Achievo/ATK - Bugzilla – Bug 373
session hijacking possible in rc2
Last modified: 2005-05-13 02:01:00
Hi all,

It is possible to hijack sessions once the Administrator has been logged in (not tested with other users). Tested with Konqueror and Opera. Once logged in, achievo adds the session id into the URL even with session.use_trans_sid set to 0 within the php.ini. I just copied the following URL from Konq into Opera and was logged in instantly.

http://192.168.1.30/index.php?atklevel=-1&atkprevlevel=0&achievo=59baf0f7adc4a1de26c6735fa7dd88e8&atkescape=&atkaction=achievostart

PHP settings:

grep session /etc/php4/apache/php.ini|grep -v ";"
session.save_handler = files
session.save_path = /tmp
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 0
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
Created an attachment (id=94): Patch

Hi, please test this patch for the session problem, and let me know if it also works for you. You can apply it like this:

cd <achievo dir>/atk/session/
patch -p0 < session.patch
OK, this seems to fix it. Thanks, Hans
OK, patch is committed in CVS.
close ticket
Sandy, can you port the fix to ATK 5.0.7 too?
Reopen please, it's still not solved. I didn't test it thoroughly. I will add a diff later this week that will solve it. I am still able to open old bookmarked URLs.
Hans, what PHP version do you use? And does your browser use cookies?
Hi Peter,

OK, it looks like there is some sort of caching going on. We once had that with the development of phpreview. Didn't have time to check out what might be the cause, but it might be a header problem (I know Opera on Linux had this a few years ago, and Opera on Windows still had these issues a few months ago). FYI, I do not have any other cookies than the phpsession. The browser where it occurred was Konqueror (KDE 3.2.3).

Regards, Hans
Sandy, I'm not sure if Wouter told you, but he had to disable the fix temporarily, because it gave strange problems with logout and a session error.
It seems the session regenerate function doesn't work with frames, since it will regenerate a session id for every frame. The only other way I know to prevent session hijacking is adding an md5 of the user agent with a key to the session, and checking if it's still the same on every reload; when it's not the same, it should go to the login page.
Session hijacking is now configurable. It is default off, as it gives problems on several PHP versions.
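The following is an added example written for this page; it is not Achievo/ATK code and not the patch attached to this bug. It puts the three points made in the thread into one place: the reporter's observation that a copied URL carrying the session id (the achievo= parameter) logs another browser in even with session.use_trans_sid=0, the frames problem with regenerating the id on every request, and the keyed user-agent hash with a configurable check that the last two comments describe. The $cfg_ variables, the function names and the login.php URL are assumptions for illustration; the PHP session functions and ini settings are real.

```php
<?php
// Added example, not Achievo/ATK code. The $cfg_ variables, the function
// names and login.php are assumptions for illustration.

// Mirrors the "configurable, default off" switch from the last comment.
$cfg_hijack_check = true;
// Server-side secret mixed into the fingerprint, so a client who knows its
// own User-Agent cannot compute the stored value. Must be long and random.
$cfg_session_key = 'replace-with-a-long-random-secret';

// session.use_trans_sid=0 only stops PHP from appending the id to links and
// forms. It does not stop PHP from accepting ?<session name>=<id> from the
// query string, which is why a copied URL logged the reporter in.
// session.use_only_cookies (PHP >= 4.3) makes PHP read the id from the
// cookie only. Both must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// True when the request still carries the session id in the URL: the
// condition the reporter observed. A useful check on PHP builds that lack
// use_only_cookies, and for catching application code that builds such URLs.
function session_id_in_url()
{
    return isset($_GET[session_name()]);
}

// Keyed hash of the User-Agent, as suggested in the thread. md5 is used for
// PHP 4 compatibility; hash_hmac('sha256', ...) is preferable on PHP >= 5.1.2.
function session_fingerprint($key)
{
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return md5($key . '|' . $ua);
}

// Call once, right after the user has authenticated. Regenerating the id at
// this single point means an id obtained before login (bookmarked, copied
// from a URL) never becomes a logged-in id. Regenerating on every request is
// what breaks framesets: each frame is a separate request, so the first
// frame's load invalidates the id its sibling frames were requested with.
// On PHP < 5.1 the old session file is not removed, so set 'user' only
// after regenerating; the old id then has no logged-in data behind it.
function session_login($user, $key)
{
    session_regenerate_id();
    $_SESSION['user'] = $user;
    $_SESSION['fingerprint'] = session_fingerprint($key);
}

// Call on every protected request. Rejects sessions with no user and, when
// the check is enabled, sessions whose fingerprint no longer matches.
function session_is_valid($key, $check_enabled)
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    if (!$check_enabled) {
        return true;
    }
    if (!isset($_SESSION['fingerprint'])) {
        return false;
    }
    return $_SESSION['fingerprint'] === session_fingerprint($key);
}

// Clears server-side data and expires the cookie, so an old id is dead even
// if the browser still has it.
function session_logout()
{
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 3600, '/');
    }
    session_destroy();
}

// Per-request use at the top of a protected page (not the login page itself,
// or an unauthenticated visitor would be redirected in a loop):
session_start();
if (session_id_in_url() || !session_is_valid($cfg_session_key, $cfg_hijack_check)) {
    session_logout();
    header('Location: login.php');  // hypothetical login URL
    exit;
}
```

Two caveats a practitioner should keep in mind. The user-agent check stops exactly the case reported here, an id copied from Konqueror into Opera, because the two browsers send different User-Agent strings; it does not stop an attacker who replays the id from a browser with the same string, so it is a secondary control behind keeping the id out of URLs and regenerating it at login. And because the fingerprint is keyed, rotating $cfg_session_key invalidates every live session at once, which is useful after a suspected leak but should be expected.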