Web Wiz - Green Windows Web Hosting


Dear Web Wiz Family, big secure problem.

Gullanian
Senior Member

Joined: 04 January 2002
Location: England
Status: Offline
Points: 4373
Posted: 05 March 2006 at 11:57pm
Wow!  This is a pretty big security problem, I will test it myself later.
emr550m
Newbie

Joined: 05 March 2006
Status: Offline
Points: 5
Posted: 06 March 2006 at 12:45am
I have some modifications to solve this problem. I can help too. But this is not your or Web Wiz Forums' fault. This is the browser developers' and Microsoft IIS's problem. I don't know if Apache servers are open to session hijacking, but they will be, I think.

I'll try to build an ISAPI filter to find out session hijackers. The cookie problem cannot be solved until a secure browser is developed. I'll use session data in my forum;

I'll modify the code in common.asp below:

'Read in users ID number from the cookie
strLoggedInUserCode = Trim(Mid(Request.Cookies(strCookieName)("UID"), 1, 44))


I'll change it to something like this:


Dim tmp_secure, securesession
' Rebuild the binding for this request: ASP session ID plus the client's IP address
tmp_secure = Session.SessionID & Request.ServerVariables("REMOTE_ADDR")
' The binding stored at login time (see log_in_user.asp below)
securesession = Session("securesession")
If tmp_secure = securesession Then
    ' Binding matches: take the user ID from session data instead of the cookie
    strLoggedInUserCode = Session("UID")
Else
    ' Mismatch (different address or no login): treat as not logged in
    strLoggedInUserCode = ""
End If


and in log_in_user.asp;

        
Response.Cookies(strCookieName)("UID") = strUserCode
change this to:

Session("UID") = strUserCode
' Bind this login to the ASP session ID and the client's IP address
Session("securesession") = Session.SessionID & Request.ServerVariables("REMOTE_ADDR")

This will convert the whole forum to run without cookies. It will run on session data. Don't forget to change log_off_user.asp or you cannot log off until you close the browser window.


Make the same change to admin/common.asp also.


 
WebWiz-Bruce
Admin Group
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 06 March 2006 at 11:36am
Sorry I have not seen this topic earlier, but it was posted in the wrong forum.

I am aware of all these issues and Web Wiz Forums does have security in place to prevent or limit the effects as much as possible.

If you select the auto login feature then an auto login cookie is set on your machine, which can cause issues if a hacker gets hold of this cookie.

To prevent and limit this problem as much as possible a number of things are in place.

Things to prevent this issue in 7.97 include:-
  • Session variables are used for the admin section and the admin is forced to re-login to gain access to the admin section.
  • Auto login/tracking cookie is updated in many parts, so the auto-login code is changed often
  • Session cookies are used if auto-login is not selected
  • Access users are informed to rename and protect their Access database so login data is not compromised
  • Security filters are used to filter unsafe user input to try and prevent cookie data being stolen 
  • Passwords are 160-bit one way encrypted
Version 8 builds on this and adds more protection:-
  • Version 8 beta 2 onwards uses its own proprietary session tracking system, with additional IP checking for extra protection (much like emr550m mentions)
  • New proprietary session system times out after 20 minutes of inactivity, meaning if the hacker does get hold of your session ID they have less than 20 minutes to get past the additional session ID security and use the session ID
  • Session data held in application array for extra security (unless load balanced or web gardens are used in which case it's stored, slightly less securely, in the database)
  • Auto-login cookie is still used as people demand this even though there is a small risk of the cookie being hijacked (it is recommended not to use auto-login)
  • The admin section uses a second more secure login system that auto-login cannot be used on and the admin must re-login to gain access to the admin section
  • Security filters have been updated to filter more unsafe content to prevent cookie hijacking
  • The auto-login cookie is updated more often
At the end of the day the biggest issue here is that HTTP is a stateless protocol, meaning that the connection to the web server is not maintained and is dropped as soon as the page loads in the browser window.

This means the only way to track and identify users is to place some sort of identity seed on the user's machine, in either the form of a cookie or a session ID.

Until the system of how HTTP works is changed or a new protocol can be used for viewing web pages there will always be a risk that the identity seed placed on the user's machine can be hijacked.

These issues should be known to all web masters, and measures put in place to limit this type of thing as much as possible.

Many months of on-going research, testing, and developing new and improved ways of limiting these inherent issues goes into Web Wiz Forums to make sure it is the most secure forum software around.


Edited by -boRg- - 06 March 2006 at 12:30pm
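The IP-bound session scheme from emr550m's snippet, combined with the 20-minute inactivity timeout Bruce describes for the version 8 session system, modelled in Python as an added example (not the forum's own ASP code). `SessionStore`, its methods, the fake clock and the sample addresses are assumptions made for the illustration.

```python
import secrets
import time

INACTIVITY_TIMEOUT = 20 * 60  # seconds: the 20-minute inactivity limit described for v8

class SessionStore:
    """Server-side session table standing in for the forum's application array."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the timeout can be tested deterministically
        self._sessions = {}  # session id -> {"uid", "ip", "last_seen"}

    def login(self, uid, client_ip):
        """Issue a random session id bound to the client's REMOTE_ADDR."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"uid": uid, "ip": client_ip, "last_seen": self._clock()}
        return sid

    def resolve(self, sid, client_ip):
        """Return the user id for a presented session id, or None when it is rejected.
        Stricter than the posted snippet (an assumption): a mismatch or timeout destroys the record."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > INACTIVITY_TIMEOUT or entry["ip"] != client_ip:
            del self._sessions[sid]  # stale or presented from another address: cannot be replayed later
            return None
        entry["last_seen"] = now  # sliding window: each valid request extends the session
        return entry["uid"]

    def logout(self, sid):
        """log_off_user.asp equivalent: drop the server-side record."""
        self._sessions.pop(sid, None)

def demo():
    """Walk the scheme through its accept and reject cases with a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.login("user42", "203.0.113.10")  # constructed sample values
    results = {"same_client": store.resolve(sid, "203.0.113.10")}
    now[0] += 19 * 60
    results["within_window"] = store.resolve(sid, "203.0.113.10")
    now[0] += 21 * 60
    results["after_timeout"] = store.resolve(sid, "203.0.113.10")
    sid2 = store.login("user42", "203.0.113.10")
    results["other_address"] = store.resolve(sid2, "198.51.100.7")  # same id, different source
    results["victim_after_mismatch"] = store.resolve(sid2, "203.0.113.10")
    return results
```

Binding to REMOTE_ADDR narrows the window rather than closing it: clients behind the same NAT or proxy share an address, and a user whose address changes mid-visit is simply logged out.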
emr550m
Newbie

Joined: 05 March 2006
Status: Offline
Points: 5
Posted: 06 March 2006 at 12:55pm
Yes, stateless protocols are always big trouble. But Microsoft can do something about that.

If it checks the connection IP and port of the visitors, nobody can steal the sessions. I'm working on ISAPI filters right now. I'll try to monitor the connections and try to catch the stealer. Theoretically this can be done. I'll write it here if I can get it done.
Quinox
Newbie

Joined: 10 February 2006
Status: Offline
Points: 2
Posted: 16 March 2006 at 7:27am
You may not be able to steal cookies that way, but you sure can steal the session ID stored in the URL of clients with cookies disabled that way. By using a PHP or ASP script to process an image and send it to the client, you can capture the HTTP_REFERER (which will have the query string in it) as well as REMOTE_USER for the IP.

So it looks to me that it's safer to enable cookies on the forum than to block them.
WebWiz-Bruce
Admin Group
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 16 March 2006 at 11:51am
It will be safer to use cookies, and by default Web Wiz Forums will use cookies to store the session ID.

Having the session appended to the URL will only happen on an individual user basis if cookies are detected as not working.

As most people have cookies enabled the session ID will always be stored in a cookie, but there are always people who for whatever reason can't get cookies to work, in which case they will have to use the slightly less secure method of appending the session ID to the URL.

I personally would rather just go down the more secure route of using only cookies, but the cookie issue some users get is such a pain for forum admins that some option for those that can't use cookies needs to be incorporated into the software.


Edited by -boRg- - 16 March 2006 at 11:52am