I have installed my first PN and PNphpBB2. I normally created my own custom CMS before I realized there were programs out there like PostNuke and PHPNuke...
Anyways, I would like to say I really like PostNuke and it saved me a lot of time in developing my site, but nothing is perfect. Through playing around with a PNphpBB2 installation I stumbled across a VERY VERY easy way to gain access to any administrator account on PostNuke, or any account in general!
Apparently there are only TWO variables stored in the cookies, POSTNUKESID and the host URL. With very little effort anyone can change the PostNuke ID to any target account... For example, in a standard PostNuke install the admin has the PN ID of 2... so go to any one of hundreds of sites or create a simple PHP page to encrypt 2 in md5 encryption... edit the appropriate line in the cookie, and you have access to that person's account without knowing their password or ANY other information.
HOW TO FIX IT.
I am sure that on every page the user id is compared to an encrypted variable in the DB, and then they are allowed access to that page, or if they don't meet the requirements they are sent to some other page. To fix this, the cookies need more information to verify that the user is who they claim to be. Like a password? Username? Maybe some randomly generated number that is 100 characters long and is only used in one instance, and that is to verify the cookie????
This wouldn't be hard at all! Just add a row to the users table; when they register it generates some random number and adds a row with this random number, and then creates the cookie containing this random number and the user id. Then on each page have the cookie verified against the user id and their randomly generated number. Presto.. secure once again.
With just a user id in the cookie, it's just TOO easy to edit and gain access...
In case you're wondering, this refers to the MEDIUM SECURITY option. Basically it will allow users to have a cookie that can last a week without giving up any security....
I haven't looked at HIGH SECURITY yet, but if it only contains the POSTNUKESID variable, then it's not any more secure at all...
Hope this helps,
~Mantralapse
[false alarm] PN is easy to hack into - edit cookies for more security
-
**unknown user**
- Rank: Freshman
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 68
If what you write is true, every single PN site would be hacked beyond belief. AFAIK, the session ID is what it says, a session id. It's not the UID. The session ID is tied to the UID in the session table of the DB. So, if you don't know the UID that the session ID is associated with, what can a person do? -
- Rank: Team Member
- Registered: Jan 02, 2003
- Last visit: Oct 21, 2009
- Posts: 800
Do you have any proof for this assertion?
As mentioned before, the session id does not have anything to do with the user id.
You want to read http://php.net/manual/en/ref.session.php
Frank
--
"He is not dangerous, he just wants to play...." -
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Oct 26, 2006
- Posts: 3
Ok, I'll explain EXACTLY how I came to this conclusion...
Here's what happened.
I was helping a friend set up his PostNuke and PNphpBB2 site. At first we were using newly created usernames that both had full admin rights. In this story I will refer to his name as 'userA' and my own as 'userB'... In the DB userA has the user id of 2 while userB has the user id of 3 (this is important for later, bear with me). 'userB' has cookies enabled and saved the cookie... (PostNuke is set to Medium Sec)
After PN was completely set up and skinned we uninstalled PNphpBB2 and reinstalled it, and this time we upgraded from a phpbb2 install. It imported all the users, groups, permissions, topics, replies, etc. The upgrade kept 'userA' on the list and then deleted 'userB' as it was supposed to. 'userA' already had a username on the phpbb2 list, so he found his phpbb2 username and made it a full admin. It so happens that userA's phpbb2 name was user id 3.
UserB decides to login later (still has the old cookie) and finds that he is logged on under UserA's phpbb2 name with full admin rights without knowing UserA's password or information...
---------------
Assuming that I am telling the truth in the above, which I am, how could this have happened if it wasn't the cookie?
edited by: mantralapse, Oct 26, 2006 - 08:38 PM -
- Rank: Softmore
- Registered: Jul 02, 2002
- Last visit: Oct 21, 2009
- Posts: 240
I haven't looked into the code, but here is my guess:
- The cookies contains only session ID's - randomly generated numbers that are hard to guess.
- The user ID is stored in the session data on the server.
- By uninstalling and re-installing the system you get new user ID's on the server.
- The last time userB logs in his session refers to the session data in which the old userA ID was stored. So effectively he works as the unexpected user.
This does *not* mean the user ID is stored in the cookie - it only means the user ID is stored in the session that your cookie's session ID refers to. -
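The two mechanisms discussed in this thread, the first post's proposal of a per-user random number checked on every page and the explanation above that the cookie holds only a session id while the user id lives in server-side session data, can be checked against a small model. The following Python script is an added example written for this page; it is not PostNuke, PNphpBB2 or PHP session code, and the `Site` class, its users/sessions dictionaries and the `whoami_*` functions are hypothetical. It replays the reinstall story (userB keeps an old session, userA is re-created with uid 3) and shows that the forged md5("2") cookie from the first post resolves to nothing, while the stale session does resolve to userA unless a per-user token recorded at login is re-checked on each request.

```python
import hashlib
import secrets


class Site:
    """Toy model of a PHP-style login: the cookie carries only a random
    session id, and the user id lives in server-side session data.
    Illustration for this thread, not PostNuke/PNphpBB2 code."""

    def __init__(self):
        self.users = {}     # uid -> {"name": str, "token": str}  (hypothetical users table)
        self.sessions = {}  # sid -> {"uid": int, "token": str}   (hypothetical session table)

    def add_user(self, uid, name):
        # Per-user random secret, regenerated whenever the user row is (re)created.
        self.users[uid] = {"name": name, "token": secrets.token_hex(32)}

    def login(self, uid):
        # The only value that goes into the cookie: an unguessable session id.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"uid": uid, "token": self.users[uid]["token"]}
        return sid

    def whoami_naive(self, sid):
        """Trusts whatever uid the session row points at (the behaviour in the thread)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users.get(sess["uid"])
        return user["name"] if user else None

    def whoami_checked(self, sid):
        """Additionally requires the per-user token captured at login to still match."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users.get(sess["uid"])
        if user is None or not secrets.compare_digest(user["token"], sess["token"]):
            return None  # uid reassigned or user re-created: force a fresh login
        return user["name"]

    def reimport_users(self, new_users):
        """Simulates the phpBB2 import rebuilding the users table with new ids
        while existing sessions are left untouched."""
        self.users = {}
        for uid, name in new_users.items():
            self.add_user(uid, name)


def run_scenario():
    site = Site()
    site.add_user(2, "userA")
    site.add_user(3, "userB")
    sid_b = site.login(3)                       # userB saves a long-lived cookie

    # Claim from the first post: a cookie holding md5("2") logs you in as uid 2.
    forged = site.whoami_naive(hashlib.md5(b"2").hexdigest())   # None

    before = site.whoami_naive(sid_b)           # "userB"

    # The reinstall: userB's row is gone and userA now has uid 3.
    site.reimport_users({3: "userA"})

    after_naive = site.whoami_naive(sid_b)      # "userA": stale session follows the uid
    after_checked = site.whoami_checked(sid_b)  # None: token no longer matches
    return forged, before, after_naive, after_checked


if __name__ == "__main__":
    print(run_scenario())
```

Run it directly; it prints `(None, 'userB', 'userA', None)`. The token check is the server-side form of the first post's proposal: the secret stays in the session table rather than in the cookie, so the cookie still carries nothing but the session id. Regenerating the token whenever a user row is re-created, or simply deleting all sessions after a user import, is what closes the gap the reinstall opened.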
**unknown user**
- Rank: Registered User
- Registered: Mar 16, 2002
- Last visit: Oct 26, 2006
- Posts: 3
So, just some random 1 in a million occurrence that would probably never happen again?
Sorry! Still may want to check into this just to make sure... thought I stumbled across something and rushed to the forums to inform the devs... maybe I jumped the gun.
~Mantralapse
edited by: mantralapse, Oct 26, 2006 - 09:24 PM -
- Rank: Softmore
- Registered: Jul 02, 2002
- Last visit: Oct 21, 2009
- Posts: 240
Quote
So, just some random 1 in a million occurrence that would probably never happen again?
No - it happened because of your reinstall, where the user ID of userA got changed. It will happen again if you do the same. -
**unknown user**
- Rank: Freshman
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 68
Don't forget, PNPHPBB (can never get all the caps right on that) uses its own session management, so there is an additional layer of complexity. It also stores its own user list, which it imports from the PN database. I'm thinking that even though you removed/reinstalled PNPHPBB, your PN session was still active in PN's DB and that carried back over to the new PNPHPBB installation afterwards.
Dang, I think I just confused myself. I need a drink now. -
- Rank: Software Foundation
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 3814
mantralapse,
please check http://php.net/session for some basic background information about PHP session management prior to claiming any issue within the postnuke core. if you want to improve the session security beyond the usual PHP capabilities, consider e.g. suhosin for transparent session/cookie encryption.
if you change user/group/permission tables with third-party add-ons (like you did with importing phpbb2 users via pnphpbb) the postnuke core is definitely not responsible for any side effects. the phpbb2 standalone had known session fixation problems up to version 2.0.21.
sidenote: the correct way to report security issues is via contact form
--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::.. -
- Rank: Team Member
- Registered: May 03, 2004
- Last visit: May 31, 2010
- Posts: 511
There is no security issue in this report for PNphpBB2 as far as I can see. If you re-import user data with existing permissions, of course they will continue to work. If by accident you changed an admin user ID in the database in this process to another user (which is quite unclear how & why this happened in this particular case), this user might "become" admin.
No user ID is included in the PNphpBB2 cookie, it fairly uses the same security technology core PostNuke does.
Please let me add, the PNphpBB2 installer does NEVER change existing PostNuke user/group/permission tables at all!
And yes, PNphpBB2 comes with its own fine-grained internal permission system (from phpBB2), which again does not touch anything outside the module.
If you still feel there might be a security issue with the PNphpBB2 installer please contact me via PM.
Thanks,
Chris
edited by: slam, Oct 27, 2006 - 10:15 AM
--
an operating system must operate
development is life
my repo -
- Rank: Software Foundation
- Registered: Dec 31, 1969
- Last visit: Oct 21, 2009
- Posts: 3814
Quote
Please let me add, the PNphpBB2 installer does NEVER change existing PostNuke user/group/permission tables at all!
well - if you import a standalone phpbb installation the users are populated into postnuke's core user table - and this *might* lead to problems if any users already existed within postnuke prior to this import. this is definitely not a security issue but might be the reason for mantralapse's problem.
--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::.. -
- Rank: Team Member
- Registered: May 03, 2004
- Last visit: May 31, 2010
- Posts: 511
I see what happened now, thanks larsneo.
Please refer to the installation/upgrade documentation of PNphpBB2 and follow the steps described there when importing users from phpBB2 into PostNuke.
Greetings,
Chris
--
an operating system must operate
development is life
my repo