Session id in url is a major security flaw

Dutchmagoz
Registered User
Posts: 3
Joined: Sat Aug 12, 2017 7:44 am

Session id in url is a major security flaw

Post by Dutchmagoz »

Hi,

As people may or may not know, even if you have cookie settings set up properly, after logging in, you will have a session ID in your url. Just try it, log out of these forums and back in -> sessionid in url.

Yes, it goes away after you go to any other page, but for a brief second, the sessionID is in the url.

Now, what could go wrong? You can leak your session and anyone can hijack your session. Take these steps:

0. Use Google Chrome, or any other browser that allows bookmarking.
1. Log out and in
2. Bookmark the url after logging in. (an active poster on my forums did this, and I'm sure he's not the only one)
3. Delete your cookies, or start an incognito session, or log in from a new pc, or anything which makes you start without cookies.
4. Click the bookmark
5. You are now logged in again! But... every page you go has the session id in the url
6. Share a forum post with your friends, or worse, post it on some public forum
7. Boom, you now have your session leaked to the world

What can they do? They can read your PMs, they can remove your posts, and if the user is a moderator, they can remove/edit other people's posts! And if it wasn't for the admin panel requiring you to log in again, they could remove the entire forums with a handful of clicks.

There needs to be an update allowing us to remove session id from the url.

Why does it even exist? According to some searches, it is so the forums can keep you logged in even if your browser doesn't allow cookies? This is a useless "feature", since if people don't allow cookies, they basically can't use the modern internet.

I am happy we caught it early with this user on this website, since he put a lot of effort into some of his posts, and my latest backup was 3 days old so I had no way of recovering his posts. Also he could have his PMs read which is a breach of privacy.

Sincerely,

Someone concerned with security.
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: Session id in url is a major security flaw

Post by canonknipser »

Have you any kind of "IP-anonymisation" like cloudflare or similar running, so that every user gets the same IP? The Session-ID is bound to the IP

If you really think it's a security problem, you should follow the rules over here: viewtopic.php?f=556&t=2376856#iit

Edit: and phpBB is running since ancient times with session-IDs and no security problems from using them. There have also been some external security audits on phpBB
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
Dutchmagoz
Registered User
Posts: 3
Joined: Sat Aug 12, 2017 7:44 am

Re: Session id in url is a major security flaw

Post by Dutchmagoz »

canonknipser wrote: Sat Aug 12, 2017 9:57 am Have you any kind of "IP-anonymisation" like cloudflare or similar running, so that every user gets the same IP? The Session-ID is bound to the IP

If you really think it's a security problem, you should follow the rules over here: viewtopic.php?f=556&t=2376856#iit

Edit: and phpBB is running since ancient times with session-IDs and no security problems from using them. There have also been some external security audits on phpBB

I am not running a proxy in front of my server or anything like that. I also can no longer reproduce it, but I did manage to log into one of our user's account via a link he sent me a couple of hours ago. (And read PMs and stuff, so it wasn't just a visual bug)

Do you have any other ways that could've happened then?

Edit: Managed to reproduce it again. Someone logged out -> logged in -> sent me the link including SID in it, and I opened it and was logged in as his user.
JimA
Former Team Member
Posts: 7833
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn

Re: Session id in url is a major security flaw

Post by JimA »

This is something we're aware of and there are already some checks in place.

In the future though (or for continuing of this discussion), please report to the Security Tracker if you think you found a security issue. Our team will then look at it without it being completely public. ;)
Jim Mossing Holsteyn - Former Community Team Leader

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.
Dutchmagoz
Registered User
Posts: 3
Joined: Sat Aug 12, 2017 7:44 am

Re: Session id in url is a major security flaw

Post by Dutchmagoz »

JimA wrote: Sat Aug 12, 2017 10:33 am This is something we're aware of and there are already some checks in place.

In the future though (or for continuing of this discussion), please report to the Security Tracker if you think you found a security issue. Our team will then look at it without it being completely public. ;)

Fair enough! I posted it publicly to hopefully be proven wrong.
JimA
Former Team Member
Posts: 7833
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn

Re: Session id in url is a major security flaw

Post by JimA »

Well, it might not be the best practice, but IP checks are in place. So this would never work when the person that you share this URL with is not on the same IP as you are, as you were in your example. ;)

But thanks for the report. We can continue this discussion with the developers in the security tracker.
DavidIQ
Customisations Team Leader
Posts: 18282
Joined: Thu Jan 06, 2005 1:30 pm
Location: Fishkill, NY
Name: David Colón

Re: Session id in url is a major security flaw

Post by DavidIQ »

Not a security issue and has been an issue for some. Your server is misconfigured in one way or another. Your comments on what you think the session ID does and the need for it are beyond incorrect, but won't get into that.

The CloudFlare issue is widespread and affects pretty much all forum platforms, not just ours, as well as other software. A properly configured server does not have an issue with properly handling sessions and IP addresses.
thecoalman
Community Team Member
Posts: 5850
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Session id in url is a major security flaw

Post by thecoalman »

DavidIQ wrote: Mon Aug 14, 2017 9:53 pm The CloudFlare issue is widespread and affects pretty much all forum platforms, not just ours

The Cloudflare issue can be solved with mod_cloudflare.

https://www.cloudflare.com/technical-re ... cloudflare

I have noticed some issues on the backend, specifically CSF. It only recognizes the Cloudflare IP so you can't block them using CSF and LFD will fail to auto firewall traffic coming from Cloudflare because you need to whitelist their IPs. If I understand correctly this is actually IP tables incompatibility.
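A simplified model of the IP-bound session check and the reverse-proxy problem discussed in this thread, as an added example that is not part of any post and is not phpBB's code. The class and function names, the SID and the documentation-range addresses are constructed; `CF-Connecting-IP` is the header Cloudflare uses to pass the visitor's address to the origin server.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values: documentation-range addresses, not real Cloudflare ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
CLIENT_IP_HEADER = "CF-Connecting-IP"  # set by Cloudflare with the visitor's address


@dataclass
class Request:
    remote_addr: str                              # TCP peer the web server sees
    headers: dict = field(default_factory=dict)


def client_ip(req, restore_from_proxy):
    """Return the address a session should be bound to."""
    peer = ipaddress.ip_address(req.remote_addr)
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    # Only believe the header when the peer really is one of our proxies.
    if restore_from_proxy and from_proxy and CLIENT_IP_HEADER in req.headers:
        try:
            return str(ipaddress.ip_address(req.headers[CLIENT_IP_HEADER]))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)


class SessionStore:
    def __init__(self, restore_from_proxy):
        self.restore = restore_from_proxy
        self.sessions = {}  # sid -> (user, bound_ip)

    def login(self, sid, user, req):
        self.sessions[sid] = (user, client_ip(req, self.restore))

    def user_for(self, sid, req):
        """Accept the SID only if it arrives from the address it was bound to."""
        entry = self.sessions.get(sid)
        if entry and entry[1] == client_ip(req, self.restore):
            return entry[0]
        return None


def via_proxy(visitor_ip):
    return Request("198.51.100.10", {CLIENT_IP_HEADER: visitor_ip})


def shared_sid_accepted(restore_from_proxy):
    """Owner logs in, then a different visitor presents the same SID."""
    store = SessionStore(restore_from_proxy)
    store.login("constructed-sid", "alice", via_proxy("203.0.113.5"))
    return store.user_for("constructed-sid", via_proxy("203.0.113.77")) == "alice"
```

With `restore_from_proxy=False` every visitor is bound to the proxy's address, so the IP check no longer distinguishes them; restoring the visitor address from a trusted proxy makes the check meaningful again.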