Several XSS security notes

Security drawbacks and proposals

Trustmaster	#1 2008-12-19 03:29
Administrators Thanked: 265 kez	I have noticed that by default Seditio uses Sessions + Cookies for security. I propose leaving Sessions mode the only available for the following reason. If authentication method is set to 1 (Cookies) or 3 (Cookies + Sessions), it puts base64-encoded authorization credentials into cookie, including the MD5 hash of the password. If someone steals a cookie with some XSS exploit, he will get not just user's current session (which will be most probably stopped with IPcheck) but also the hash of the password. Then he has a chance to brute force a collision for that hash, and use user's login and the collision of the password to log into the site. So, the solution I propose is using authmode=2 be default and removing the other methods. Another thing is important for people on shared hosts with PHP session data stored in some commonly available folder, usually /tmp. In this case your neighbors can steal session data from your users. The protection from this is overloading PHP's sessions to use local file storage or MySQL database (recommended). The drawback is that with MySQL-driven sessions it will produce 1-3 extra queries per request. The solution I would propose is not using cheap shared hosts with commonly available session data. But if this problem appears for many Cotonti users, we will have to provide optional MySQL-driven sessions for them. The third thing is related to AJAX and server-side part of it, in which we disable Anti-XSS protection (sed_check_xp()). In fact, it is not Cross Site Scripting (XSS) what sed_check_xp()/sed_check_xg() does, but Cross Site Request Forgery (CSRF/XSRF). None of our currently existing plugins are vulnerable because they don't insert any essential data into the database (although, they can be used for a non-persistent XSS attack). But still it's a potential flaw in future, so I suppose we need to bring those checks back even for AJAX mode and edit client-side scripts to support it. May the Source be with you!

Trustmaster

#1 2008-12-19 03:29

I have noticed that by default Seditio uses Sessions + Cookies for security. I propose leaving Sessions mode the only available for the following reason. If authentication method is set to 1 (Cookies) or 3 (Cookies + Sessions), it puts base64-encoded authorization credentials into cookie, including the MD5 hash of the password. If someone steals a cookie with some XSS exploit, he will get not just user's current session (which will be most probably stopped with IPcheck) but also the hash of the password. Then he has a chance to brute force a collision for that hash, and use user's login and the collision of the password to log into the site. So, the solution I propose is using authmode=2 be default and removing the other methods.

Another thing is important for people on shared hosts with PHP session data stored in some commonly available folder, usually /tmp. In this case your neighbors can steal session data from your users. The protection from this is overloading PHP's sessions to use local file storage or MySQL database (recommended). The drawback is that with MySQL-driven sessions it will produce 1-3 extra queries per request. The solution I would propose is not using cheap shared hosts with commonly available session data. But if this problem appears for many Cotonti users, we will have to provide optional MySQL-driven sessions for them.

The third thing is related to AJAX and server-side part of it, in which we disable Anti-XSS protection (sed_check_xp()). In fact, it is not Cross Site Scripting (XSS) what sed_check_xp()/sed_check_xg() does, but Cross Site Request Forgery (CSRF/XSRF). None of our currently existing plugins are vulnerable because they don't insert any essential data into the database (although, they can be used for a non-persistent XSS attack). But still it's a potential flaw in future, so I suppose we need to bring those checks back even for AJAX mode and edit client-side scripts to support it.

May the Source be with you!

Lombi	#2 2008-12-19 20:25
Team Thanked: 1 kez	actually sed_check_xp sucks when you have a site with a subdomain structure. So yeah, kill that pecker. <a href="http://www.domenlo.com">Surreal Art</a>

Kilandor	#3 2008-12-19 20:30
Administrators Thanked: 9 kez	I see no reason to remove any modes. You can simply double MD5 the password in session or cookie, or even salt+md5 it or something. IP Sec, stops any stealing, unless the person is smart enough to spoof ip's. And well thats a risk for any system really.

Trustmaster	#4 2008-12-19 21:57
Administrators Thanked: 265 kez	Double MD5 is crap, I can brute force it just the same way as single MD5. And MD5+SHA and with salt whatsoever. It all results into O(2N) complexity which is almost the same as O(N). What would really matter is O(N^2), but that will be damn slow and will freeze your site as well as the attacker. And we must not remove sed_check_xp() if you don't want plenty of spam on your sites. Just see the link above on what CSRF is. I was very surprised that Olivier actually implemented anti-CSRF with what he called anti-XSS. May the Source be with you!

Trustmaster

#4 2008-12-19 21:57

Administrators
Thanked: 265 kez

Double MD5 is crap, I can brute force it just the same way as single MD5. And MD5+SHA and with salt whatsoever. It all results into O(2N) complexity which is almost the same as O(N). What would really matter is O(N^2), but that will be damn slow and will freeze your site as well as the attacker.

And we must not remove sed_check_xp() if you don't want plenty of spam on your sites. Just see the link above on what CSRF is. I was very surprised that Olivier actually implemented anti-CSRF with what he called anti-XSS.

May the Source be with you!

Kilandor	#5 2008-12-20 13:07
Administrators Thanked: 9 kez	How about this for a proposal. There can be some sort of unique value that has nothing to do with password. Say md5($sys['now'].rand(0, 1000)); On login, its stored in a row on the user, thats used for unique identification, instead of throwing the password in the cookie. On logout the field is cleared. And say on a new login, the field is changed, with a new value. This would remove any sort of password in session or cookie, solving the problem. and the salt for the time, can be soemthign more complex. No one would ever be able to just randomly fill in cookies to steal, as witht he salt it would be impossible to get the same 2, as the time changes as well.

Kilandor

#5 2008-12-20 13:07

Administrators
Thanked: 9 kez

How about this for a proposal. There can be some sort of unique value that has nothing to do with password. Say md5($sys['now'].rand(0, 1000)); On login, its stored in a row on the user, thats used for unique identification, instead of throwing the password in the cookie. On logout the field is cleared. And say on a new login, the field is changed, with a new value.

This would remove any sort of password in session or cookie, solving the problem. and the salt for the time, can be soemthign more complex. No one would ever be able to just randomly fill in cookies to steal, as witht he salt it would be impossible to get the same 2, as the time changes as well.

Trustmaster	#6 2008-12-20 14:36
Administrators Thanked: 265 kez	Great idea, that is better than what I was going to do with mcrypt because it doesn't require mcrypt. The salt should be a random string of 8 characters to be harder to bruteforce. I thought about last login timestamp as salt too. In this case the attacker has to be very quick to intercept the session before a user sends another requst, e.g.: [list=1] at 08:07:23 a victim enters exploited page at 08:09:12 a victim clicks the exploit link but then idles for 2 minutes at 08:10:54 an attacker, having copied the cookie exactly, enters the site with victim's account (he-he, if ipcheck is off or he's behind the same NAT or he has spoofed the IP) But yes, this would be harder to break. And some sort of this thing could be used to improve current CSRF protection (which is not perfect either because a user has the same sed_xp/sed_xg value during the session which can be sniffed). May the Source be with you!

Trustmaster

#6 2008-12-20 14:36

Administrators
Thanked: 265 kez

Great idea, that is better than what I was going to do with mcrypt because it doesn't require mcrypt. The salt should be a random string of 8 characters to be harder to bruteforce.

I thought about last login timestamp as salt too. In this case the attacker has to be very quick to intercept the session before a user sends another requst, e.g.:
[list=1]

at 08:07:23 a victim enters exploited page

at 08:09:12 a victim clicks the exploit link but then idles for 2 minutes

at 08:10:54 an attacker, having copied the cookie exactly, enters the site with victim's account (he-he, if ipcheck is off or he's behind the same NAT or he has spoofed the IP)

But yes, this would be harder to break. And some sort of this thing could be used to improve current CSRF protection (which is not perfect either because a user has the same sed_xp/sed_xg value during the session which can be sniffed).

May the Source be with you!