[TYPO3-core] RFC #9384: FE session hijacking

Dmitry Dulepov [typo3] dmitry at typo3.org
Thu Sep 18 21:00:09 CEST 2008


Hi!

This is an SVN patch request.

Type: bug

Branches: trunk, 4.2, 4.1

BT reference: http://bugs.typo3.org/view.php?id=9384

Problem: typo3/sysext/tslib/class.tslib_feuserauth.php limits the session id to 10 characters. The session id is an md5 value and that class just applies substr(), thus breaking md5 integrity. If there are two users whose IP addresses are from similar networks and whose md5 hashes are similar, session hijacking will happen.

Solution: drop 10 characters limit and use full 32 characters of md5 like it is done for Backend.

Notes: I have this problem on a real site. It is very rare, so not a real security issue. But it exists and I want to get rid of it. Users do not really like to see that they are logged in as someone else. I modified the code on my server and it runs OK with this one-line fix.

-- 
Dmitry Dulepov
TYPO3 Core team
My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
In the blog: http://typo3bloke.net/post-details/tag_your_typo3_extension_releases_in_svn/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 9384.diff
Type: text/x-diff
Size: 918 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20080918/2116e7f0/attachment.diff 
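The report above says truncating the md5 session id to 10 characters lets two users end up with the same id. The following is an added illustration, not Dmitry's patch and not TYPO3 code: it models the pattern described (full md5 hex digest, then substr()) with a stand-in `make_session_id` function, estimates the collision probability for 10 versus 32 hex characters with the birthday bound, shows by pigeonhole that a short enough truncation forces collisions among deterministic inputs, and includes a check a site operator could run against cookie values after deploying the fix. The constants, function names and sample seeds are constructed for this example.

```python
"""Why truncating an md5 session id to 10 hex characters invites collisions.

Constructed illustration; nothing here is TYPO3's own code. It models the
pattern the report describes: md5 hex digest, then substr() to 10 characters.
"""
import hashlib
import math
import re

HEX_BITS_PER_CHAR = 4          # one hex character carries 4 bits
FULL_MD5_HEX_LEN = 32          # md5 as hex: 128 bits (the proposed fix)
TRUNCATED_HEX_LEN = 10         # the limit the report objects to: 40 bits

FULL_MD5_RE = re.compile(r"[0-9a-f]{32}")


def session_id_bits(hex_len: int) -> int:
    """Bits of identifier space that survive keeping only hex_len characters."""
    return hex_len * HEX_BITS_PER_CHAR


def collision_probability(hex_len: int, sessions: int) -> float:
    """Birthday-bound estimate that at least two of `sessions` ids coincide.

    Uses -expm1(-x) instead of 1 - exp(-x) so that the tiny 128-bit result
    does not round to exactly 0.0.
    """
    space = 2 ** session_id_bits(hex_len)
    pairs = sessions * (sessions - 1) / 2.0
    return -math.expm1(-pairs / space)


def sessions_for_half_chance(hex_len: int) -> int:
    """Number of live sessions at which a collision becomes a coin flip."""
    space = 2 ** session_id_bits(hex_len)
    return int(math.sqrt(2.0 * space * math.log(2.0)))


def make_session_id(seed: bytes, keep: int = FULL_MD5_HEX_LEN) -> str:
    """Stand-in for the described pattern: md5 hex of `seed`, cut to `keep` chars.

    keep=10 reproduces the truncation in the report; keep=32 keeps the whole
    digest, as the backend already does.
    """
    return hashlib.md5(seed).hexdigest()[:keep]


def distinct_after_truncation(keep: int, sessions: int) -> int:
    """How many of `sessions` ids from distinct seeds stay distinct after truncation."""
    ids = {make_session_id(b"session-%d" % i, keep) for i in range(sessions)}
    return len(ids)


def is_full_md5_session_id(value: str) -> bool:
    """Post-fix check: a cookie value should be 32 lowercase hex characters."""
    return FULL_MD5_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for n in (10_000, 100_000, 1_000_000):
        print(f"{n:>9} sessions: p(collision) at 10 chars = "
              f"{collision_probability(TRUNCATED_HEX_LEN, n):.2e}, "
              f"at 32 chars = {collision_probability(FULL_MD5_HEX_LEN, n):.2e}")
    print("10-char ids reach a 50% collision chance at about",
          sessions_for_half_chance(TRUNCATED_HEX_LEN), "live sessions")
    # With only 2 hex chars (256 values) the pigeonhole principle guarantees
    # collisions among 300 sessions; the full digest keeps all 300 distinct.
    print("distinct of 300 at 2 chars: ", distinct_after_truncation(2, 300))
    print("distinct of 300 at 32 chars:", distinct_after_truncation(32, 300))
    print("cookie value passes length check:",
          is_full_md5_session_id(make_session_id(b"constructed-seed")))
```

The birthday bound is what turns "very rare" into a number: a 40-bit id space gives a 50% chance of at least one shared id once roughly 1.2 million session ids are live, and a measurable chance well below that, whereas the 128-bit full digest stays negligible at any realistic session count. The `is_full_md5_session_id` check is the simple verification to run on a frontend session cookie value after applying the patch.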

