SMF 2.0.11 account fixation "attack"

Started by qc, May 02, 2016, 07:27:14 PM

qc

While looking into the previous issue, I stumbled over the following: http://quizcommunity.de/login.html (click on it while logged out)

There is no CSRF token validation on the login form which enables malicious users to log another user into a predefined user account by making that other user click on a link (or via hidden iframe and whatnot...)

All sensitive data posted or sent (e.g. PMs) from within the predefined account can now be read by both users.

This is nothing big, but could be misused by the occasional troll every forum has to deal with. A fix would require a CSRF token to be validated on index.php?action=login2. I noticed that there is already a CSRF token on this site's login form, but it seems to be ignored.
Playing quizduell? Having quizduell questions? Our German quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

qc

Actually, this is an issue that should be fixed since it increases the attack surface of SMF quite a bit (to the active SMF developers: see my privately reported issue). It allows for a 'real' session fixation attack in the sense that the PHPSESSID of the to-be-logged-in victim is given by the attacker.
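The two points raised above (the login handler accepting a form post with no session-bound CSRF check, and the pre-login session ID surviving into the authenticated session) are what a fix on the login2 action has to cover. The following is an added illustration, not SMF's own code: a minimal PHP login handler that rejects any POST whose token does not match the one stored in the browser's own session, and regenerates the session ID once credentials are accepted. The function names (check_credentials, handle_login2), the sample user, and the POST field names are assumptions made for the example.

```php
<?php
// Added example (not SMF's code): CSRF-checked login with session regeneration.
declare(strict_types=1);

session_start();

// Issue one random token per session and keep it server-side; the login form
// renders it as a hidden field. A cross-site page cannot read it, so a forged
// login post cannot supply a matching value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session's token in constant time.
function csrf_token_is_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Hypothetical credential check standing in for the forum's own user lookup.
// The user table is constructed inline; a real handler reads the hash from the DB.
function check_credentials(string $user, string $password): ?int
{
    $users = [
        'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

// Handler for the login action (the equivalent of index.php?action=login2).
function handle_login2(): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        // Render the form with the token bound to this visitor's session.
        return '<form method="post">'
            . '<input type="hidden" name="csrf_token" value="'
            . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">'
            . '<input name="user"><input type="password" name="passwrd">'
            . '<button>Log in</button></form>';
    }

    // The token check runs on the login action itself, before credentials are
    // looked at, so a post originating from another site is refused here.
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'login rejected: missing or stale session token';
    }

    $id = check_credentials(
        (string)($_POST['user'] ?? ''),
        (string)($_POST['passwrd'] ?? '')
    );
    if ($id === null) {
        return 'login failed';
    }

    // Discard the pre-login session ID (and its token) so that a session ID
    // set before authentication never becomes the authenticated one.
    session_regenerate_id(true);
    unset($_SESSION['csrf_token']);
    $_SESSION['user_id'] = $id;

    return 'logged in as user ' . $id;
}

echo handle_login2();
```

The essential part is that the check is enforced on the action that performs the login, not merely rendered into the form; a token that is emitted but never validated, as described above, gives no protection. Regenerating the session ID on successful login is the standard companion to the CSRF check and is what closes the fixation angle from the second post.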

qc

This issue is still present in SMF 2.0.12