possible bug
Posted by: Albino
Date: September 09, 2009 07:35AM

It appears to be possible to log in as another user without going through the username/password crap by getting the url 'phorum_session_v5=blablabla' bit correct. I noticed this because I bookmarked a page and it auto-logged me in when I returned to it the next day even though I have a different IP and cookies disabled. Actually I guess it might be a side effect of having cookies disabled. I would have thought the session should have expired or something. Probably not actually a bug or fixworthy but I thought I'd mention it.



Edited 1 time(s). Last edit at 09/09/2009 07:36AM by Albino.

Re: possible bug
Posted by: rsnake
Date: September 09, 2009 05:21PM

So that would make it 3.4 x 10^38 chances for someone to brute force your credential. I can see why it's maybe annoying to stay logged in, but would you rather we arbitrarily log you out after x hours? That's what the logout button is for. If it really worries you, I'd just click logout when I'm done for the day. That's what I do. No need to keep user sessions active any longer than I have to, even if it's only on the server. The only way I could see fixing it is to randomly arbitrarily remove the credential after some random amount of time. That seems worse from a usability perspective - a lot of work for almost no security gain.

- RSnake
Gotta love it. http://ha.ckers.org

Re: possible bug
Posted by: Albino
Date: September 10, 2009 09:32AM

I was thinking more along the lines that someone could post a link on here to their website and then see people's session_id in the referer. But I see your point, I'll just logout in future.

Re: possible bug
Posted by: thornmaker
Date: September 10, 2009 08:09PM

privacy, security, convenience. choose 1.

Re: possible bug
Posted by: Track404
Date: January 05, 2010 07:19PM

Obscurity

Na, I cannot tell a lie. My browser gives me all away :)

Re: possible bug
Posted by: Spyware
Date: February 01, 2010 11:35AM

Albino Wrote:
-------------------------------------------------------
> I was thinking more along the lines that someone
> could post a link on here to their website and
> then see people's session_id in the referer. But I
> see your point, I'll just logout in future.

It's perfectly possible to circumvent this particular vector; sla.ckers could let all links go through a "link anonymizer" (like some *chan boards do).

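The leak Albino describes and the "link anonymizer" Spyware suggests, as an added example that is not part of the thread and not Phorum's own code. The only value taken from the thread is the parameter name `phorum_session_v5`; the access-log lines are constructed, and the `/out.php` redirector path and the `site_host` default are assumptions for illustration. The first half shows what a third-party site operator could read out of their Referer logs when a forum puts the session in the URL; the second half rewrites off-site links so the destination only ever sees the redirector URL.

```python
import re
from urllib.parse import urlsplit, quote

# The URL-carried session parameter named in the thread.
SESSION_PARAM = "phorum_session_v5"
SESSION_RE = re.compile(SESSION_PARAM + r"=([A-Za-z0-9]+)")

# Constructed sample lines from a third-party site's access log (combined-log
# style: request, status, bytes, Referer, User-Agent).  Token values are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2009:09:40:01 +0000] "GET /page HTTP/1.1" 200 512 "http://sla.ckers.org/forum/read.php?3,123,phorum_session_v5=0123456789abcdef0123456789abcdef" "Mozilla/5.0"
203.0.113.6 - - [10/Sep/2009:09:41:17 +0000] "GET /page HTTP/1.1" 200 512 "http://sla.ckers.org/forum/read.php?3,123" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2009:09:42:03 +0000] "GET /page HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def find_leaked_session(referer):
    """Return the forum session token embedded in a Referer URL, or None."""
    m = SESSION_RE.search(referer)
    return m.group(1) if m else None


def scan_log(log_text):
    """Return (client_ip, token) for every request whose Referer carried a forum session.

    This is the defender's view: run it over your own logs to see whether an
    upstream site is handing you its users' credentials in the Referer header."""
    leaks = []
    for line in log_text.splitlines():
        quoted = re.findall(r'"([^"]*)"', line)   # request, referer, user-agent
        if len(quoted) < 2:
            continue
        token = find_leaked_session(quoted[1])
        if token:
            leaks.append((line.split()[0], token))
    return leaks


def strip_session(url):
    """Remove the session parameter from a URL, keeping the rest of the query.

    Handles both '?a=1&phorum_session_v5=x&b=2' and Phorum's comma-separated
    style '?3,123,phorum_session_v5=x'."""
    cleaned = re.sub(SESSION_PARAM + r"=[^&,#\s]*", "", url)
    cleaned = cleaned.replace("?&", "?").replace("?,", "?")
    cleaned = re.sub(r"[?&,]+(?=[&,#]|$)", "", cleaned)  # dangling separators
    return cleaned


HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def anonymize_links(html, site_host="sla.ckers.org", out_path="/out.php?u="):
    """Route every off-site href through a local redirector (hypothetical /out.php).

    The browser sends the redirector URL, not the post URL, as the Referer for
    the final hop, so the session token never reaches the external site.
    A regex is enough for this demo; production code should rewrite links
    from a real HTML parse so attribute quoting and casing cannot fool it."""
    def rewrite(match):
        target = match.group(1)
        if urlsplit(target).hostname == site_host:
            return match.group(0)                      # internal link, leave alone
        return 'href="%s%s"' % (out_path, quote(target, safe=""))
    return HREF_RE.sub(rewrite, html)


if __name__ == "__main__":
    for ip, token in scan_log(SAMPLE_LOG):
        print("client %s arrived with forum session %s in its Referer" % (ip, token))
    post = '<a href="http://third-party.example/">ext</a> <a href="http://sla.ckers.org/forum/">int</a>'
    print(anonymize_links(post))
```

Two things the redirector itself must get right for this to help: the `/out.php` URL must not have the session parameter appended to it the way Phorum appends it to its other internal links when cookies are off (otherwise the redirector URL leaks the token just the same), and the redirect target should be taken only from the `u` parameter, never reflected from anything else in the request.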
Re: possible bug
Posted by: digi7al64
Date: March 03, 2010 07:46PM

This was discovered when the forums first came online.

http://sla.ckers.org/forum/read.php?10,1031

You should be alright as long as no one is running tracking images in their sigs (which I think is disallowed)

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'
