[CKAN-Security] Auth_tkt Cookie Spoofing

Tyler Kennedy tk at tkte.ch
Thu Aug 1 22:51:25 UTC 2019


Cookie spoofing is an unwinnable battle. Every parameter you can check
against can be spoofed, so it's mostly up to the client to protect the
cookies. Using HTTPS everywhere is the #1 prevention for cookie spoofing.

The most useful things you can do to mitigate cookie spoofing are:

1. Include an IP in the session, and verify the IP address against requests.
Note IPs can still be spoofed, especially if trusted headers are
misconfigured on proxies. User-agent and a few other common headers are
also good to hash.
2. Include a timestamp and invalidate + reissue session IDs frequently.
This minimizes the duration in which sid links and stolen cookies are
useful.
3. Require re-entering passwords ("sudo mode") for any kind of destructive
act (package deletion, account deletion).

On Thu, Aug 1, 2019 at 10:00 AM Ian Ward <ian at excess.org> wrote:

> Thank you for keeping on us about this Shubham,
>
> What do you see as an appropriate fix? Should we be recording the log
> out on the server side and verifying the cookies against the database
> on every page view? Would enforcing a time limit on cookies be good
> enough instead?
>
> Ian
>
> On Mon, Jul 22, 2019 at 5:00 AM Shubham Mahajan
> <mr.shubhammahajan at gmail.com> wrote:
> >
> > Hi Team
> >
> > I am really looking forward to an update in the form of an
> > acknowledgement or a timeline to fix.
> >
> >
> >
> > On Sun, Jun 30, 2019 at 8:23 PM Shubham Mahajan <
> mr.shubhammahajan at gmail.com> wrote:
> >>
> >> Hi Adrià,
> >>
> >> I have tested this scenario with different methods and want to discuss
> >> with your team.
> >> Let me know if you have any questions.
> >>
> >>
> >> On Tue, Mar 12, 2019 at 5:00 PM Shubham Mahajan <
> mr.shubhammahajan at gmail.com> wrote:
> >>>
> >>> Hi Adrià,
> >>>
> >>> Any update on the below one?
> >>>
> >>> On Tue, Feb 19, 2019 at 5:51 PM Adrià Mercader <
> adria.mercader at okfn.org> wrote:
> >>>>
> >>>> Thanks for the report Shubham,
> >>>> The tech team will assess this and come back to you as soon as
> >>>> possible.
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> Adrià
> >>>>
> >>>>
> >>>> On Tue, 19 Feb 2019 at 14:15, Shubham Mahajan <
> mr.shubhammahajan at gmail.com> wrote:
> >>>>>
> >>>>> Hi Team,
> >>>>>
> >>>>> I was going through my project and found a security issue in the
> >>>>> CKAN core.
> >>>>>
> >>>>> ### CKAN Version if known (or site URL)
> >>>>> ckan - 2.7.2 and https://demo.ckan.org/
> >>>>>
> >>>>> ### Please describe the expected behaviour
> >>>>> The cookie should be invalidated if it is copied from another location
> >>>>> or other device, or when the user logs out from the device.
> >>>>>
> >>>>> ### Please describe the actual behaviour
> >>>>> Once you log into CKAN, the cookie auth_tkt is generated. If
> >>>>> I copy this cookie (or the attacker gets the cookie), open a fresh ckan
> >>>>> portal and embed the same cookie, it allows login to the ckan portal.
> >>>>> Even if you log out and use the old cookie, it will allow you to
> >>>>> log in. Tested on demo.ckan.org also.
> >>>>>
> >>>>> ### What steps can be taken to reproduce the issue?
> >>>>> 1. Login to demo.ckan.org
> >>>>> 2. Copy auth_tkt cookie.
> >>>>> 3. Paste that cookie in any other machine or browser or private mode.
> >>>>>
> >>>>> It will log you in.
> >>>>>
> >>>>> *Even if you log out and log in again and log out and use the old
> >>>>> cookie, it's still working.
> >>>>>
> >>>>> --
> >>>>> Regards,
> >>>>>
> >>>>> Shubham Mahajan
> >>>>>
> >>>>> _______________________________________________
> >>>>> CKAN security
> >>>>> https://lists.okfn.org/mailman/listinfo/security
> >>>>>
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
> >>>>>
> >>>>> Repo: https://github.com/ckan/ckan-security
> >>>
> >>>
> >>>
> >>> --
> >>> Regards,
> >>>
> >>> Shubham Mahajan
> >>>
> >>
> >>
> >>
> >> --
> >> Regards,
> >>
> >> Shubham Mahajan
> >>
> >
> >
> >
> > --
> > Regards,
> >
> > Shubham Mahajan
> >
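The mitigations Tyler lists above (binding a hash of the client IP and User-Agent into the ticket, stamping it with an issue time and rotating it frequently) and Ian's question about recording logouts server-side can be combined in one small ticket scheme. The code below is an added illustration written for this archive page; it is not CKAN's or repoze.who's auth_tkt implementation, and the secret key, lifetimes, constructed client addresses and the in-memory `REVOKED_NONCES` store are all assumptions made for the example. It uses an HMAC over `user|issued_at|nonce|fingerprint`, verifies the MAC in constant time before trusting any field, rejects a ticket presented from a client whose fingerprint differs, refuses it after `MAX_AGE`, reissues it after `REISSUE_AFTER` (revoking the old nonce so a stolen copy dies with it), and lets `logout()` revoke a ticket explicitly.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for this example; a real deployment loads the key from
# configuration and keeps the revocation set in a shared store (e.g. a DB).
SECRET_KEY = b"constructed-example-key-rotate-me"
REISSUE_AFTER = 5 * 60      # seconds: rotate the ticket id after this age
MAX_AGE = 60 * 60           # seconds: refuse the ticket outright after this age
REVOKED_NONCES = set()      # server-side record of logged-out / rotated tickets


def client_fingerprint(remote_addr, user_agent):
    """Hash of the client's IP and User-Agent, bound into the ticket so that a
    copy presented from a different client fails verification. remote_addr
    must be the address the proxy layer actually trusts, or this is spoofable."""
    material = f"{remote_addr}\x00{user_agent}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


def _sign(payload):
    """HMAC-SHA256 over the ticket fields, keyed with the server secret."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user_id, remote_addr, user_agent, now=None):
    """Create a signed ticket: user|issued_at|nonce|fingerprint|signature."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # per-ticket id used for revocation
    payload = f"{user_id}|{issued_at}|{nonce}|{client_fingerprint(remote_addr, user_agent)}"
    return f"{payload}|{_sign(payload)}"


def logout(ticket):
    """Record the ticket's nonce so the cookie stops working even if kept."""
    parts = ticket.split("|")
    if len(parts) == 5:
        REVOKED_NONCES.add(parts[2])


def verify_ticket(ticket, remote_addr, user_agent, now=None):
    """Return (user_id, replacement_ticket_or_None); raise ValueError if the
    ticket is forged, bound to another client, revoked, or too old."""
    now = time.time() if now is None else now
    parts = ticket.split("|")
    if len(parts) != 5:
        raise ValueError("malformed ticket")
    user_id, issued_at, nonce, fp, sig = parts
    payload = "|".join(parts[:4])
    # Check the MAC first, in constant time, before trusting any other field.
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("bad signature")
    if nonce in REVOKED_NONCES:
        raise ValueError("ticket revoked")
    if not hmac.compare_digest(fp, client_fingerprint(remote_addr, user_agent)):
        raise ValueError("client fingerprint mismatch")
    age = now - int(issued_at)
    if age < 0 or age > MAX_AGE:
        raise ValueError("ticket expired")
    replacement = None
    if age > REISSUE_AFTER:
        # Rotate: revoke the old nonce so a previously stolen copy is useless.
        REVOKED_NONCES.add(nonce)
        replacement = issue_ticket(user_id, remote_addr, user_agent, now)
    return user_id, replacement


if __name__ == "__main__":
    # Constructed client details; 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges.
    t0 = 1_000_000
    tkt = issue_ticket("alice", "203.0.113.5", "Mozilla/5.0 (example)", now=t0)
    print(verify_ticket(tkt, "203.0.113.5", "Mozilla/5.0 (example)", now=t0 + 60))
    try:
        verify_ticket(tkt, "198.51.100.9", "Mozilla/5.0 (example)", now=t0 + 60)
    except ValueError as exc:
        print("copied cookie rejected:", exc)
```

The fingerprint check is only as strong as the IP the application sees, which is the caveat in Tyler's first point: if the proxy's trusted-header handling is misconfigured, the attacker chooses the address. The server-side nonce set is what turns logout into real invalidation; without it, a signed ticket is valid for as long as its timestamp allows, which is exactly the behaviour Shubham reported.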

