Catalyst Gaming

General => Suggestions => Topic started by: testing on July 11, 2011, 08:50:15 PM

Title: Web security suggestion
Post by: testing on July 11, 2011, 08:50:15 PM
I've talked with Rofl about this, but not sure if anything was done about it.

Currently, the website is vulnerable to session hijacking. With session hijacking, a hacker can gain access to any account registered on the site. It's a fairly simple process, and the hardest part would be cracking your salted sha1 hash.

Upon login, the client gains 2 cookies. Only 1 of these cookies is required to stay logged in [the PHPSESSID]. The cookie responsible for authenticating is the SMFCookie680, which, when decoded, clearly states the password in salted sha1. For example, mine is: ae01251fda9aa8400a457eb1d3ab3ac0581895de. Deleting the SMFCookie680 after logging in doesn't automatically log you out.

My suggestion is to keep the SMFCookie680, and make it so every time the user loads a new page, it checks if both the PHPSESSID cookie and the SMFCookie680 are what they're supposed to be. There are several articles that would help in implementing this. I find this article to be the most helpful:
http://phpsec.org/projects/guide/4.html

If you require more assistance let me know. This topic is aimed at the web developer.
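The check proposed above (both cookies validated on every page load, with the login cookie carrying a random per-login token instead of the salted password hash), as an added Python example that is not part of this thread or of SMF's own code; the cookie names come from the post, while the in-memory store and the token handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store: PHPSESSID -> {user, token digest}.
# A real deployment would keep this in the server-side session storage.
SESSIONS: dict = {}


def _digest(token: str) -> str:
    # Store only a digest of the cookie token so a leaked store does not
    # hand out working cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str) -> dict:
    """Issue the two cookies named in the thread.

    The auth cookie holds a random token generated at login, not a hash of
    the password, so a captured cookie says nothing about the password and
    is revoked simply by dropping the server-side session.
    """
    sessid = secrets.token_hex(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sessid] = {"user": username, "token_digest": _digest(token)}
    return {"PHPSESSID": sessid, "SMFCookie680": token}


def authenticate(cookies: dict) -> Optional[str]:
    """Run on every page load: both cookies must be present and must agree.

    Returns the username on success. On any mismatch the session is
    destroyed, so a PHPSESSID on its own (the behaviour the post describes)
    no longer keeps the user logged in.
    """
    sessid = cookies.get("PHPSESSID")
    token = cookies.get("SMFCookie680")
    session = SESSIONS.get(sessid) if sessid else None
    if session is None:
        return None
    if token is None or not hmac.compare_digest(
        session["token_digest"], _digest(token)
    ):
        SESSIONS.pop(sessid, None)  # kill it rather than leave it half-valid
        return None
    return session["user"]
```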
Title: Re: Web security suggestion
Post by: Scratchie on July 11, 2011, 08:58:42 PM
The way and is coded makes it hard to do this but I will look into what I can do
Title: Re: Web security suggestion
Post by: testing on July 12, 2011, 02:21:34 AM
If you need any help let me know. Don't mean to intrude or insult, just offering a helping hand to take care of some of the tedious work :P
Title: Re: Web security suggestion
Post by: Somone77 on July 18, 2011, 07:35:33 PM
Small bump but,

Sha1 is not an 'encryption', it is a hash. A hash cannot be reversed or 'cracked'. It is near to impossible that anyone could get your password if you are smart enough to not make it any word or name in the English language.
Title: Re: Web security suggestion
Post by: testing on July 18, 2011, 11:41:48 PM
Right, when working with web development I frequently interchange hash with encryption, my bad :3 I know it's improper.
Most users actually do pick plain words and maybe add a number at the end. There are many online resources to "decrypt" [de-hash, but that isn't much of a buzz word] SHA-1 hashes. These sites have uberly large word lists containing the plain text and the SHA-1 hash. Since you use a salt, it's unlikely to find it on these sites, but one could still run it through a brute forcer like PasswordsPro or something.
<script>alert('XSS')</script>
Title: Re: Web security suggestion
Post by: Somone77 on July 18, 2011, 11:53:02 PM
More of a non-issue if you ask me.
Title: Re: Web security suggestion
Post by: testing on July 19, 2011, 02:12:19 AM
Well, seeing as how it's still vulnerable, someone could just set up a cookie catcher and steal users' sessions. That would be a pretty big issue then, now wouldn't it? Especially since the code for a cookie catcher is very public.
Title: Re: Web security suggestion
Post by: Somone77 on July 19, 2011, 03:15:52 AM
There's probably more back end verification going on than just the session cookies. SMF is a very popular forum software and I can assume that they've thought of something that trivial.