ᴡᴅツ Posted August 8, 2009 Share Posted August 8, 2009 I have a question concerning the admin panel. When you login you are given some sort of hash such as: .../admin/index.php?adsess=28935k23jlkjljsdfl2323r&app=core&module=diagnostics Is this some sort of md5 encryption? If I give this link to somebody else with a different IP, will they be able to get into the admin panel? I tried copy-pasting the same link into different browsers and was logged in automatically. I assume this special number changes after sessions correct? During this interval, if I give you that link, will you be able to gain access to the admin panel without directly logging in? Link to comment Share on other sites More sharing options...
Wolfie Posted August 8, 2009 Share Posted August 8, 2009 I'd report this in the bug tracker, I don't think you should be able to share the session without cookies corresponding to it. Link to comment Share on other sites More sharing options...
Ajouz ♞ Posted August 8, 2009 Share Posted August 8, 2009 I do not think that there is a probelm , I think that is only session ID and login will use cookies . give me your site link to try login to your admin panel :D Link to comment Share on other sites More sharing options...
envonge Posted August 8, 2009 Share Posted August 8, 2009 I believe it tries matching by ip address. Link to comment Share on other sites More sharing options...
Wolfie Posted August 8, 2009 Share Posted August 8, 2009 [quote name='aliajouz' date='07 August 2009 - 10:02 PM' timestamp='1249696941' post='1840331'] I do not think that there is a probelm , I think that is only session ID and login will use cookies . give me your site link to try login to your admin panel :D Um, how about no. I would consider it a vulnerability because if you accidentally give the link to your admin session and it's still current, then someone could use it to make an account or change your password via the members tab. Link to comment Share on other sites More sharing options...
atsaunier Posted August 8, 2009 Share Posted August 8, 2009 hmm i never noticed that, yea id submit this as it could be a security risk Link to comment Share on other sites More sharing options...
Guest Posted August 8, 2009 Share Posted August 8, 2009 It validates your IP. Try going to your ACP through a proxy. It'll tell you: There's no security hole there.Your current IP address does not match the one in our records Link to comment Share on other sites More sharing options...
Wolfie Posted August 8, 2009 Share Posted August 8, 2009 [quote name='Gärrett' date='07 August 2009 - 10:21 PM' timestamp='1249698078' post='1840341'] It validates your IP. Try going to your ACP through a proxy. It'll tell you: There's no security hole there. I'd prefer it still match the session with some cookies, so that you can have different sessions across different browsers, but you can't use the same session in different browsers. Because then in an intranet setting where the IP's are the same, going to an external site, that's a big gaping hole right there. Link to comment Share on other sites More sharing options...
Guest Posted August 8, 2009 Share Posted August 8, 2009 [quote name='.Wolfie' date='07 August 2009 - 07:33 PM' timestamp='1249698804' post='1840346'] I'd prefer it still match the session with some cookies, so that you can have different sessions across different browsers, but you can't use the same session in different browsers. Because then in an intranet setting where the IP's are the same, going to an external site, that's a big gaping hole right there. I'd swear it worked this way in 2.3. Not sure why (or even if) it's been changed in 3.0. As far as I can tell, it does - I see an ipb3AcpSessionId cookie stored, and when I delete it, the ACP kicks me out. Link to comment Share on other sites More sharing options...
Mat Barrie Posted August 8, 2009 Share Posted August 8, 2009 [quote name='Gärrett' date='08 August 2009 - 03:41 PM' timestamp='1249699275' post='1840349'] I'd swear it worked this way in 2.3. Not sure why (or even if) it's been changed in 3.0. As far as I can tell, it does - I see an ipb3AcpSessionId cookie stored, and when I delete it, the ACP kicks me out. Actually, this morning, I was using the ACP and having some trouble with removing ban filters in IE8 (specifically, it doesn't work). I opened Chrome, pasted in the URL I had open in IE8, and happily removed the ban filters - without logging in again. So no, the cookie isn't used for anything (unless Chrome actually uses IE cookies) Link to comment Share on other sites More sharing options...
Wolfie Posted August 8, 2009 Share Posted August 8, 2009 [quote name='Mat (Fusion Digital)' date='07 August 2009 - 10:47 PM' timestamp='1249699677' post='1840354'] Actually, this morning, I was using the ACP and having some trouble with removing ban filters in IE8 (specifically, it doesn't work). I opened Chrome, pasted in the URL I had open in IE8, and happily removed the ban filters - without logging in again. So no, the cookie isn't used for anything (unless Chrome actually uses IE cookies) I tested it myself (IPB3 that is), from FF 3.0.13 to IE8. I don't like it, it's a security risk. I mean honestly, for me, it's not a big issue as it's unlikely to ever affect me. But for a business environment, where security is an extreme issue, this could be seen as a major red flag that needs to be plugged ASAP. Link to comment Share on other sites More sharing options...
Wolfie Posted August 8, 2009 Share Posted August 8, 2009 Of course for me, I dare someone to try to hack into http://n-raged.com/forums/admin/ since I doubt they'll gain anything from it. Link to comment Share on other sites More sharing options...
wepfijweoifj Posted August 8, 2009 Share Posted August 8, 2009 It's been this way since 1.3 or even earlier... Link to comment Share on other sites More sharing options...
ᴡᴅツ Posted August 8, 2009 Author Share Posted August 8, 2009 I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder. IPS did it :whistle:http://forums.invisionpower.com/admin Link to comment Share on other sites More sharing options...
Guest Posted August 8, 2009 Share Posted August 8, 2009 [quote name='Archon Neo' date='07 August 2009 - 10:35 PM' timestamp='1249709739' post='1840390'] I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder. IPS did it :whistle:http://forums.invisionpower.com/admin IPS did it everywhere. And I don't blame them. I did too. Link to comment Share on other sites More sharing options...
pisaldi Posted August 8, 2009 Share Posted August 8, 2009 [quote name='Archon Neo' date='08 August 2009 - 07:35 AM' timestamp='1249709739' post='1840390'] I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder. IPS did it :whistle:http://forums.invisionpower.com/admin If you rename the admin folder, every time you upgrade you must return to rename as admin if you don't do this it will not work... That's what happened to me... Link to comment Share on other sites More sharing options...
Management Charles Posted August 8, 2009 Management Share Posted August 8, 2009 We specifically do NOT use cookies in the AdminCP so nothing about your session is stored on your computer. Unless you actually edit init.php and disable IP checking in the AdminCP sending the URL to an ACP sessions is safe. Also, keep in mind, ACP sessions auto expire after a certain amount of inactivity. Link to comment Share on other sites More sharing options...
Wolfie Posted August 8, 2009 Share Posted August 8, 2009 Could it at least be set up to match the browser and O.S.? Link to comment Share on other sites More sharing options...
Lindsey_ Posted August 8, 2009 Share Posted August 8, 2009 Not really worth it. OS, anyone can have the exact same OS as the admin of that side Site admin => Windows vista Hacker => Windows vista Link to comment Share on other sites More sharing options...
Wolfie Posted August 8, 2009 Share Posted August 8, 2009 [quote name='Lindseŷ' date='08 August 2009 - 10:49 AM' timestamp='1249742961' post='1840517'] Not really worth it. OS, anyone can have the exact same OS as the admin of that side Site admin => Windows vista Hacker => Windows vista Matching browser and OS would help as far as intranets are concerned. Person on computer A is a dummy using IE, gives link to person B who is a smart person using FF, or person A is using XP and person B is using Linux. The overall idea would be to somehow match as much as possible (but without going nuts) the person using the ACP so that if the link is somehow shared in an environment where the IP matches, it would still ensure security. Link to comment Share on other sites More sharing options...
IP.iBaLLiN Posted August 8, 2009 Share Posted August 8, 2009 Wolfie, there is a feature to match browser and OS in the admin CP, I believe, right below the "Match IP" setting. Link to comment Share on other sites More sharing options...
Malefickus Posted August 8, 2009 Share Posted August 8, 2009 Why would anyone be giving their admin URL to anyone anyways? Only people who need to know it is Admins, and they can log in authentically anyways. Giving someone who can't access it your URL is like asking to be violated in some way. Link to comment Share on other sites More sharing options...
envonge Posted August 8, 2009 Share Posted August 8, 2009 [quote name='.Wolfie' date='08 August 2009 - 04:06 PM' timestamp='1249743981' post='1840524'] Matching browser and OS would help as far as intranets are concerned. Person on computer A is a dummy using IE, gives link to person B who is a smart person using FF, or person A is using XP and person B is using Linux. The overall idea would be to somehow match as much as possible (but without going nuts) the person using the ACP so that if the link is somehow shared in an environment where the IP matches, it would still ensure security. You shouldn't be accessing your acp in a "shared environment". Not just that but someone will not just be able to obtain your session id it would take a fair amount of incompetence on the admin's end for that to happen. Link to comment Share on other sites More sharing options...
Mark Posted August 8, 2009 Share Posted August 8, 2009 Sessions are used on pretty much any PHP-powered website and there is no fundamental security vulnerability in their use. That in the URL is just the session ID, and is IP matched. While things like browser signature checks could be added; they do not really add any security benefit. Obviously, you would never give out a URL to a page in your ACP ;) Link to comment Share on other sites More sharing options...
Andy Rixon Posted August 8, 2009 Share Posted August 8, 2009 [quote name='.Wolfie' date='08 August 2009 - 03:24 PM' timestamp='1249741494' post='1840513'] Could it at least be set up to match the browser and O.S.? I wouldn't say thats possible, as far as I can remember, every OS that gets installed on to a pc or mac, has different serials, the OS matches your motherboard (not that sure though) Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.