompetence on the admin's end for that to happen.

Posted

Sessions are used on pretty much any PHP-powered website and there is no fundamental security vulnerability in their use. That in the URL is just the session ID, and is IP matched. While things like browser signature checks could be added; they do not really add any security benefit.

Obviously, you would never give out a URL to a page in your ACP ;)

Posted

[quote name='.Wolfie' date='08 August 2009 - 03:24 PM' timestamp='1249741494' post='1840513']
Could it at least be set up to match the browser and O.S.?


I wouldn't say thats possible, as far as I can remember, every OS that gets installed on to a pc or mac, has different serials, the OS matches your motherboard (not that sure though)

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...