[Owncloud] Session hijacking vulnerability caused by time based token-generation.
Michael Grosser
mail at seetheprogress.com
Wed Dec 14 14:18:34 UTC 2011
Changed the version number on the homepage. A new homepage is sort of in the
works...
Cheers, Michael
On 14.12.2011 15:15, "Smoes Orino" <smoesorino at googlemail.com> wrote:
> Hey Robin,
>
> at first look that is a fix that prevents people from exploiting the
> mentioned issue, but I think it opens a few new security questions; I don't know
> how relevant they are, but:
>
> - XSS attacks to obtain the session ID open the chance to brute-force the
> password offline
> - A man-in-the-middle attack is even worse, because one could get an
> exact timestamp
>
> Why not use md5(time().user.someRand())? That would raise the possible
> tokens to the rand interval, and let's say for a rand within 10^5, brute-force
> attacks will be impossible.
>
> Another important thing, to prevent brute-forcing in general, is to make a
> login penalty. Let's say a 10 sec penalty after 3 failed logins, server-side
> implemented.
>
> Best wishes,
> Simon
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
>
>
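The two mitigations Simon raises above, written out as an added example that is not ownCloud's code (Python rather than ownCloud's PHP): a session token drawn from the OS CSPRNG in place of an md5 over the clock (a swapped-in technique, not the md5(time().user.rand()) construction proposed in the thread), plus a server-side penalty of 10 seconds after 3 failed logins. The `LoginThrottle` class and its injectable `now` parameter are my own assumptions.

```python
import hmac
import secrets
import time
from typing import Dict, Optional


def make_session_token() -> str:
    """Return a 256-bit session token from the OS CSPRNG.

    Unlike md5(time()) or md5(time() . user . rand()), the value does not
    derive from a guessable timestamp or a small rand() interval, so knowing
    roughly when the session started gives no head start in guessing it.
    """
    return secrets.token_hex(32)


def tokens_match(presented: str, stored: str) -> bool:
    """Constant-time comparison so token checks do not leak via timing."""
    return hmac.compare_digest(presented, stored)


class LoginThrottle:
    """Server-side login penalty (hypothetical helper, not ownCloud's):
    after `max_failures` consecutive failures for a username, reject all
    attempts for `penalty_seconds`. `now` is injectable for testing."""

    def __init__(self, max_failures: int = 3, penalty_seconds: float = 10.0):
        self.max_failures = max_failures
        self.penalty_seconds = penalty_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            # Lock the account and restart the failure count once it expires.
            self._locked_until[user] = now + self.penalty_seconds
            self._failures[user] = 0

    def record_success(self, user: str) -> None:
        # A successful login clears both the counter and any active lock.
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)
```

Before checking `is_locked`, the login handler should still verify the password only when the account is not locked, so a locked account never reveals whether the guess was right.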