PROBLEM: Dealing with phpBB Cookies (Phase II)

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.

Post by eech55 »

Here is phpBB's cookie:

Code:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22670b14728ad9902aecba32e22fa4f6bd%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

How does phpBB understand the following:
- who is the user assigned to the cookie
- preventing or making faking cookies hard

What does all this fancy code mean, such as %?
Could someone translate all this URL code into normal code which we understand?

Waiting to hear from you.


Post by Marshalrusty »

Can I ask what you are trying to accomplish?

Post by Taipo »

Code:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22670b14728xxxxxxxxxxxxxxx2fa4f6bd%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

decodes to

Code:

a:2:{s:11:"autologinid";s:32:"670b14728xxxxxxxxxxxxxxx2fa4f6bd";s:6:"userid";s:1:"2";}

See the "2"? That's user 2.

670b14728ad9902aecba32e22fa4f6bd is the MD5 hash password stored in the DB associated with that user.
Last edited by Taipo on Mon Oct 31, 2005 4:16 am, edited 1 time in total.


Post by Taipo »

eech55 wrote: preventing or making faking cookies hard

Upgrade to the latest version of phpBB, which has a fix to that cookie exploit found in earlier versions.

P.S. If your board is not up to date, and that is in fact your own hash password, I would suggest you at least remove the MD5 hash from your previous post; I'll remove it from mine too.


Re: PROBLEM: Dealing with phpBB Cookies (Phase II)

Post by AnthraX101 »

eech55 wrote: Here is phpBB's cookie:

Code:

[snip]

How does phpBB understand the following:
- who is the user assigned to the cookie
- preventing or making faking cookies hard

What does all this fancy code mean, such as %?
Could someone translate all this URL code into normal code which we understand?

Waiting to hear from you.


This is a serialized array from PHP. Specifically, it contains two keys, "autologinid" and "userid". Both are of string type; the autologin hash key has a value of "670b14728ad9902aecba32e22fa4f6bd", whereas the value of "userid" is 2.

As for how that works, well, it depends on if you are on versions <2.0.18, or if you are on 2.0.18.

For versions <2.0.18 (as it appears you are on):

The userid variable is the user id of the account to use. The autologinid is an MD5 of the user's password. This is compared to the stored MD5 value in the users table; if they match, the user is logged in.

For version 2.0.18:

The userid variable is the user id of the account to use. The autologinid is the MD5 of a pseudorandom value, generated when the user wants to auto login. This is compared to the MD5 of the MD5 of the PRN. This means whatever autologinid the user has is sent through MD5, then compared to the stored value in the database. Every time the user logs on, a new autologin id is generated.

The new system has two advantages. The first is that a variation of the user's password is no longer stored on the machine. The second is that a read-only database compromise won't allow an attacker to take over an account (without brute forcing the MD5 hash).

A couple of other notes: as far as I know, this does not fix any exploits in phpBB; it simply is a more secure way of doing it and helps to hamper any exploit attempts. A second is that he already gave out that password to a test account in another thread. ;)

Hope this helps.

AnthraX101
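
The cookie format and the two comparison schemes described in the post above, as an added Python example that is not part of the original thread and is not phpBB's code. The function names, the parser that accepts only the string-typed entries the posted cookie contains, and the constant-time comparison are choices made for this example.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

# Cookie value exactly as posted at the top of the thread.
COOKIE = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22"
          "670b14728ad9902aecba32e22fa4f6bd%22%3Bs%3A6%3A%22userid%22"
          "%3Bs%3A1%3A%222%22%3B%7D")

def parse_cookie(raw):
    """URL-decode, then parse a PHP-serialized array of string entries.

    Anything other than s:<len>:"<value>"; is rejected. Lengths are
    treated as character counts, which is correct for ASCII values.
    """
    text = unquote(raw)
    head = re.match(r"a:(\d+):\{", text)
    if not head or not text.endswith("}"):
        raise ValueError("not a serialized array")
    pos, strings = head.end(), []
    while pos < len(text) - 1:
        entry = re.compile(r's:(\d+):"').match(text, pos)
        if not entry:
            raise ValueError("only string-typed entries are accepted")
        start, end = entry.end(), entry.end() + int(entry.group(1))
        if text[end:end + 2] != '";':
            raise ValueError("declared length does not match value")
        strings.append(text[start:end])
        pos = end + 2
    if len(strings) != 2 * int(head.group(1)):
        raise ValueError("element count mismatch")
    return dict(zip(strings[0::2], strings[1::2]))

def md5_hex(value):
    return hashlib.md5(value.encode()).hexdigest()

def _same(a, b):
    # Constant-time comparison: a choice made for this example.
    return hmac.compare_digest(a.encode(), b.encode())

def check_pre_2018(cookie, users_table_md5):
    # <2.0.18: the cookie value is compared with the stored hash as-is.
    return _same(cookie["autologinid"], users_table_md5)

def check_2018(cookie, stored_md5_of_key):
    # 2.0.18: the cookie value is hashed once more before comparing.
    return _same(md5_hex(cookie["autologinid"]), stored_md5_of_key)
```

Under the older comparison the value held in the database and the value held in the cookie are the same string; under the 2.0.18 comparison they differ by one MD5 step, which is the second advantage the post lists.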


Post by Taipo »

good explanation!
