[Owncloud] Session hijacking vulnerability caused by time based token-generation.
mail at seetheprogress.com
Wed Dec 14 14:18:34 UTC 2011
Changed the version number on the homepage. A new homepage is sort of in the
On 14.12.2011 15:15, "Smoes Orino" <smoesorino at googlemail.com> wrote:
> Hey Robin,
> at first look that is a fix that prevents people from exploiting the
> mentioned, but I think it opens a few new security questions, I don't know
> how relevant they are but:
> - XSS attacks to obtain the session ID open the chance to brute-force the
> password offline
> - A man-in-the-middle attack is even worse, because one could get an
> exact timestamp
> Why not use md5(time().user.someRand())? That would raise the possible
> tokens to the rand interval and, let's say, for a rand within 10^5 brute-force
> attacks will be impossible.
> Another important thing, to prevent brute-forcing in general, is to make a
> log-in penalty. Let's say a 10 sec penalty after 3 failed logins, server-side
> Best wishes,
> Owncloud mailing list
> Owncloud at kde.org
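The following is an added illustration of the two points raised in the quoted mail; it is example code written for this page, not ownCloud's own code. It models a token that is only md5(time()), the proposed md5(time().user.rand()) variant, and the offline search an attacker can run once a token has been obtained (via XSS or a man-in-the-middle position) together with an approximate or exact login time. search_space() returns the number of md5 evaluations that search needs, so the reader can gauge how large the rand interval has to be for a given timestamp window. csprng_token() shows the alternative of drawing the token from the OS CSPRNG, where no timestamp window exists to search. LoginThrottle is a minimal server-side failed-login penalty of the kind suggested at the end of the mail. The user name, timestamps, window sizes and function names are all constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample values: a Unix timestamp near the date of the mail, a user name.
SAMPLE_TS = 1323872314
SAMPLE_USER = "alice"


def time_token(ts: int) -> str:
    """Token derived from nothing but a Unix timestamp: md5(time())."""
    return hashlib.md5(str(ts).encode()).hexdigest()


def salted_time_token(ts: int, user: str, rand: int) -> str:
    """md5(time().user.rand()) as proposed in the mail; rand is drawn from [0, rand_range)."""
    return hashlib.md5(f"{ts}{user}{rand}".encode()).hexdigest()


def csprng_token(nbytes: int = 16) -> str:
    """Token from the OS CSPRNG (128 bits by default): independent of time and user,
    so there is no timestamp window or rand interval to enumerate."""
    return secrets.token_hex(nbytes)


def recover_time_token(token: str, approx_ts: int, window: int):
    """Attacker holding a stolen token and the login time to within +/- window seconds
    re-hashes every candidate second until the token matches.
    Returns the recovered timestamp, or None."""
    for ts in range(approx_ts - window, approx_ts + window + 1):
        if time_token(ts) == token:
            return ts
    return None


def recover_salted_token(token: str, user: str, approx_ts: int, window: int, rand_range: int):
    """Same offline search against the salted scheme. The user name is known to the
    attacker (it is the account being attacked), so only the timestamp window and the
    rand interval remain to be enumerated. Returns (timestamp, rand) or None."""
    for ts in range(approx_ts - window, approx_ts + window + 1):
        for rand in range(rand_range):
            if salted_time_token(ts, user, rand) == token:
                return ts, rand
    return None


def search_space(window: int, rand_range: int) -> int:
    """Worst-case number of md5 evaluations for the offline search above:
    every second in the +/- window times every value in the rand interval.
    With an exact timestamp (window 0) only the rand interval is left."""
    return (2 * window + 1) * rand_range


class LoginThrottle:
    """Server-side penalty: after max_failures failed logins for a user, further
    attempts are rejected for `penalty` seconds without evaluating the password.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_failures: int = 3, penalty: float = 10.0, clock=time.time):
        self.max_failures = max_failures
        self.penalty = penalty
        self.clock = clock
        self._state = {}  # user -> (failure_count, blocked_until)

    def attempt(self, user: str, password_ok: bool) -> bool:
        """Record one login attempt and return whether the login is accepted."""
        now = self.clock()
        count, blocked_until = self._state.get(user, (0, 0.0))
        if now < blocked_until:
            return False  # still penalised: reject even a correct password
        if password_ok:
            self._state.pop(user, None)
            return True
        count += 1
        if count >= self.max_failures:
            self._state[user] = (0, now + self.penalty)
        else:
            self._state[user] = (count, 0.0)
        return False


if __name__ == "__main__":
    stolen = time_token(SAMPLE_TS)
    print("time-only token recovered at", recover_time_token(stolen, SAMPLE_TS + 40, 60))
    stolen = salted_time_token(SAMPLE_TS, SAMPLE_USER, 777)
    print("salted token recovered as", recover_salted_token(stolen, SAMPLE_USER, SAMPLE_TS - 5, 10, 1000))
    print("md5 evaluations for a 10 min window and rand < 10^5:", search_space(300, 10**5))
    print("CSPRNG token:", csprng_token())
```

Run as a script, the block recovers both constructed tokens and prints the size of the search for a ten-minute window with the 10^5 rand interval from the mail; change the window and rand_range arguments to see how the count scales.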