[Simplog-devel] Security and isUserAuthorized
From: Jim Hu <ji...@ta...> - 2004-09-26 19:35:50
Jason and Jeremy,

It just occurred to me that the way isUserAuthorized is set up now, there is a potential security hole for protected blogs in a multiuser environment. For protected blogs, we only check using:

    elseif ( $this->blogType == 'protected ' ) {
        if ( isset ($_SESSION['login']) ) {
            return true;
        }
    }

First, this will give access to a blog user on blogid=1 to a protected blogid=2, even if the user isn't on the blog_acl.

More seriously, if a user (or hacker) has access to anything else on the same server, she can write a web application that creates a session with the session variable named "login", and this statement will evaluate to true. I haven't actually tried this to break into a protected blog (because I still have isUserAuthorized inactivated on my server for other reasons related to our need to standardize what we all mean by protected and private, as discussed before), but I use something like this for administration controlled by Simplog - I have scripts in my websites that ask whether a user is currently logged into Simplog. If this hole really exists, then it may also be possible to break into private blogs too, as long as the attacker knows/guesses the login of the administrator.

I think that this is a general security issue with $_SESSION, and from a quick Google, it looks like it has been discussed before. I haven't digested the discussion thoroughly, but it seems like a stronger session-based security system would have to cache a session_id when it is created by Simplog and recheck it each time it's invoked in order to assure that the session isn't a fake. I don't have a problem with other applications knowing that I'm logged into Simplog (in fact I use that property), but we don't want spoofing to be this easy. Note that as far as I can tell, this is not a problem that goes between hosts or even virtual hosts.
However, in the kind of academic environment I work in, hacking attacks are frequent - I've had two Linux servers crash due to attacks in the past two years - so I tend to be paranoid.

Jim

p.s. I vacillated about sending this out to the general list, as it basically tells how to break in. However, in the end, I decided that a hacker who wanted to do this would already be able to figure it out by just looking at the code, and that doing so would be easier than looking through the archives of the developer listserv. Seems like it would be better to draw on the experience and ideas of the others on the list.
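As an added illustration (not code from the message or from Simplog itself), here is one way to close both gaps the message describes: the protected-blog branch checks that the session id is the one Simplog recorded at login, and that the login is actually on that blog's ACL. The table `simplog_sessions`, the helper name `recordSimplogLogin`, and the use of a mysqli connection are assumptions for this example.

```php
<?php
// Added example, not Simplog's code. Assumed tables (hypothetical names):
//   blog_acl(blogid, login)                 - who may read a protected blog
//   simplog_sessions(login, session_id)     - session ids issued by Simplog

function recordSimplogLogin(mysqli $db, string $login): void {
    // Issue a fresh id so a cookie supplied before login is never adopted.
    session_regenerate_id(true);
    $_SESSION['login'] = $login;
    // Remember which session id Simplog itself issued for this login.
    $stmt = $db->prepare(
        'REPLACE INTO simplog_sessions (login, session_id) VALUES (?, ?)');
    $sid = session_id();
    $stmt->bind_param('ss', $login, $sid);
    $stmt->execute();
}

function isUserAuthorized(mysqli $db, string $blogType, int $blogid): bool {
    if ($blogType === 'public') {
        return true;
    }
    if ($blogType !== 'protected') {
        return false;           // private blogs are handled elsewhere
    }
    // The original check stopped here: isset($_SESSION['login']) alone.
    if (!isset($_SESSION['login'])) {
        return false;
    }
    $login = $_SESSION['login'];

    // 1. The session must be one Simplog created: its id must match the
    //    id stored by recordSimplogLogin, so a 'login' variable planted by
    //    another application on the same server is not enough.
    $stmt = $db->prepare('SELECT session_id FROM simplog_sessions WHERE login = ?');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row || !hash_equals($row['session_id'], session_id())) {
        return false;
    }

    // 2. The login must be on this blog's ACL, so a user of blogid=1
    //    does not automatically get protected blogid=2.
    $stmt = $db->prepare('SELECT 1 FROM blog_acl WHERE blogid = ? AND login = ?');
    $stmt->bind_param('is', $blogid, $login);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() !== null;
}
```

Giving Simplog its own session name and save path (session_name(), session_save_path()) further keeps its session files apart from those of other applications on the host.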