IPB 3 Security Vulnerability Question

[ᴡᴅツ]

I have a question concerning the admin panel. When you login you are given some sort of hash such as:

.../admin/index.php?adsess=28935k23jlkjljsdfl2323r&app=core&module=diagnostics

Is this some sort of md5 encryption? If I give this link to somebody else with a different IP, will they be able to get into the admin panel? I tried copy-pasting the same link into different browsers and was logged in automatically.

I assume this special number changes after sessions correct? During this interval, if I give you that link, will you be able to gain access to the admin panel without directly logging in?

[Wolfie]

I'd report this in the bug tracker, I don't think you should be able to share the session without cookies corresponding to it.

[Ajouz ♞]

I do not think that there is a probelm ,
I think that is only session ID and login will use cookies .

give me your site link to try login to your admin panel :D

[envonge]

I believe it tries matching by ip address.

[Wolfie]

[quote name='aliajouz' date='07 August 2009 - 10:02 PM' timestamp='1249696941' post='1840331']
I do not think that there is a probelm ,
I think that is only session ID and login will use cookies .

give me your site link to try login to your admin panel :D

Um, how about no.

I would consider it a vulnerability because if you accidentally give the link to your admin session and it's still current, then someone could use it to make an account or change your password via the members tab.

[atsaunier]

hmm i never noticed that, yea id submit this as it could be a security risk

[Guest]

It validates your IP. Try going to your ACP through a proxy. It'll tell you:



There's no security hole there.

Your current IP address does not match the one in our records

[Wolfie]

[quote name='Gärrett' date='07 August 2009 - 10:21 PM' timestamp='1249698078' post='1840341']
It validates your IP. Try going to your ACP through a proxy. It'll tell you:



There's no security hole there.

I'd prefer it still match the session with some cookies, so that you can have different sessions across different browsers, but you can't use the same session in different browsers. Because then in an intranet setting where the IP's are the same, going to an external site, that's a big gaping hole right there.

[Guest]

[quote name='.Wolfie' date='07 August 2009 - 07:33 PM' timestamp='1249698804' post='1840346']
I'd prefer it still match the session with some cookies, so that you can have different sessions across different browsers, but you can't use the same session in different browsers. Because then in an intranet setting where the IP's are the same, going to an external site, that's a big gaping hole right there.

I'd swear it worked this way in 2.3. Not sure why (or even if) it's been changed in 3.0.

As far as I can tell, it does - I see an ipb3AcpSessionId cookie stored, and when I delete it, the ACP kicks me out.

[Mat Barrie]

[quote name='Gärrett' date='08 August 2009 - 03:41 PM' timestamp='1249699275' post='1840349']
I'd swear it worked this way in 2.3. Not sure why (or even if) it's been changed in 3.0.

As far as I can tell, it does - I see an ipb3AcpSessionId cookie stored, and when I delete it, the ACP kicks me out.


Actually, this morning, I was using the ACP and having some trouble with removing ban filters in IE8 (specifically, it doesn't work). I opened Chrome, pasted in the URL I had open in IE8, and happily removed the ban filters - without logging in again.

So no, the cookie isn't used for anything (unless Chrome actually uses IE cookies)

[Wolfie]

[quote name='Mat (Fusion Digital)' date='07 August 2009 - 10:47 PM' timestamp='1249699677' post='1840354']
Actually, this morning, I was using the ACP and having some trouble with removing ban filters in IE8 (specifically, it doesn't work). I opened Chrome, pasted in the URL I had open in IE8, and happily removed the ban filters - without logging in again.

So no, the cookie isn't used for anything (unless Chrome actually uses IE cookies)

I tested it myself (IPB3 that is), from FF 3.0.13 to IE8. I don't like it, it's a security risk. I mean honestly, for me, it's not a big issue as it's unlikely to ever affect me. But for a business environment, where security is an extreme issue, this could be seen as a major red flag that needs to be plugged ASAP.

[Wolfie]

Of course for me, I dare someone to try to hack into http://n-raged.com/forums/admin/ since I doubt they'll gain anything from it.

[wepfijweoifj]

It's been this way since 1.3 or even earlier...

[ᴡᴅツ]

I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder.

IPS did it :whistle:
http://forums.invisionpower.com/admin

[Guest]

[quote name='Archon Neo' date='07 August 2009 - 10:35 PM' timestamp='1249709739' post='1840390']
I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder.

IPS did it :whistle:
http://forums.invisionpower.com/admin

IPS did it everywhere. And I don't blame them. I did too.

[pisaldi]

[quote name='Archon Neo' date='08 August 2009 - 07:35 AM' timestamp='1249709739' post='1840390']
I don't know if this really is a security bug but we'll find out; this might just be a false alarm. In any event, you can add further precautions by enabling .htaccess and renaming the admin folder.

IPS did it :whistle:
http://forums.invisionpower.com/admin


If you rename the admin folder, every time you upgrade you must return to rename as admin if you don't do this it will not work...

That's what happened to me...

[Charles]

We specifically do NOT use cookies in the AdminCP so nothing about your session is stored on your computer.

Unless you actually edit init.php and disable IP checking in the AdminCP sending the URL to an ACP sessions is safe. Also, keep in mind, ACP sessions auto expire after a certain amount of inactivity.

[Wolfie]

Could it at least be set up to match the browser and O.S.?

[Lindsey_]

Not really worth it. OS, anyone can have the exact same OS as the admin of that side

Site admin => Windows vista
Hacker => Windows vista

[Wolfie]

[quote name='Lindseŷ' date='08 August 2009 - 10:49 AM' timestamp='1249742961' post='1840517']
Not really worth it. OS, anyone can have the exact same OS as the admin of that side

Site admin => Windows vista
Hacker => Windows vista

Matching browser and OS would help as far as intranets are concerned. Person on computer A is a dummy using IE, gives link to person B who is a smart person using FF, or person A is using XP and person B is using Linux. The overall idea would be to somehow match as much as possible (but without going nuts) the person using the ACP so that if the link is somehow shared in an environment where the IP matches, it would still ensure security.

[IP.iBaLLiN]

Wolfie, there is a feature to match browser and OS in the admin CP, I believe, right below the "Match IP" setting.

[Malefickus]

Why would anyone be giving their admin URL to anyone anyways? Only people who need to know it is Admins, and they can log in authentically anyways. Giving someone who can't access it your URL is like asking to be violated in some way.

[envonge]

[quote name='.Wolfie' date='08 August 2009 - 04:06 PM' timestamp='1249743981' post='1840524']
Matching browser and OS would help as far as intranets are concerned. Person on computer A is a dummy using IE, gives link to person B who is a smart person using FF, or person A is using XP and person B is using Linux. The overall idea would be to somehow match as much as possible (but without going nuts) the person using the ACP so that if the link is somehow shared in an environment where the IP matches, it would still ensure security.

You shouldn't be accessing your acp in a "shared environment". Not just that but someone will not just be able to obtain your session id it would take a fair amount of incompetence on the admin's end for that to happen.

[Mark]

Sessions are used on pretty much any PHP-powered website and there is no fundamental security vulnerability in their use. That in the URL is just the session ID, and is IP matched. While things like browser signature checks could be added; they do not really add any security benefit.

Obviously, you would never give out a URL to a page in your ACP ;)

[Andy Rixon]

[quote name='.Wolfie' date='08 August 2009 - 03:24 PM' timestamp='1249741494' post='1840513']
Could it at least be set up to match the browser and O.S.?


I wouldn't say thats possible, as far as I can remember, every OS that gets installed on to a pc or mac, has different serials, the OS matches your motherboard (not that sure though)