[Owncloud] Session hijacking vulnerability caused by time based token-generation.

Smoes Orino smoesorino at googlemail.com
Wed Dec 14 14:15:31 UTC 2011

Hey Robin,

at the first look that is a fix that prevents people from exploiting the
mentioned, but I think it opens a few new security questions, I dont know
how relevant they are but:

   - XSS attacks to obtain sessionID open the chance to brute force the
   password offline
   - A man in die middle attack is even worse, because one could get an
   exact timestamp

Why not use md5(time().user.someRand())? That would raise the possible
tokens to the rand intervall and lets say for a rand within 10^5 bruteforce
attacks will be impossible.

Another important thing, to prevent bruteforcing in common, is to make a
log-in penality. Lets say 10 sec penalty after 3 failed logins, server-side

Best wishes,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20111214/123bb6a6/attachment.html>

More information about the Owncloud mailing list