BugTraq
Back to list
|
Post reply
Claroline 1.7.2, sso identification vulnerability
Jan 20 2006 05:27PM
karmaguedon hotmail com
hi,
this is what we can read in file "/claroline/inc/claro_init_local.inc.php" :
[...]
$ssoCookieValue = md5( mktime() );
$sql = "UPDATE `".$tbl_sso."`
SET cookie = '".$ssoCookieValue."',
rec_time = NOW()
WHERE user_id = ". (int) $_uid;
$affectedRowCount = claro_sql_query_affected_rows($sql);
if ($affectedRowCount < 1)
{
$sql = "INSERT INTO `".$tbl_sso."`
SET cookie = '".$ssoCookieValue."',
rec_time = NOW(),
user_id = ". (int) $_uid;
claro_sql_query($sql);
}
$boolCookie = setcookie($ssoCookieName, $ssoCookieValue,
$ssoCookieExpireTime,
$ssoCookiePath, $ssoCookieDomain);
[...]
so, the cookie value must be always unknown.
in this code, the cookie value is the md5 value of the connection time ! really unknown ? no.
solution :
desactivate sso service
or
replace mktime() by rand(100,1000000) (for e.g)
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
this is what we can read in file "/claroline/inc/claro_init_local.inc.php" :
[...]
$ssoCookieValue = md5( mktime() );
$sql = "UPDATE `".$tbl_sso."`
SET cookie = '".$ssoCookieValue."',
rec_time = NOW()
WHERE user_id = ". (int) $_uid;
$affectedRowCount = claro_sql_query_affected_rows($sql);
if ($affectedRowCount < 1)
{
$sql = "INSERT INTO `".$tbl_sso."`
SET cookie = '".$ssoCookieValue."',
rec_time = NOW(),
user_id = ". (int) $_uid;
claro_sql_query($sql);
}
$boolCookie = setcookie($ssoCookieName, $ssoCookieValue,
$ssoCookieExpireTime,
$ssoCookiePath, $ssoCookieDomain);
[...]
so, the cookie value must be always unknown.
in this code, the cookie value is the md5 value of the connection time ! really unknown ? no.
solution :
desactivate sso service
or
replace mktime() by rand(100,1000000) (for e.g)
[ reply ]