MyBB Community Forums

Full Version: [B] my_setcookie() is too Weak..,
Sorry if this sounds like a suggestion thingie,
but I'm still tending to post it here because it is more like a bug to me, and I hope the developer team can fix this in the next version. Sad

---------------
Dear MyBB Group,

I want to report some kind of bug, uhm no, it's not really a bug I think.
I'm using your latest version, 1.4.8, and it's working well.
OK, let's say this is just low-level in terms of critical security.
It's all about MyBB's cookie, the way it is created with my_setcookie for the key name mybbuser.
I think it's very easy for users to exchange their cookie just to get authorization and log in.

Mmphh, sorry for my bad English. --__--''

OK, here's the thing I found when I encountered the problem:
my friend (on the same board as me) gave me his mybbuser cookie, and I tried to use it by injecting the cookie into Opera or Firefox with Cookie Editor or whatever, and bang, I'm in, with my friend's ID.

You might not see this as a big problem, do you? But, errr, a couple of days ago one of the staff moderators on my forum got hacked.
Someone else used his ID and posted weird things: leaked VIP stuff, stole it, and more. And my friend denied that he did that.
I don't know what triggered this problem:
maybe this is human error by my staff,
or maybe this is human error (again) in that my staff got a keylogger or trojan.

No matter what/how it is, I think I'd just offer you a good solution for this.
The way the mybbuser cookie is created with my_setcookie
is not secure enough if we just join userID."_".loginkeyHash.
Maybe there's another, better solution, but this is one of my ways of patching the board just to prevent users exchanging their cookie, or having it stolen by accident with a keylogger or something like that.
Thank God (well, I hope) there's no XSS left in this version. :o

Some functions that I need, placed in function.php:
/*-------------------*/
--Declined--

Thanks for your attention.
Keep rockin'. \m/

Salam,
::Idx.
I don't see how this is a bug, Idoenk. This 'bug' would involve a user being hacked or them giving their cookie to someone - either of which MyBB is powerless to prevent.

Either way, I also don't see how your code is any stronger. Is it not just another method of creating a random string? Who's to say if your cookie code can't just be taken...
Hmm, what if I pick up those new strings as well and inject them into Firefox or Opera? It would still work. So the best way to prevent this is to log out when you are in public places Tongue
If I understand the code right, it adds a check for the users IP and User Agent. So it's kind of a "restrict session to this machine" mechanism. It'd certainly help prevent someone using a stolen cookie, but if MyBB behaved that way by default, I'd have to re-login every day since my ISP changes my IP once every 24 hours, so it's not suitable for me. It may be suitable for people who have static IPs though. Some forum systems offer this as an option checkbox you can tick before pressing the login button.

MyBB simply does not use a strict session system, that's all - while it is less secure than for example an Online Banking session (which logs you out for good if you're inactive for 15 minutes or when you press logout), on the other hand such a lax system is required for comfort (forum users don't want to have to re-login every 15 minutes).

It's not insecure in the sense that others can guess your cookie. They can do that only if they obtain your login key, which they should not be able to in the first place. If they do obtain your login key, without you knowing that they did obtain it, then you have a problem because the login key stays valid for a very long time ... until the user changes his password in fact.

So this is more a feature request than a security issue. The feature requests being:

- add "restrict session to IP" option on Login (requires IP being incorporated into the hash / random string somehow)
- add "end all other sessions too" option to Logout (requires loginkey to be changed on logout)
- add "end my session after X minutes/hours of absence" option (requires task which changes loginkeys for users with lastvisit < X)

This way a user could obtain an online banking style session mechanism for his user account... well actually online banking systems do lots more stuff, but there's no point in going that far for a forum system.
(2009-08-10, 09:31 AM)Pirata Nervo Wrote: [ -> ]Hmm, what if I pick up those new strings as well and inject them into Firefox or Opera? It would still work. So the best way to prevent this is to log out when you are in public places Tongue

No, it is not. Have you (sorry) tried it before making that statement?
I have tested that on my board,
and force-injecting cross-browser should not work.
Besides, I mix that with the user's IP too :p, so this should be a little unique.
Well, the cookie is indeed getting worse; it's longer than before..

@Tomm,
Uhm, do you mean it is an ordinary thing for a user to have another authorization way to log in besides using user:pass?

Reminds me of Friendster cookie-stealing; don't you think this would be the same case?
Big Grin
If someone wants to give out their cookies, that's sort of their own problem. Making a login for one IP/user agent would be annoying to people like me who use the internet from numerous places and even numerous browsers.

We have this sort of protection for the Admin CP where it is more necessary but I can't see this coming down to general logging in. But that's just my opinion. Smile
(2009-08-10, 10:06 AM)Idoenk Wrote: [ -> ]No, it is not. Have you (sorry) tried it before making that statement?
No, I didn't try it. I just read some parts of your code actually, but I see your point now Tongue
Gee, frostschutz just read my mind. o_O"
Yeah, I guess I'm requesting optional stuff like that feature, if it would not be necessary for people in general. Or maybe we don't need to mix the IP in to generate the new cookie. Big Grin
Or else, anything but the unexpired plain loginkey. >,<

But errgh, it's OK, never mind.
It's too strict to check the cookie like this.
Thanks.
You can expire the loginkey yourself, by changing your password (even by changing your password to the password you already have). So it's not like you don't have any countermeasures... if someone assumes that someone else is using his account, password change is what is to be done first anyway.
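As an added illustration of the mechanism the thread is arguing about (this is example code, not MyBB's own my_setcookie or loginkey handling, and not the code Idoenk posted), the block below models the three things frostschutz describes: the lax "<uid>_<loginkey>" cookie that verifies from any browser, an opt-in "restrict session to IP" binding that folds the client's IP and User-Agent into an HMAC tag, and loginkey rotation, which is what his last reply says a password change does to every outstanding cookie. The server secret, the in-memory users table, the 50-hex-character loginkey length, the HMAC binding and all function names are assumptions for the illustration. It goes one step beyond the thread: the "restrict" choice is stored server-side, so a thief cannot simply strip the tag off a bound cookie and present the plain two-part form.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Stand-ins for the per-installation secret and the users table (constructed data).
SERVER_SECRET = b"constructed-per-installation-secret"
USERS = {}  # uid -> {"loginkey": str, "restrict": bool}


def new_loginkey() -> str:
    # Random and unguessable; the length is an assumption, not MyBB's.
    return secrets.token_hex(25)


def _binding_tag(uid: int, loginkey: str, client: dict) -> str:
    # Keyed hash over the session identity plus the client's IP / User-Agent.
    msg = f"{uid}|{loginkey}|{client['ip']}|{client['ua']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def login(uid: int, client: dict, restrict_to_client: bool = False) -> str:
    """Issue the login cookie value.

    Default: "<uid>_<loginkey>", the lax form discussed in the thread, which
    verifies from any browser that presents it. With restrict_to_client the
    "restrict session to IP" option is recorded server-side and a binding tag
    is appended, so the cookie only verifies from the same IP / User-Agent.
    """
    user = USERS.setdefault(uid, {"loginkey": new_loginkey(), "restrict": False})
    user["restrict"] = restrict_to_client
    cookie = f"{uid}_{user['loginkey']}"
    if restrict_to_client:
        cookie += "_" + _binding_tag(uid, user["loginkey"], client)
    return cookie


def verify_cookie(cookie: str, client: dict) -> Optional[int]:
    """Return the uid the cookie authenticates for this request, or None."""
    parts = cookie.split("_")
    if len(parts) not in (2, 3) or not parts[0].isdigit():
        return None
    uid, loginkey = int(parts[0]), parts[1]
    user = USERS.get(uid)
    if user is None or not hmac.compare_digest(user["loginkey"], loginkey):
        return None  # unknown uid, or loginkey rotated since the cookie was issued
    if user["restrict"]:
        # The server-side flag decides; a cookie with the tag stripped off
        # must not downgrade the user back to the unbound form.
        if len(parts) != 3:
            return None
        if not hmac.compare_digest(_binding_tag(uid, loginkey, client), parts[2]):
            return None  # correct loginkey, different client: a stolen cookie
    return uid


def rotate_loginkey(uid: int) -> None:
    """What a password change (or an "end all other sessions" logout) does:
    every outstanding cookie carrying the old loginkey stops verifying."""
    USERS[uid]["loginkey"] = new_loginkey()


if __name__ == "__main__":
    alice = {"ip": "203.0.113.7", "ua": "Firefox"}   # constructed clients
    mallory = {"ip": "198.51.100.9", "ua": "Opera"}
    plain = login(1, alice)
    print(verify_cookie(plain, mallory))   # the lax cookie works from any browser
    bound = login(1, alice, restrict_to_client=True)
    print(verify_cookie(bound, mallory))   # rejected: wrong IP / User-Agent
    rotate_loginkey(1)
    print(verify_cookie(bound, alice))     # rejected: loginkey regenerated
```

The binding is opt-in per login, which is the shape frostschutz proposes and the answer to Tomm's objection about ISPs that change the IP daily: users on a changing address simply leave the box unticked and keep the lax cookie. The third feature request (expire after X minutes of absence) is just a periodic task calling rotate_loginkey for every user whose last visit is older than X, so it is not modelled separately.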
OK, it works. Changing the password, even to the same user:pass, gets the loginkey regenerated, assuming the account has had its cookie stolen.
Thanks again to y'all guys.

Just ignore what I'm suggesting here...