vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   How secure is vBulletin's cookie storage? (https://vborg.vbsupport.ru/showthread.php?t=224432)

j_86 10-02-2009 06:19 PM
How secure is vBulletin's cookie storage?
 
vBulletin stores two cookies - a hashed password and my user ID. If someone steals these two cookies from me (i.e. if my cookies were stolen via an XSS flaw in the vB installation), would they be able to cleanly authenticate into my user account?

BSMedia 10-02-2009 06:50 PM
No.

Though anything is possible

James Birkett 10-02-2009 08:50 PM
Considering a lot of the forum requires reauthentication - no.
The cookie is hashed using your cookie ID as well as your password and salt, triple hash whereas the database is a double hash.

j_86 10-03-2009 03:14 PM
Quote:
Originally Posted by James Birkett (Post 1893976)
Considering a lot of the forum requires reauthentication - no.
This doesn't answer my question.

Try this:

1) Login to vbulletin.org

2) Delete the cookies highlighted below:

http://img183.imageshack.us/img183/1...1254589846.jpg

3) Close your browser completely (ending any authentication sessions)

4) Visit vbulletin.org

5) You are re-authenticated


So, surely this means that vBulletin is reauthenticating you based on your hashed password value (it doesn't matter how it is hashed) and your user ID.

This means that should vbulletin.org be attacked via an XSS flaw, an attacker could load an iframe on vbulletin.org of a malicious website and steal my cookie, using it to cleanly authenticate.

Are my assumptions here correct?

j_86 10-15-2009 09:15 AM
I've tested this, and it looks like by taking the cookie information, anyone can authenticate as you. Whether or not the password is hashed is irrelevant and ultimately futile against XSS attacks :(


All times are GMT. The time now is 10:55 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02920 seconds
  • Memory Usage 1,715KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (5)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete