[Owncloud] Session hijacking vulnerability caused by time based token-generation.
Smoes Orino
smoesorino at googlemail.com
Wed Dec 14 14:15:31 UTC 2011
Hey Robin,
At first look that is a fix that prevents people from exploiting the
issue mentioned, but I think it opens a few new security questions; I don't know
how relevant they are, but:
- XSS attacks to obtain the session ID open the chance to brute-force the
password offline
- A man-in-the-middle attack is even worse, because one could get an
exact timestamp
Why not use md5(time().user.someRand())? That would raise the possible
tokens to the rand interval, and let's say for a rand within 10^5 brute-force
attacks will be impossible.
Another important thing, to prevent brute-forcing in general, is to make a
log-in penalty. Let's say a 10 sec penalty after 3 failed logins, implemented
server-side.
Best wishes,
Simon