cotonti.com : Several XSS security notes https://www.cotonti.com Latest posts in the topic Cotonti en Fri, 10 Oct 2025 03:47:25 -0000
Trustmaster
I thought about last login timestamp as salt too. In this case the attacker has to be very quick to intercept the session before a user sends another request, e.g.:
  • at 08:07:23 a victim enters the exploited page
  • at 08:09:12 a victim clicks the exploit link but then idles for 2 minutes
  • at 08:10:54 an attacker, having copied the cookie exactly, enters the site with the victim's account (he-he, if ipcheck is off or he's behind the same NAT or he has spoofed the IP)
But yes, this would be harder to break. And something of this sort could be used to improve the current CSRF protection (which is not perfect either, because a user has the same sed_xp/sed_xg value during the session, which can be sniffed).
    Sat, 20 Dec 2008 14:36:58 -0000
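Added example, not Cotonti's code: a small Python model of the last-request-timestamp salt discussed in the post above, replaying its own timeline. The secret, the in-memory session table and the timestamps (seconds since midnight) are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real site loads its own.
SERVER_SECRET = b"constructed-example-secret"


def make_token(session_id: str, last_seen: int) -> str:
    """Cookie token bound to the session id and the time of the last request,
    so a copied cookie stops matching once the user sends another request."""
    msg = f"{session_id}:{last_seen}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session table: session id -> time of the last accepted request."""

    def __init__(self):
        self.sessions = {}

    def login(self, now: int):
        sid = secrets.token_hex(16)
        self.sessions[sid] = now
        return sid, make_token(sid, now)

    def request(self, sid: str, token: str, now: int):
        """Accept the request only if the token matches the stored last_seen;
        then rotate last_seen and return the fresh token (None if rejected)."""
        last_seen = self.sessions.get(sid)
        if last_seen is None or not hmac.compare_digest(token, make_token(sid, last_seen)):
            return None
        self.sessions[sid] = now
        return make_token(sid, now)


def replay_timeline(victim_idles: bool) -> dict:
    """Replay the post's timeline. victim_idles=True is the window the post
    describes; False shows the copied cookie failing once the victim has
    sent one more request of their own."""
    store = SessionStore()
    sid, token = store.login(now=29243)             # 08:07:23 victim opens the page
    token = store.request(sid, token, now=29352)    # 08:09:12 victim clicks the link
    stolen = (sid, token)                           # cookie copied at this moment
    if not victim_idles:
        token = store.request(sid, token, now=29400)     # victim keeps browsing
    attacker_token = store.request(*stolen, now=29454)   # 08:10:54 replay attempt
    victim_token = store.request(sid, token, now=29500)  # victim's next request
    return {"attacker_accepted": attacker_token is not None,
            "victim_still_accepted": victim_token is not None}
```

In the idle case the copied cookie is accepted, but the rotation then invalidates the victim's own cookie, so the legitimate user is bounced on their next request; that forced logout is a signal worth logging.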
    Kilandor
    This would remove any sort of password in session or cookie, solving the problem. And the salt for the time can be something more complex. No one would ever be able to just randomly fill in cookies to steal, as with the salt it would be impossible to get the same two, as the time changes as well.
    Sat, 20 Dec 2008 13:07:58 -0000
    Trustmaster
    And we must not remove sed_check_xp() if you don't want plenty of spam on your sites. Just see the link above on what CSRF is. I was very surprised that Olivier actually implemented anti-CSRF with what he called anti-XSS.
    Fri, 19 Dec 2008 21:57:45 -0000
    Kilandor
    IP Sec stops any stealing, unless the person is smart enough to spoof IPs. And well, that's a risk for any system really.
    Fri, 19 Dec 2008 20:30:00 -0000
    Lombi
    sucks when you have a site with a subdomain structure. So yeah, kill that pecker.
    Fri, 19 Dec 2008 20:25:01 -0000
    Trustmaster
    Another thing is important for people on shared hosts with PHP session data stored in some commonly available folder, usually /tmp. In this case your neighbors can steal session data from your users. The protection from this is overloading PHP's sessions to use local file storage or MySQL database (recommended). The drawback is that with MySQL-driven sessions it will produce 1-3 extra queries per request. The solution I would propose is not using cheap shared hosts with commonly available session data. But if this problem appears for many Cotonti users, we will have to provide optional MySQL-driven sessions for them.

    The third thing is related to AJAX and the server-side part of it, in which we disable Anti-XSS protection (sed_check_xp()). In fact, what sed_check_xp()/sed_check_xg() does is not Cross Site Scripting (XSS) but Cross Site Request Forgery (CSRF/XSRF). None of our currently existing plugins are vulnerable because they don't insert any essential data into the database (although they can be used for a non-persistent XSS attack). But still it's a potential flaw in the future, so I suppose we need to bring those checks back even for AJAX mode and edit client-side scripts to support it.
    Fri, 19 Dec 2008 03:29:27 -0000