Simple Machines Forum Session Fixation Vulnerability

Started by lars_n, May 09, 2007, 03:30:36 AM


lars_n


Hello all :)

Is there already a patch for that? If not, when will it be available? Thanks.

Source: http://secunia.com/advisories/25139/


Quote
Description:
David Vieira-Kurz has discovered a vulnerability in Simple Machines Forum, which can be exploited by malicious people to conduct session fixation attacks.

The vulnerability is caused due to an error in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.

The vulnerability is confirmed in version 1.1.2. Other versions may also be affected.

Solution:
Do not follow links from untrusted sources.

Solution Status: Unpatched

Sarge

Quote from: lars_n on May 09, 2007, 03:30:36 AM
Is there already a patch for that? If not, when will it be available? Thanks.

http://www.majorsecurity.de/index_2.php?major_rls=major_rls47

Quote
Workaround:
============
1. Do not accept session identifiers from GET / POST variables.

2. Regenerate the SID on each request.

3. Accept only server-generated SIDs:
One way to improve security is to not accept session identifiers that were not generated by the server.

<?php
session_start(); // the session must be active before $_SESSION or session_regenerate_id() are used
if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
    // this SID was not issued by this server: discard its data, then restart so it can be regenerated
    session_destroy();
    session_start();
}
session_regenerate_id(); // generate a new session identifier
$_SESSION['SERVER_GENERATED_SID'] = true; // mark the new session as server-generated

History/Timeline
================
30.04.2007 discovery of the vulnerability
03.04.2007 contacted the vendor
04.04.2007 working patch sent to the vendor
05.04.2007 advisory is written
05.04.2007 advisory released

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting


lars_n

Just wondering, because the release date of this advisory is:

Quote
Release Date: 2007-05-07
:-X

webfan

Quote
if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
session_destroy(); // destroy all data in session
}
session_regenerate_id(); // generate a new session identifier
$_SESSION['SERVER_GENERATED_SID'] = true;
Where is the best place in SMF to insert the code?

Thanks

Regards
:)

EDIT: I added the code at the top of LogInOut.php, is that OK?

青山 素子

This is a difficult thing to trigger. To my understanding you'd need to create a valid session ID, PHP would need to allow passing sessions around as variables, and a few other things to accomplish this (being on the same network, using the exact same browser, etc. makes things a lot easier).

There should be a fix out for this soon (likely as part of the 1.1.3 update).
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


VaKo

In the meantime, is there an easy way of applying the workaround?

Sarge

A security patch would be nice, like the one for 1.1 RC3. Likewise, the SMF version doesn't have to change.


Kindred

This is, for the most part, not a real issue. One would have to have access to either the server or the user already in order to set the session ID...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

metallica48423

Quote
A security patch would be nice, like the one for 1.1 RC3. Likewise, the SMF version doesn't have to change.

As Motoko-chan stated, there should be something out soon. There is likely more to it than just that to warrant a 1.1.3 release, including other bug fixes.

Like Motoko said, soon :P
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote
Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

Charlie82

Quote from: webfan on May 09, 2007, 05:49:11 AM
Quote
if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
session_destroy(); // destroy all data in session
}
session_regenerate_id(); // generate a new session identifier
$_SESSION['SERVER_GENERATED_SID'] = true;
Where is the best place in SMF to insert the code?

Thanks

Regards
:)

EDIT: I added the code at the top of LogInOut.php, is that OK?

Is that OK, then?

kill3r

Where can I add this code? Someone please help.

if ( ! isset( $_SESSION['SERVER_GENERATED_SID'] ) ) {
session_destroy(); // destroy all data in session
}
session_regenerate_id(); // generate a new session identifier
$_SESSION['SERVER_GENERATED_SID'] = true;

青山 素子

This is a minor problem, and there will be a fully-tested and working solution out soon.

As a note, the solution proposed in the report has been tested and it was found to not fully prevent the problem described.

Quote from: Motoko-chan on May 09, 2007, 10:29:19 AM
This is a difficult thing to trigger. To my understanding you'd need to create a valid session ID, PHP would need to allow passing sessions around as variables, and a few other things to accomplish this (being on the same network, using the exact same browser, etc makes things a lot easier).


kill3r

Quote from: Motoko-chan on June 17, 2007, 07:25:02 PM
This is a minor problem, and there will be a fully-tested and working solution out soon.

As a note, the solution proposed in the report has been tested and it was found to not fully prevent the problem described.

Thanks for the prompt reply, I'll wait for the update.
