Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[benlakaz]

SOmeones got my log in as admin.. I heard its session hijacking.. how will this be prevented?? Thanks

[Danny696]

Secure your forums.

[strats]

I had this problem too and I have secure forums

[benlakaz]

Thanks for the advice. can you give me some tips how to do that?

[Cronus]

Use the free forums here on cronwerks.

[JoshuaDams]

session hijacking can also be done via Preferances.

Secure your preferances from people uploading non images.

[Spudinski]

Just don't allow session ID's in the url, apache(mod_rewrite) and php can do this, both very good.
It's simple to write a script to check this, or just change your PHP configuration file.

in php.ini, change the values to these:

Code: [Select]

session.use_trans_sid 0
session.use_only_cookies 1

script acces;
ini_set('session.use_trans_sid', 0);
ini_set(‘session.use_only_cookies’, 1);
or write the script:

Code: [Select]

<?php

if (isset($_GET['PHPSESSID'])) {
    $requesturi = preg_replace('/?PHPSESSID=[^&]+/',"",$_SERVER['REQUEST_URI']);
    $requesturi = preg_replace('/&PHPSESSID=[^&]+/',"",$requesturi);
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://".$_SERVER['HTTP_HOST'].$requesturi);
    exit;
}

?>

or .htaccess

Code: [Select]

<IfModule mod_rewrite.c>

RewriteEngine On
RewriteCond %{QUERY_STRING} PHPSESSID=.*$
RewriteRule .* %{REQUEST_URI}? [R=301,L]

</IfModule>
Reference: http://www.seomoz.org/ugc/removing-phpsessid-from-an-url

[JoshuaDams]

Spudinski part of how this 'hack' works is the following


Hacker logs in, goes to Preferances finds "display picture or Signature"

The insert a query involving staff_special.php (the same query the Admin does when he changes a users_level in that file.

Then when an Admin views their profile, poof they just made that user an Admin w/o their knowledge.

Another way to do it is using <meta tag> refreshes in Player reports, or refreshes in Forums.

Also, if their IP isnt secured they use a firefox add-on that re-directs IP stuff using a code like 2', user_leve='2 in the add-on.  That sets them admin as well.

Forums/cmarket most have figured out how to secure now, there are to many loop holes to fix with McCodes

Personally I did the following

Validate an Imagesize on your preferances for Display Picture
Use htmlspecialchars/entities/MRES on signatures
On viewuser where the output is given strip tags with htmlspecial chars etc where needed.

Change your staff files or put them in a folder and change links in scripts as needed.

I changed my user_level system completely, no longer have user_level in my game it goes off something differant.

Staff Password protection on all files

Have a script in header as well

Works as such, in the database, i set a "admin password" in my users table.  If they are admin, the header checks to see if that user has a admin password in the database, if they dont it auto feds them.

You can take an extra step here if you have a solid IP and use it to check that users IP address to, set an IP in a folder on your cpanel and if that users IP doesnt match the IPS you have set as Admins it bans them as well, although most users dont have a static IP that becomes a little more touchy.

Hope some of that helped.

[Spudinski]

Please don't explain to me what something is, I do know what it is, really.
Session hijacking is normally done another way around, not what any of you refer to, what you guys refer to is either XSS and SQL Injections(not even blind ones).

So I'll explain Session Hijacking to you Immortalthug, just so also know what it really is, and what I posted previously for.
Okay, so a session_id is a code that is assigned to you by the web server, it's stored in a php directory on the server.
When a new user visits a page, the server creates an unique session_id for the client, and it is saved in a folder on the server AND either in a cookie or in the URL.
A session_id remains on the server for quite some time, depending on the configuration of the server.

If someone catches that url, it can immediately used to disguise that user as the one whom the session_id was generated for in the first place, and viola administrator privileges.
Try doing a search on google with; inurl:"PHPSESSID=", you will be amazed with what you come up with.

[JoshuaDams]

Right but people are confusing "admin hacks" with Session hacks.

What i listed is not a URL injection, well one or two isnt, and one is an Off Site re-direct using htaccess to configure a shell upload.

[Spudinski]

Such as an common XSS attack, because no-one can edit the .htaccess without direct access to the filesystem.

[JoshuaDams]

It's not editing yours it's there

example


You have a site where display pics are URLS.

Hacker has a free Host Site

Hacker edits his .HTACCESS file to change .gif to .php

Hacker uploads badcode.gif to his server. 

Hacker uses hackerssite.com/badcode.gif as his "url"

Hacker then puts the badcode.gif as his url in display picture

Code in the .gif being something like

$db->query("TRUNCATE TABLE users");

Oops.....

[mentaljason]

renaming the user_level field to something else seems the best way but it would be a nusnace to go though every file and replace the user_level bit :p lol might do it, good suggesting immortalhug :p

[Danny696]

You dont need to change the user_level part, if your site is secure, it wont need to be changed, and the first thing i did when i got my game, was change user_level.

[Spudinski]

No offense to you in any way, Immortalthug.
But HTML is incapable of executing any form of script or command phrase.
The attempted "hacker" must be a real idiot to try something like that, because it simply just would not work, and it's very easily detectable in any case.

Let me explain to you, as it seems you lack the sufficient knowledge to grasp this theory.
Firstly we are discussing Session Hijacking, not some sort of XSS attempt.
Secondly, if I have a server, the only possible way I would run any form of code of the other server, is through a include(), or require() function.
Even file_get_contents() will NOT execute the script of the other server, to make that function do anything, you would have to enclose the function in either exec() or eval(), which nobody with two braincells would do anymore.

The picture will just render incorrectly, or trough out an invalid image error in the users browser, although it is possible for the users browser to get infected by a vulnerability in either the PC or the browser's image rendering system.

So s'kiddies, this won't work, by now most websites verifies their images that are uploaded, and images has a specific header, and contents to go with it - bad luck for you.