As people may or may not know, even if you have cookie settings set up properly, after logging in you will have a session ID in your URL. Just try it: log out of these forums and back in -> session ID in the URL.
Yes, it goes away after you go to any other page, but for a brief second the session ID is in the URL.
Now, what could go wrong? You can leak your session and anyone can hijack your session. Take these steps:
0. Use Google Chrome, or any other browser that allows bookmarking.
1. Log out and in
2. Bookmark the url after logging in. (an active poster on my forums did this, and I'm sure he's not the only one)
3. Delete your cookies, or start an incognito session, or log in from a new pc, or anything which makes you start without cookies.
4. Click the bookmark
5. You are now logged in again! But... every page you go to has the session ID in the URL.
6. Share a forum post with your friends, or worse, post it on some public forum
7. Boom, you now have your session leaked to the world
What can they do? They can read your PMs, they can remove your posts, and if the user is a moderator, they can remove/edit other people's posts! And if it weren't for the admin panel requiring you to log in again, they could remove the entire forum with a handful of clicks.
There needs to be an update allowing us to remove session id from the url.
Why does it even exist? According to some searches, it is so the forums can keep you logged in even if your browser doesn't allow cookies? This is a useless "feature", since if people don't allow cookies, they basically can't use the modern internet.
I am happy we caught it early with this user on this website, since he put a lot of effort into some of his posts, and my latest backup was 3 days old so I had no way of recovering his posts. Also he could have his PMs read which is a breach of privacy.
canonknipser wrote: Sat Aug 12, 2017 9:57 am
Have you any kind of "IP anonymisation" like Cloudflare or similar running, so that every user gets the same IP? The session ID is bound to the IP.
Edit: and phpBB has been running since ancient times with session IDs and no security problems from using them. There have also been some external security audits on phpBB.
I am not running a proxy in front of my server or anything like that. I also can no longer reproduce it, but I did manage to log into one of our users' accounts via a link he sent me a couple of hours ago. (And read PMs and stuff, so it wasn't just a visual bug.)
Do you have any other ways that could've happened then?
Edit: Managed to reproduce it again. Someone logged out -> logged in -> sent me the link including SID in it, and I opened it and was logged in as his user.
This is something we're aware of and there are already some checks in place.
In the future though (or for continuing of this discussion), please report to the Security Tracker if you think you found a security issue. Our team will then look at it without it being completely public.
JimA wrote: Sat Aug 12, 2017 10:33 am
This is something we're aware of and there are already some checks in place.
In the future though (or for continuing of this discussion), please report to the Security Tracker if you think you found a security issue. Our team will then look at it without it being completely public.
Fair enough! I posted it publicly to hopefully be proven wrong.
Well, it might not be the best practice, but IP checks are in place. So this would never work when the person that you share this URL with is not on the same IP as you are, as you were in your example.
But thanks for the report. We can continue this discussion with the developers in the security tracker.
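The two behaviours discussed in this thread (a session ID carried in the URL being enough to log in, and the IP binding that is supposed to stop a shared link from working from a different address) are easy to model. The following is an added example, not phpBB's own code: a minimal session resolver that accepts the session ID from a cookie or, failing that, from a `sid` query parameter (the parameter name and the `/32` IP binding are assumptions for illustration). It then replays the scenario from the first post: a shared link fails from a different IP, but succeeds when the recipient arrives from the same IP, which is exactly the situation a reverse proxy that presents one address for every visitor would create.

```python
"""Added example (not phpBB's code): session ID in URL vs. cookie, with IP binding."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Session:
    sid: str
    user: str
    ip: str  # client address seen at login; the session is bound to it


class SessionStore:
    """Toy session store. ip_check_bits=32 means the full IPv4 address must match."""

    def __init__(self, ip_check_bits: int = 32, allow_url_sid: bool = True):
        self.sessions: dict[str, Session] = {}
        self.ip_check_bits = ip_check_bits
        self.allow_url_sid = allow_url_sid  # whether ?sid= is honoured at all

    def login(self, user: str, client_ip: str) -> str:
        sid = secrets.token_hex(16)  # 128-bit random session ID
        self.sessions[sid] = Session(sid, user, client_ip)
        return sid

    def _ip_matches(self, bound_ip: str, client_ip: str) -> bool:
        # Compare only the first ip_check_bits bits (32 = exact match).
        net = ipaddress.ip_network(f"{bound_ip}/{self.ip_check_bits}", strict=False)
        return ipaddress.ip_address(client_ip) in net

    def resolve(self, url: str, cookie_sid: Optional[str], client_ip: str) -> Optional[str]:
        """Return the logged-in user for this request, or None."""
        sid = cookie_sid
        if sid is None and self.allow_url_sid:
            # No cookie: fall back to the sid in the query string, as a
            # cookieless browser would need. This is the leak path.
            sid = parse_qs(urlparse(url).query).get("sid", [None])[0]
        if sid is None:
            return None
        sess = self.sessions.get(sid)
        if sess is None or not self._ip_matches(sess.ip, client_ip):
            return None  # unknown sid, or IP binding check failed
        return sess.user


def replay_scenario() -> dict:
    """Replay the thread's scenario; returns who each request resolved to."""
    store = SessionStore(ip_check_bits=32)
    victim_ip = "198.51.100.7"      # constructed example addresses
    stranger_ip = "203.0.113.9"

    sid = store.login("alice", victim_ip)
    # The bookmarked/shared link: the URL phpBB shows right after login.
    shared_link = f"https://forum.example/viewtopic.php?t=1&sid={sid}"

    results = {
        # Alice herself, cookie present, normal navigation.
        "owner_with_cookie": store.resolve("https://forum.example/index.php", sid, victim_ip),
        # Someone on a different IP opens the shared link: IP check blocks it.
        "stranger_other_ip": store.resolve(shared_link, None, stranger_ip),
        # Someone arriving from the same IP (shared NAT, or a proxy that
        # hides every client behind one address): the link logs them in.
        "stranger_same_ip": store.resolve(shared_link, None, victim_ip),
    }
    # With URL session IDs disabled entirely, the shared link is inert
    # even from the same IP; only the cookie can carry the session.
    strict = SessionStore(allow_url_sid=False)
    sid2 = strict.login("alice", victim_ip)
    results["url_sid_disabled"] = strict.resolve(
        f"https://forum.example/viewtopic.php?t=1&sid={sid2}", None, victim_ip
    )
    return results


if __name__ == "__main__":
    for name, user in replay_scenario().items():
        print(f"{name:20s} -> {user}")
```

The `stranger_same_ip` case is the one to watch: the IP check only helps when the server actually sees distinct client addresses, so a proxy or CDN that is not configured to pass the real client IP through collapses the check for everyone behind it.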
Not a security issue, and it has been an issue for some. Your server is misconfigured in one way or another. Your comments on what you think the session ID does and the need for it are beyond incorrect, but I won't get into that.
The CloudFlare issue is widespread and affects pretty much all forum platforms, not just ours, as well as other software. A properly configured server does not have an issue with properly handling sessions and IP addresses.
I have noticed some issues on the backend, specifically CSF. It only recognizes the Cloudflare IP, so you can't block them using CSF, and LFD will fail to auto-firewall traffic coming from Cloudflare because you need to whitelist their IPs. If I understand correctly, this is actually an iptables incompatibility.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”