Accept cookie authorization only from last user's session host (or IP range)
 

Hello!

As we all know, native VB authorization have two main weak sides:
- cookie connected only with username (userid)
[if somebody will steal your cookies (all browsers including latest allow to do it very easy), he will be able to enter]
- password string (even md5 hash of password from JS) in post data always same
[is somebody in your network can trace you HTTP headers, he will be able to send same post data and enter]
We can try to fight with first problem connecting cookie stored in browser with users host or, if php on your server have no gethostbyaddr function, with first 3 numbers of IP (IP range).
After installing authorization scenario will be the following:
1. user enter username and password in login form and submit it
2. if password match vb set two cookies:
- userid (number)
- password hash
[md5 hash for the result of concatenation "already hashed password stored in db" + "current user's host or ip range" + "some long string just to be more sure".
But if user host look like "dialaup-1276.something.isphost.com", only "isphost.com" part will be included in concatenation.]
3. If user use cookie authorization, VB will compare cookie send by browser with same md5 hash of same concatenation result. So if cookie comes from different host, user will be forced to enter password again.

Hope that this small hack will make your vb little more secure :)

PS It is possible to fight easy with second weak side too, but it needs too much files and template changes and explanations and i don't fink that i'll be able to explaing it with my English :) Sorry :)

nice addition :)

I am trying to install this mod but the second step of replacing this code:
vbsetcookie('password', md5($bbuserinfo['password'] . ''));

or may be

vbsetcookie('password', md5($bbuserinfo['password'] . 'somerandomstring'));

My version (3.0.03 ) shows this in two instances:

vbsetcookie('password', md5($bbuserinfo['password'] . 'IN HERE IS 8 Characters that I didn't want to post cuz I don't know what they are'), 0);

AND

vbsetcookie('userid', $bbuserinfo['userid'], 0);
vbsetcookie('password', md5($bbuserinfo['password'] . 'HERE IS 8 Characters that I didn't want to post cuz I don't know what they are'), 0

I am afraid to overwrite this piece....any suggestions?

I have not seen 3.0.03 yet...
But vbsetcookie function in Gold with last zero as parameter, set cookie that will disappear after closing browser, so i understand nothing and can suggest nothing. Sorry :)

somerandomstring is called "salt" in vBulletin 3.0.3 and is a random string of three characters.

The password is hashed like this: md5(md5($bbuserinfo['password'] . $bbuserinfo['salt'])) so md5 is used twice, once the password is hashed and then the "salt" gets added and then the whole things gets hashed again, and this hash is stored in the database.

Yes, but for cookie authorization vb3 use another random string :) It is not stored in db and i feel that it connected with licence number somehow :)