Forum OpenACS Development: Re: Session Identifier Not Updated

Posted by Vijay Deshmukh on
Thank you so much for the reply.

The application is scanned using IBM AppScan, and the diagnosis is legit.

The result shows that the session identifier is not getting updated, and the scan also gave a hint to resolve this issue, i.e. don't accept the session externally.

Posted by Gustaf Neumann on
Vijay,

Are you able to rerun the scan with the newest version from the oacs-5-8 branch?

I've modified the code to change the session_id when a user logs in. I think this was the case that AppScan was referring to. Although I still think that OpenACS is not vulnerable to session_id attacks for logged-in users, the change does not hurt and makes attacks probably harder.

Posted by Vijay Deshmukh on
Gustaf,
Thank you for the reply.

Maybe you are right that the oacs version I'm having in the project open application is not the latest one. But I can't upgrade it as I'm not sure whether it will be compatible with the application.
Having said that, can you share the file name and part of the code here, which is responsible for changing the session_id when a user logs in?
And one more thing, in the issue it is stated that "don't accept the external session_id", what does this mean?
Please shed some light on this if possible?

Regards,
Vijay

Posted by Gustaf Neumann on
"Maybe you are right that the oacs version I'm having in the project open application is not the latest one."

I haven't mentioned anything in this direction. The change [1] is in acs-tcl/tcl/security-procs.tcl and addresses the regeneration of session-ids when the privilege level changes during login (recommended by owasp.org). You find material concerning "externally created session identifiers" on Wikipedia [2]. There are more possible attacks against session-ids that are not handled in OpenACS, but these address only sessions of not-logged-in users. As soon as a user is logged in, the login cookie secures the session-ids strongly. Security checkers looking only at the session-id will generate false positives.

-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140725233311
[2] http://en.wikipedia.org/wiki/Session_fixation
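
The two points in the reply above (ignoring session ids the server did not issue, and issuing a new id when the user_id changes at login) as an added Tcl example; it is not OpenACS code and not part of any post in this thread. The procs and the in-memory session table are hypothetical, only `prev_user_id` and `new_user_id` echo names from security-procs.tcl, and it assumes Tcl 8.6 on a system with /dev/urandom.

```tcl
# Added illustration, not OpenACS code: a toy in-memory session table.
# All proc names and the ::sessions variable are hypothetical.

proc new_session_id {} {
    # 128 bits from the OS random source, hex encoded (Tcl 8.6, Unix-like)
    set f [open /dev/urandom rb]
    set bytes [read $f 16]
    close $f
    return [binary encode hex $bytes]
}

# ::sessions maps session_id -> user_id (0 = not logged in)
set ::sessions [dict create]

proc session_setup {presented_id} {
    # Only ids this server issued are honoured. Any other value, such as
    # an id created externally and planted in the browser, is replaced.
    if {$presented_id ne "" && [dict exists $::sessions $presented_id]} {
        return $presented_id
    }
    set id [new_session_id]
    dict set ::sessions $id 0
    return $id
}

proc session_login {session_id new_user_id} {
    set prev_user_id [dict get $::sessions $session_id]
    if {$prev_user_id != $new_user_id} {
        # Privilege level changes, also from user_id 0: retire the old id
        dict unset ::sessions $session_id
        set session_id [new_session_id]
    }
    dict set ::sessions $session_id $new_user_id
    return $session_id
}

# Constructed walk-through: a browser arrives with an id the server never issued
set planted "externally-supplied-id"
set anon    [session_setup $planted]
set authed  [session_login $anon 42]
puts "external id accepted:  [expr {$anon eq $planted}]"
puts "id kept across login:  [expr {$authed eq $anon}]"
puts "pre-login id valid:    [dict exists $::sessions $anon]"
```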

Posted by Klaus Hofeditz on
Hi Gustaf,
I thought of stepping in to help out.

From what I can see it's probably the following patch you are referring to:

Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.74.2.10 -r1.74.2.11
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 14 Feb 2014 19:38:26 -0000 1.74.2.10
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 25 Jul 2014 23:33:11 -0000 1.74.2.11
@@ -419,6 +419,12 @@
# the empty string
set prev_user_id [ad_conn user_id]

+ #
+ # Change the session id for all user_id changes, also on
+ # changes from user_id 0, since owasp recommends to renew the
+ # session_id after any privilege level change
+ #
+ #if { $prev_user_id != 0 && $prev_user_id != $new_user_id }
if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {
# this is a change in identity so we should create
# a new session so session-level data is not shared
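
Review bot: the active condition on the context line after the new comment still reads `if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {`, so a change from user_id 0 to a logged-in user does not enter the new-session branch, although the added comment says the session id is changed "also on changes from user_id 0". As shown, the hunk adds only comment lines, one of which is a commented-out copy of that same condition. If the intent is to renew the session id on every user_id change, the test should be `$prev_user_id != $new_user_id` alone, and the `#if` line should either be dropped or labelled as the previous condition.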

Can you please review? Seems that logic did not change.
Thanks!

Posted by Vijay Deshmukh on
Thanks for the reply, Klaus!!
Gustaf, can you please comment on this?

Posted by Gustaf Neumann on
What do you expect me to comment on this? The change is the same change that I've committed 6 days ago to the code repository of OpenACS [1] noted in the posting nr 6 in this thread [2], posted 5 minutes before the posting of Klaus.

The question is rather, AppScan should stop complaining about using the same session id after the privilege change.
-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140725233311
[2] https://openacs.org/forums/message-view?message_id=4169882