[MajorSecurity #26] Woltlab Burning Board - Multiple Cookie manipulation and session fixation vulnerabilities=0D
----------------------------------------------------------------------------------------=0D
=0D
Software: Woltlab Burning board=0D
=0D
Impact: Cookie manipulation and Session Fixation=0D
=0D
Made public: July, 23th 2006 =0D
=0D
Vendor: WoltLab GmbH=0D
=0D
Page: http://www.woltlab.de=0D 
=0D
Credits:=0D
----------------------------------------------=0D
Discovered by: David Vieira-Kurz=0D
http://www.majorsecurity.de=0D 
=0D
Original Advisory:=0D
----------------------------------------------=0D
http://www.majorsecurity.de/advisory/major_rls26.txt=0D 
=0D
Affected products:=0D
-------------------------------------------------=0D
Woltlab Burning board 1.1.1=0D
Woltlab Burning Board 1.2=0D
Woltlab Burning Board 2.1.3=0D
Woltlab Burning Board 2.1.5=0D
Woltlab Burning Board 2.2=0D
Woltlab Burning Board 2.2.1=0D
Woltlab Burning Board 2.2.2=0D
Other versions may also be affected...=0D
=0D
Requirements:=0D
-------------------------------------------------=0D
register_globals = On =0D
=0D
Cookie manipulation and session fixation attack:=0D
-------------------------------------------------=0D
Classification:=0D
Session Fixation is an attack technique that forces a user's session ID to an explicit value. =0D
Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value.=0D
These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. =0D
After a user's session ID has been fixed, the attacker will wait for them to login. =0D
Once the user does so, the attacker uses the predefined session ID value to assume their online identity. =0D
=0D
Vulnerability:=0D
-------------------------------------------------=0D
WBB 1.1.1 and 1.2:=0D
	The Cookie variable "sid" can be set to something like:=0D
=0D
	1. ;sthreads=a%253A1%253A%257Bi%253A0%253BN%253B%257D=0D
	2. sid=>'>;sthreads=a%253A1%253A%257Bi%253A0%253BN%253B%257D  // XSS is possible=0D
	3. Cookie: sid='";sthreads=a%253A1%253A%257Bi%253A0%253BN%253B%257D // SQL-Injection could be possible=0D
=0D
WBB 2.1.x and 2.2.x:=0D
	The Cookie variable "wbb2_lastvisit" can be set to something like:=0D
=0D
Cookie: wbb2_cookiehash=0bb23efeb1a979d68027994ecb29fc48;wbb2_lastvisit=>'>;wbb2_hidecats=a%253A1%253A%257Bi%253A19%253Bi%253A0%253B%257D // XSS is possible=0D
Cookie: wbb2_cookiehash=0bb23efeb1a979d68027994ecb29fc48;wbb2_lastvisit=%00';wbb2_hidecats=a%253A1%253A%257Bi%253A19%253Bi%253A0%253B%257D=0D
=0D
=0D
Solutions:=0D
-------------------------------------------------=0D
1. Do not accept session identifiers from GET / POST variables:=0D
	Session identifiers in URL (query string, GET variables) or POST variables are not recommended as it simplifies this attack - it is easy to make links or forms which sets GET / POST variables.=0D
=0D
2.Regenerate SID on each request:=0D
	A powerful countermeassure against session fixation is to "regenerate" session identifier (SID) on each request. =0D
	This means that although attacker may trick a user into accepting a known SID, the SID will be invalid when attacker attempts to re-use the SID.=0D
=0D
3. Accept only server generated SID:=0D
	One way to improve security is to not accept session identifiers not generated by server.=0D
=0D
	if ( ! is_set( $_SESSION['SERVER_GENERATED_SID'] ) ) {=0D
	   session_destroy(); // destroy all data in session=0D
	}=0D
	session_regenerate_id(); // generate a new session identifier=0D
	$_SESSION['SERVER_GENERATED_SID'] = true;=0D
=0D
=0D
References:=0D
-------------------------------------------------=0D
http://www.acrossecurity.com/papers/session_fixation.pdf=0D 
http://www.webappsec.org/projects/threat/classes/session_fixation.shtml=0D 
http://en.wikipedia.org/wiki/Session_fixation=0D 
=0D