Forum OpenACS Development: Security Issue? Session Identifier Not Updated

Hi,

We've got two postings on our ]project-open[ SourceForge tracker that I've only discovered today as I'm reviewing everything before an upcoming ]po[ V5.0 release:

https://sourceforge.net/p/project-open/discussion/295937/thread/d62fce3e/
and
https://sourceforge.net/p/project-open/discussion/295937/thread/fa59375d/

I'm not sure if these issues already influenced OpenACS 5.9.

The first one seems valid to me on first sight, while we weren't able to reproduce the 2nd one. Also, we had quite an intensive security audit by a Washington cyber-war company in March, and these issues didn't come up. (There were a few other ones, which I communicated privately to Gustaf.)

Cheers,
Frank

Posted by Gustaf Neumann on
Hi Frank,

These reports are more than two years old (May 2014)! On which version of OpenACS was PO based at this time?

The issue with the refreshing_p in ad_forms was fixed in March 2014 [1], the session_ids are secured via signatures since July 2014 [2]. The xss and session_id security was checked various times since then, including with leading open source tools (such as w3af) or commercial tools (acunetix); we also have regular security scans of our production site by an external company.
So I doubt there are still issues. When you get vulnerability scans of recent versions indicating differently, please let me know (including the used tools) asap.

-g

[1] http://fisheye.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140301145440
[2] http://fisheye.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140729225428

Posted by Frank Bergmann on
Hi Gustaf,

Thanks a lot for the reply.

I was neither aware of the refreshing_p issue nor of the fix. I did read about the signature for session_id, but didn't understand the relevance to this issue.

I'll cross-link this answer from our forums. I'll also post an advisory for ]po[ V4.0 now.

Cheers,
Frank

Posted by Gustaf Neumann on
The change [2] is not doing what the poster suggests, but it avoids many threats concerning stealing and manipulating session_ids. The session_id management in OpenACS is quite tricky and differs from many other frameworks, since it involves the interplay with other cookies as well. So, at least some attacks on session_ids from other frameworks don't necessarily apply as well to OpenACS.

OpenACS 5.9.0 fixes many more other attack vectors related to cross site scripting. The forthcoming OpenACS 5.9.1 addresses more injection attacks (both cross site scripting and SQL injection) identified with newer scanning and provides as well framework support for CSRF attacks (cross site request forgery).