Huge Security Problem

1st Official Post
    Affected App
    WoltLab Suite Core

    I received some mails from our memebrs, refering that randomly they was able to connect in our forums on an other member account simply clicking a link in our forums or in a link from an auto e-mail (Notification mail).

    Those links except the normal path, also including session ID from members accounts, and by clicking at those links, you are able to auto-connect on an other user account.

    An example is the next picture below, from a notification mail send us a member.

    The Language string from this mail notification (wbb.post.notification.mail) is....

    Code
    Ο/Η "{@$author->username}" απάντησε στο θέμα "{@$userNotificationObject->getThread()->topic}" του φόρουμ "{@$userNotificationObject->getThread()->getBoard()->title|language}":
{link controller='Thread' object=$userNotificationObject->getThread() application='wbb' encode=false forceFrontend=true}postID={@$userNotificationObject->postID}{/link}#post{@$userNotificationObject->postID}

    This is a critical security bug and I realy don't know how to stop it.

    Imagine what will be if an Administrator session ID is leaking by this way.

    Thanks in advance for your Help..

    Dimitris.

    Rule One: Always sanitize links before posting them. To my mind anyone how hands out unsanitized links (with his session id) deservses this to happen.

    And also you can enable session IP check in ACP this will counter those "leaked sessions" but will reduce user comfort. Then every session will be check with the ip, this will in almost every case prevent such sessions hand overs.

    • Official Post

    You probably have outdated language variables. Check all your .mail Variables and diff the links with the english orginals. E.g. your mail language variable should look like that:

    Code
    Ο/Η "{@$author->username}" απάντησε στο θέμα "{@$userNotificationObject->getThread()->topic}" του φόρουμ "{@$userNotificationObject->getThread()->getBoard()->title|language}":
{link controller='Thread' object=$userNotificationObject->getThread() application='wbb' isEmail=true}postID={@$userNotificationObject->postID}{/link}#post{@$userNotificationObject->postID}
    • Official Post

    Dagalidis Your translation is outdated, the original phrases contains the parameter isEmail=true which will always strip the session id parameter.

    For reference the phrase in Burning Board 4.1:

    Code
    if $author->userID}{@$author->username}{else}a guest{/if} replied to the thread "{@$userNotificationObject->getThread()->topic}" in forum "{@$userNotificationObject->getThread()->getBoard()->title|language}":
{if $notificationType == 'instant' && WBB_POST_NOTIFICATION_MAIL_INCLUDE_MESSAGE}
---------------------------------
{@$userNotificationObject->getMailText()} 
---------------------------------
{/if}{link controller='Thread' object=$userNotificationObject->getThread() application='wbb' isEmail=true}postID={@$userNotificationObject->postID}{/link}#post{@$userNotificationObject->postID}]]></item>

    Please replace encode=false forceFrontend=true with isEmail=true.

    Quote from Barungar

    And also you can enable session IP check in ACP this will counter those "leaked sessions" but will reduce user comfort. Then every session will be check with the ip, this will in almost every case prevent such sessions hand overs.

    This can not be effactive in my case, because we are using Cloudfare CDN and most of the incoming IPs have the same value (Clouflare Proxy). :(

    Quote from Alexander Ebert

    Please replace encode=false forceFrontend=true with isEmail=true.

    Replaced all instanses of encode=false forceFrontend=true to isEmail=true founded in language variables an i Hope that all will be ok now.:)

    Thanks....:thumbup:

    Thanks my friend.

    I have it installed since 3 months ago, but still when I see the Ips in new registration list in ACP, most of them are Cloudflare IPs...

    I have dedi server, so I have direct access to any file on it, but I don't know how is possible to get real IPs from Cloudflare.

    As far I see, many of my translation Variables are outdated and if there is a way to Force Replace them all in once with latest variables, let me know, because I have problems with Paypal IPN Service also, which seems to be related with outdated language variables also.

    Dimitris.

    Quote from Dagalidis

    I have it installed since 3 months ago, but still when I see the Ips in new registration list in ACP, most of them are Cloudflare IPs...

    If you send me the IP's, i'll check that. Maybe, they've got some new IP ranges which are not covered by the plugin, yet.

    Quote from Dagalidis

    I have dedi server, so I have direct access to any file on it, but I don't know how is possible to get real IPs from Cloudflare.

    Apache2: https://support.cloudflare.com/hc/en-us/artic…ith-Apache-2-4-

    nginx: https://support.cloudflare.com/hc/en-us/artic…-IP-with-Nginx-

    Litespeed: https://support.cloudflare.com/hc/en-us/artic…teSpeed-server-

    Quote from Dagalidis

    f there is a way to Force Replace them all in once with latest variables, let me know

    Not really. But there are ways to make it easier (e.g. the option to just show custom variables in ACP).

    • Official Post
    Quote from SoftCreatR

    If you send me the IP's, i'll check that. Maybe, they've got some new IP ranges which are not covered by the plugin, yet.

    The ranges have been extended somewhere in 2016, could have taken place around fall. Didn't found any announcements in that regard, but instead noticed a significant increase in dropped packages due to unknown origin ips, around that time.

    Lately we have randomly strange behaviors in our community.

    Randomly when a session in a https connection expires, then some users connected again with new session but with a diferent session ID from an other account.

    This really drives me crazy, because proove that our community is in very high danger due to this security issue.

    And the most bad thing is I really don't know what is causing all those problems.

    How is possible a new session can take an active session ID from an other account ?

    Quote from Alexander Ebert

    The ranges have been extended somewhere in 2016, could have taken place around fall. Didn't found any announcements in that regard, but instead noticed a significant increase in dropped packages due to unknown origin ips, around that time.

    It's a good thing to watch out this site or the text files linked there for variuos reasons.

    Quote from Dagalidis

    How is possible a new session can take an active session ID from an other account ?

    If the system can't safe cookies in the browser of the user to let him suthenticates easily, it creates a session ID string which you will see in your browsers adress bar. It's something like example.com/?s=$IDstring.

    If you gave someone your full URL including the session ID and disabled security features in the ACP (check IP per session), the person with the URL could get into your session.

    Quote from jacboy

    If the system can't safe cookies in the browser of the user to let him suthenticates easily, it creates a session ID string which you will see in your browsers adress bar. It's something like example.com/?s=$IDstring.

    No I never saw any session ID at browser address bar, except ACP panel which is normal.

    Quote from jacboy

    check IP per session

    This is very painfull, because we have many members and visitors which use tapatalk throug Mobile data, and the same time are connect from their PCs.

    If we enable this option in ACP they will get disconnection messages all the time.

    Is a painfull option.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!

Register Yourself Login