Forum OpenACS Development: Session Identifier Not Updated

Collapse
1: Session Identifier Not Updated
Posted by Vijay Deshmukh on 07/24/14 12:37 PM
Hi,
I'm working on project-open..
During the scanning of this project,
I got the following vulnerability:

[Medium] Session Identifier Not Updated

Issue: 13800882

Severity: Medium

URL: https://<server_name>/register/

Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,allowing the hacker to view or alter user records, and to perform transactions as that user

Fix: Do not accept externally created session identifiers

In /acs-tcl/tcl/security-procs.tcl file, it is mentioned that ad_session_id has no security, is there any way to secure this ?

http://wiki.tcl.tk/12423 here it is written that how to handle session,can we use it ?

please let me know any more information is needed.

regards,
Vijay

Collapse
2: Re: Session Identifier Not Updated (response to 1)
Posted by Gustaf Neumann on 07/24/14 04:01 PM
The session cookie is not secured, but the login cookie is. One can't do much with the session cookie alone for logged-in users. What are the threats? Is there any evidence that this diagnosis is not a false positive?

We had several security audits over the last year, some of these lead to improvements of the securing of the login cookie (e.g. binding to ip addresses).

Collapse
3: Re: Session Identifier Not Updated (response to 2)
Posted by Vijay Deshmukh on 07/25/14 01:52 PM
Thank you so much for the reply.

the application is scanned using IBM AppScan. and the diagnosis is legit.

the result shows that the session identifier is not getting update. and the scan also gave hint to resolve this issue i.e. don't accept the session externally.

Collapse
4: Re: Session Identifier Not Updated (response to 3)
Posted by Gustaf Neumann on 07/26/14 01:39 AM
Vijay,

Are you able to rerun the scan with the newest version from the oacs-5-8 branch?

I've modified the code to change the session_id when a user logs in. I think this was the case that AppScan was referring to it. Although I still think that OpenACS is not vulnerable to session_id attacks for logged in users, the change does not hurt and makes attacks probably harder.

Collapse
5: Re: Session Identifier Not Updated (response to 4)
Posted by Vijay Deshmukh on 07/28/14 08:51 AM
Gustaf,
Thank you for the reply.

May be you are right that the oacs version I'm having in the project open application is not the latest one. But I can't upgrade it as I'm not sure whether it will be compatible with the application.
Having said that, Can you share the file name and part of the code here, which is responsible for changing the sessoin_id when a user logs in?
And one more thing, In the issue it is stated that "don't accept the external session_id", what does this mean?
Please shade some light on this if possible?

Regards,
Vijay

Collapse
6: Re: Session Identifier Not Updated (response to 5)
Posted by Gustaf Neumann on 07/28/14 10:00 AM
May be you are right that the oacs version I'm having in the project open application is not the latest one.

i haven't mentioned anything is this direction. The change [1] is in acs-tcl/tcl/security-procs.tcl and adresses the regeneration of session-ids when the privilege level changes during login (recommended be owasp.org). You find material concerning "externally created session identifiers" on Wikipedia [2]. There are more possible attacks against session-ids, that are not handled in OpenACS, but these address only sessions of not-logged-in users. As soon a user is logged in, the login cookie secures the session-ids strongly. Security checkers looking only at the session-id will generate false positives.

-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140725233311
[2] http://en.wikipedia.org/wiki/Session_fixation

Collapse
7: Re: Session Identifier Not Updated (response to 4)
Posted by Klaus Hofeditz on 07/28/14 10:05 AM
Hi Gustaf,
I thought of stepping in to help out.

From what I can see its probably the following patch you are referring to:

Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.74.2.10 -r1.74.2.11
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 14 Feb 2014 19:38:26 -0000 1.74.2.10
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 25 Jul 2014 23:33:11 -0000 1.74.2.11
@@ -419,6 +419,12 @@
# the empty string
set prev_user_id [ad_conn user_id]

+ #
+ # Change the session id for all user_id changes, also on
+ # changes from user_id 0, since owasp recommends to renew the
+ # session_id after any privilege level change
+ #
+ #if { $prev_user_id != 0 && $prev_user_id != $new_user_id }
if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {
# this is a change in identity so we should create
# a new session so session-level data is not shared

Can you please review? Seems that logic did not change.
Thanks!

Collapse
8: Re: Session Identifier Not Updated (response to 7)
Posted by Vijay Deshmukh on 08/01/14 09:14 AM
Thanks for the reply Klaus!!
Gustaf can you please comment on this?
Collapse
9: Re: Session Identifier Not Updated (response to 8)
Posted by Gustaf Neumann on 08/01/14 09:37 AM
What do you expect me to comment on this? The change is the same change that i've commited 6 days ago to the code repository of OpenACS [1] noted in the posting nr 6 in this thread [2], posted 5 minutes before the posting of Klaus.

The question is rather, AppScan should stop complaining about using the same session id after the privilege change
-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140725233311
[2] https://openacs.org/forums/message-view?message_id=4169882