Sensitive Data in Querystring

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Anti-Spam Guide
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
saint_voland
Registered User
Posts: 4
Joined: Wed Aug 15, 2012 12:18 pm

Sensitive Data in Querystring

Post by saint_voland » Wed Aug 15, 2012 12:25 pm

The PhpBB session id is transmitted through URL querystring in a GET request.

http://localhost/phpBB2/viewforum.php?f ... e1646d870f[/b]

version 3.0.10

is anybody knows how to avoid it????

User avatar
Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean
Contact:

Re: Sensitive Data in Querystring

Post by Erik Frèrejean » Wed Aug 15, 2012 12:32 pm

Fixing incorrect cookie settings

However, phpBB doesn't just blindly trusts the query string. It checks for other parameters (browser, ip,) to verify the session. Therefore you can't simply highjack a session with just the SID.
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

saint_voland
Registered User
Posts: 4
Joined: Wed Aug 15, 2012 12:18 pm

Re: Sensitive Data in Querystring

Post by saint_voland » Wed Aug 15, 2012 1:17 pm

thanks Erik for quick reply!! I think so, but our security team who sent me results has another opinion. They suggested to replace GET requests with POST.. it's a huge effort cause all data across the forum is sent via GET requests. I think it useless activity.

User avatar
Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean
Contact:

Re: Sensitive Data in Querystring

Post by Erik Frèrejean » Wed Aug 15, 2012 1:20 pm

They are free to file a report in our security tracker so that a member of our security team can review it.
However, simply correct your cookie settings. phpBB only uses the SID parameter if it can't write a cookie.
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

saint_voland
Registered User
Posts: 4
Joined: Wed Aug 15, 2012 12:18 pm

Re: Sensitive Data in Querystring

Post by saint_voland » Wed Aug 15, 2012 2:15 pm

Erik, sid appears in URL parameters in first two requests. When the sid's value in cookies are equal with sid's value in URL, the last one disappears from URL parameters. Is it correct behavior of the system?

User avatar
Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean
Contact:

Re: Sensitive Data in Querystring

Post by Erik Frèrejean » Wed Aug 15, 2012 2:21 pm

Yes, the first request always contains the SID as at that point phpBB can't know whether it can set a cookie. So if you land on the forum, phpBB will write the cookie and set the SID to assure that the session ID is passed to the next request, then on the following page load phpBB know whether or not it has a cookie with the session data and based upon that it will determine whether to pass the SID through the URL or use the cookie.
Unfortunately it is something that must be done as phpBB can only read the cookie on the next request so on the first one it writes the cookie but doesn't know whether that was successful.
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

saint_voland
Registered User
Posts: 4
Joined: Wed Aug 15, 2012 12:18 pm

Re: Sensitive Data in Querystring

Post by saint_voland » Wed Aug 15, 2012 2:58 pm

Thank you so much Erik!!

Locked

Return to “[3.0.x] Support Forum”

cron