• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

security issue

 
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello,

we found a security leak in JForum. It seems possible to override the security by spoofing a session id and post messages to all users registered to a forum.

According to the logs an attacker launched a GET request (link to private message) followed immediately by a POST of the PM.
We try to avoid this issue by adding an additional cookie.

Is this a known bug? Are there any options how to fix this appropriately?

Unfortunately the bug tracker is offline (as state by https://coderanch.com/t/578554 ), so we cannot further investigate this problem.

Thank you in advance for your help.

Kind regards,
user0
[originally posted on jforum.net by user0]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can you supply more details? I can't seem to reproduce this.

E.g. what version are you using?

Are the PMs coming from the anonymous user or from a logged in user?

When you say post messages, are you talking about PM's only?

A quick walk thru the 2.1.8 code doesn't show a problem with the read code. It doesn't create any login info, just checks if you are logged in (redirects to login page if not), checks if the logged in user is the from or to user and denies access if you aren't.

The pm sending code checks if you are a logged in user (e.g. not anonymous) and forces you to log in before sending it. The from user will be the currently logged in user.

Not sure where the bug is, if any.
[originally posted on jforum.net by monroe]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello Monroe,

thank you for your answer.

what version are you using?


it is version 2.1.8

Are the PMs coming from the anonymous user or from a logged in user?


The logs show a request using a valid forum user

When you say post messages, are you talking about PM's only?


Yes, the spam affected private messages only.

this is a part of what we found in our logs:

194.8.75.xxx - - [21/Mar/2009:00:26:17 +0100] "GET /projJForum/jforum.page?modu
le=pm&action=sendToUser&subject=Contact%25252520PROJECT.COM&username=X_USERNAME HTTP/1.0
" 200 15732
194.8.75.xxx - - [21/Mar/2009:00:26:17 +0100] "POST /projJForum/jforum.page;jse
ssionid=A72CA67E056FEB95398A121F0241FE67 HTTP/1.0" 200 3648

194.8.75.xxx is the attackers ip, however we assume this might be a poor soul not knowing that he provides some of his bandwidth to contribute to a botnet/spamnet.

thank you in advance for helping us solvings this problem.

kind regards,
user0


[originally posted on jforum.net by user0]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Sorry for the delay... been on vacation with limited i-net access for the last week.

I still can't reproduce this. One thing that I notice from the above logs is that the GET request is using a "sendToUser" action. The standard action for sending PM is "sendTo" and not this.

Since "sendToUser" is not a jForum valid action the default code will re-direct to the PM "list" action, which since the requester is not logged on redirects to the login page. The POST action following this looks like (but I can't be sure) a login response. None of this can send unauthorized messages.

Are you using a modified version of the PrivateMessageAction class with a sendToUser() method added? If so, the security problem is in this code.

You might also check that the modulesMapping.xml files still maps the pm module to the jForum default class. Perhaps someone has replaced with with their own version that allows this.

Are you using SSO or normal jForum security? The second post command could be login information that is getting past your SSO code.

You might find information about this in the JForum_Sessions table. This maps user sessions to the last IP address they logged in from.

Finally, could this be a case of someone being able to access your WebApp server's Session Id information. This is the "magic" number that is returned by the app server to tie requests to a specific session (generally as a session cookie). All webapps have a limited vulnerability via this if someone can find this information.

However, this generally depends on having network snooping hardware between the user and server (or physical access to the DB or server logs). Plus this information is only usable during the lifetime of the user session. (depends on server time out settings).

The "cure" for this is to use SSL connections which can't be easily snooped. But since most networks use switches which mean snooping doesn't work well unless you have access to the switchs and and there for only dangerous if the snooper is inside your or your ISPs physical security, it becomes an issue of "how much security do you really need (and are willing to pay for)".




[originally posted on jforum.net by monroe]
 
reply
    Bookmark Topic Watch Topic
  • New Topic