[Owncloud] Session hijacking vulnerability caused by time based token-generation.

Michael Grosser mail at seetheprogress.com
Wed Dec 14 14:18:34 UTC 2011

Changed the versionnumber on the homepage. A new homepage is sort of in the
Cheers michael
Am 14.12.2011 15:15 schrieb "Smoes Orino" <smoesorino at googlemail.com>:

> Hey Robin,
> at the first look that is a fix that prevents people from exploiting the
> mentioned, but I think it opens a few new security questions, I dont know
> how relevant they are but:
>    - XSS attacks to obtain sessionID open the chance to brute force the
>    password offline
>    - A man in die middle attack is even worse, because one could get an
>    exact timestamp
> Why not use md5(time().user.someRand())? That would raise the possible
> tokens to the rand intervall and lets say for a rand within 10^5 bruteforce
> attacks will be impossible.
> Another important thing, to prevent bruteforcing in common, is to make a
> log-in penality. Lets say 10 sec penalty after 3 failed logins, server-side
> implemented.
> Best wishes,
> Simon
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20111214/a29c5f13/attachment.html>

More information about the Owncloud mailing list