[Owncloud] Session hijacking vulnerability caused by time based token-generation.
smoesorino at googlemail.com
Wed Dec 14 14:15:31 UTC 2011
At first look that is a fix that prevents people from exploiting the
mentioned vulnerability, but I think it opens a few new security questions. I don't know
how relevant they are, but:
- XSS attacks to obtain the sessionID open the chance to brute force the
- A man-in-the-middle attack is even worse, because one could get an
Why not use md5(time().user.someRand())? That would raise the possible
tokens to the rand interval, and let's say for a rand within 10^5 brute-force
attacks will be impossible.
Another important thing, to prevent brute forcing in general, is to make a
log-in penalty. Let's say 10 sec penalty after 3 failed logins, server-side
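The server-side log-in penalty proposed in the post (3 failed logins, then a 10-second lock-out), as an added example that is not part of the original message or of ownCloud's code. The `LoginThrottle` class, its method names and the in-memory state are assumptions for illustration; the session token is drawn from the OS CSPRNG rather than from `md5(time()...)`.

```python
import secrets
import time
from typing import Callable, Dict, Optional


class LoginThrottle:
    """Server-side penalty: after `max_failures` consecutive failed logins for
    an account, further attempts for that account are refused (without even
    checking the password) until `penalty_seconds` have elapsed."""

    def __init__(self, max_failures: int = 3, penalty_seconds: float = 10.0):
        self.max_failures = max_failures
        self.penalty_seconds = penalty_seconds
        self._failures: Dict[str, int] = {}        # user -> consecutive failures
        self._blocked_until: Dict[str, float] = {}  # user -> unix time the block ends

    def is_blocked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._blocked_until.get(user, 0.0) > now

    def attempt(self, user: str, verify: Callable[[], bool],
                now: Optional[float] = None) -> str:
        """Run one login attempt. `verify` is the real credential check and is
        only invoked when the account is not currently penalised.
        Returns 'blocked', 'ok' or 'failed'."""
        now = time.time() if now is None else now
        if self.is_blocked(user, now):
            return "blocked"
        if verify():
            self._failures.pop(user, None)  # a success clears the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        if count >= self.max_failures:
            # Penalty window starts now; counter restarts after the window.
            self._blocked_until[user] = now + self.penalty_seconds
            self._failures.pop(user, None)
        else:
            self._failures[user] = count
        return "failed"


def new_session_token(nbytes: int = 32) -> str:
    """Session token from the OS CSPRNG: not derivable from time or username."""
    return secrets.token_hex(nbytes)
```

Because `attempt` takes the clock as a parameter, the penalty window can be exercised deterministically in tests; in production the `now` argument is simply omitted.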