RE: [Full-Disclosure] Proxy - Cookie - PhP - .htaccess Questions

From: JT (ptourvi1_at_twcny.rr.com)
Date: 05/29/03

  • Next message: morning_wood: "[Full-Disclosure] Proxy - Cookie - PhP - .htaccess Questions"
    To: "'morning_wood'" <se_cur_ity@hotmail.com>, <vulnwatch@vulnwatch.org>, <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
    Date: Thu, 29 May 2003 16:12:58 -0400
    

    Last I knew this was a problem some time ago, Vbulletin had issues and is
    the product I'm most experienced with of the bb boards. It's been awhile
    since I dealt with it though, but I do believe Vbulletin made some code
    changes or instructed a certain config to workaround this. I say workaround
    because I do not think there was a fix and the workaround caused other
    issues. I think if you search their site you will find many posts regarding
    this. I have had two people who use the same proxy actually get switched
    logins before.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of morning_wood
    Sent: Thursday, May 29, 2003 3:42 PM
    To: vulnwatch@vulnwatch.org; bugtraq@securityfocus.com;
    full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Proxy - Cookie - PhP - .htaccess Questions

    ------------------------------------------------------------------
    - EXPL-C-2003-001 exploitlabs.com conjecture paper 001
    ------------------------------------------------------------------

    -=- PHP and .htaccess Authorization Bypass Conjecture -=-

     If someone could help me with the implications of this scenario :

    you = user-ip
    proxy = proxy ip
    remhost = host-ip

    Open browser via proxy to <hostip> with member forum php/BB type with login
    / pass.
    ( if im correct this sets a cookie to "maintain state" for session auth)
    do stuff.
    Change or turn off proxy in browser.
    do more stuff.

    Q? Are you still authorized?
    C? its looks so
    A? dunno really, this is why I wrote this. help-me?

    My Opinion:
     I think many or most of these php/BB style forums use the <user-ip> as part
    of the cookie making ( baking? yum ) authentication and persistant state
    process. It just seems odd that thers no obvious change in the auth, but yet
    technically the "you' have gone from <proxy-ip> to <user-ip>. This would
    seem to enable a "session sharing" scenario if you could corordinate a
    common proxy and a cookie sharing routine to bypass a many restriction...
    no? Help me figure this out, it is just hypothetical ( hence the
    conjecture ). What about .htaccess? does this violate that protection as
    well??? I say ...YES. Comments and FACTUAL, LOGICAL theory are asked upon
    this as it may ( could ) change the whole aspect of "location" or "absolute"
    auth via a IP protocol. ( or I will be highly embarased as to my high level
    ignarami )

    Donnie Werner
    morning_wood@exploitlabs.com
    http://exploitlabs.com "where finding your hole is job one, and plugging it
    is half the fun"

    oh.. check out http://frame4.com for your corporate security needs.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: morning_wood: "[Full-Disclosure] Proxy - Cookie - PhP - .htaccess Questions"

    Relevant Pages