sla.ckers.org is
ha.ckers sla.cking
Bug reports, feature enhancements or other complaints with the site, with us or just tell us what a miserable existence you have. No death threats or poetry please. Just kidding, no poetry please.
Auto Logout
Posted by: digi7al64
Date: November 22, 2006 11:13PM

Something to consider

<img>h t t p://sla.ckers.org/forum/login.php?0,logout=1</img>

replace < with [ and > with ]

remove spaces

basically just the logout url as the image

'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Edited 1 time(s). Last edit at 11/22/2006 11:13PM by digi7al64.

Re: Auto Logout
Date: November 23, 2006 07:10AM

Most websites are vulnerable to this, because they use a GET request to initiate logout. I don't know why logout links came in fashion: the operation is definitely idempotent, and thus should be POST-ed.

Re: Auto Logout
Posted by: maluc
Date: November 23, 2006 10:59AM

=.= POST is NOT safer than GET..

yes, you wouldn't be able to put a POST in a forum post here .. but you could on any of the XSS links.. that's really not a solution. i don't know why the idea of POST being a security feature came in fashion..


Re: Auto Logout
Posted by: nrg
Date: November 23, 2006 11:37AM

i think this: http://sla.ckers.org/forum/read.php?10,1961 is worse than logout : P


Re: Auto Logout
Posted by: rsnake
Date: November 24, 2006 12:35AM

Both are issues. One of these days I'll get around to fixing them. Until then all your passwords will be "ilovechese" a la nrg. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: Auto Logout
Posted by: jungsonn
Date: November 24, 2006 06:49AM

Haha... always a good laugh upon here.

Yes the POST issue, i can also post from my desktop :)
so maluc is right it's silly to assume that it is safer than GET.
some scripts check on this, but this is easy to omit by just passing the whole QUERY_STRING along, or just variables as: &submit=submit (seems popular to check on which is pretty silly).

Re: Auto Logout
Date: November 25, 2006 01:56PM

A POST request is somewhat harder to trigger than GET request (not automatically, anyway). Thus, more secure. Not totally secure, but more secure.

If tricking users into POST'ing data is still a problem, just add a nonce to the logout form. Would absolutely murder caching, but would effectively require an XSS exploit to finish off. For something that's just an annoyance, I think changing it to POST would suffice.

Re: Auto Logout
Posted by: maluc
Date: November 25, 2006 03:06PM

well if you add a user specific parameter such as their session id from the cookie.. that should work as well as a nonce.. but keeping the page static (assuming everything else is static/cached)

such as: [url=http:// its blue]http://sla.ckers.org/logout.php?f805d48e09fa4aed353451e2c060fb72[/url] .. which is still a GET yet just as secure..

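Using sla.ckers session ID cookie called phorum_session_v5, it could be appended client-side with:
[code]
function logout() {
  // Locate the phorum_session_v5 cookie value (18 = length of 'phorum_session_v5=')
  var start = document.cookie.indexOf('phorum_session_v5=') + 18;
  var end = document.cookie.indexOf(';', start);
  if (end === -1) end = document.cookie.length; // cookie is the last one in the string
  // Append the session ID so the logout URL is specific to this user
  document.location = 'http://sla.ckers.org/logout.php?' + document.cookie.slice(start, end);
}
[/code]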
i didn't test it, so ignore any syntax errors


Re: Auto Logout
Posted by: tj
Date: February 23, 2007 04:23AM

POST isn't safer than GET...

You can use JavaScript for the form...

you can submit the forms document.form1.submit();

Re: Auto Logout
Posted by: Milan
Date: October 18, 2007 02:27AM

Actually, the POST method is exploitable just like GET. All you have to do is put some URL in an image, and the script which is behind that URL can do a POST request... Using this method to exploit this kind of bug even gives you more control.

Re: Auto Logout
Posted by: TheInsider
Date: December 24, 2008 08:30PM

The solution for this will be using POST AND a UNIQUE, GENERATED ONE-TIME TOKEN, which is the way to mitigate this and other CSRF!!!

It's quite ironic that the forum which deals with these common security issues doesn't implement the solutions its discussions contain.

Aspect9 Founder & Chief Security Architect
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!

Re: Auto Logout
Date: December 25, 2008 11:52PM

Personally I don't care if sla.ckers has CSRF issues. It's not like rsnake or id are storing my banking information for me on the site. Not to mention who gives a damn if I mysteriously get logged out. If you are that paranoid about CSRF on this site...then view it in Lynx. My 2 cents =o)

Re: Auto Logout
Posted by: id
Date: December 28, 2008 01:41PM

We don't do this for a profit, I don't care about your security, I hope you use the same password here as you do for your bank.


Re: Auto Logout
Posted by: maluc
Date: January 13, 2009 08:03PM

Finally got around to fixing. The salted hash is different per person but static across your sessions.
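
The fix described in this last post (a per-user salted hash on the logout link, in line with the earlier suggestion of a user-specific URL parameter), sketched server-side as an added example; it is not the forum's or Phorum's own code. `SERVER_SECRET`, `logoutToken`, `tokenMatches`, `handleLogout` and the choice of HMAC-SHA256 as the salted hash are assumptions.

```javascript
// Added example for Node.js; all names and values below are constructed.
const crypto = require('crypto');

// Assumption: a random secret that never leaves the server.
const SERVER_SECRET = 'constructed-demo-secret';

// Per-user token: keyed hash of the user id. It differs per person but is
// the same across that person's sessions, so the logout link stays static.
function logoutToken(userId) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(String(userId))
    .digest('hex');
}

// Constant-time comparison; a missing or wrong-length token is rejected
// before timingSafeEqual, which requires equal-length buffers.
function tokenMatches(expected, supplied) {
  const a = Buffer.from(expected);
  const b = Buffer.from(String(supplied || ''));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide the outcome of GET /logout.php?<token>.
// session: { userId } resolved from the session cookie, or null.
// url: request path plus query string.
function handleLogout(session, url) {
  if (!session) return { status: 403, loggedOut: false };
  const q = url.indexOf('?');
  const supplied = q === -1 ? '' : url.slice(q + 1);
  if (!tokenMatches(logoutToken(session.userId), supplied)) {
    // An embedded image or third-party link cannot know the token,
    // so the request is refused and the session is left intact.
    return { status: 403, loggedOut: false };
  }
  return { status: 302, loggedOut: true };
}

// Constructed requests: the original token-less URL from the first post,
// then the user's own link as the forum would render it.
const demoSession = { userId: 'alice' };
console.log(handleLogout(demoSession, '/forum/login.php?0,logout=1'));
console.log(handleLogout(demoSession, '/logout.php?' + logoutToken('alice')));
```

Because the token is static and travels in the URL, it can leak through Referer headers or server logs. Rotating `SERVER_SECRET` invalidates every previously issued link.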

