OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Gonçalo Gomes (goncalomicroeuropa.pt)
Date: Wed Nov 28 2001 - 21:16:53 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

     Abstract:
     ---------

            TWIG is a popular free application framework. Some of its features
            are Webmail (through IMAP), Newsgroups (usenet), Bookmarks,
            ToDo Lists, etc.

     Problem Scope:
     --------------

            The default configuration of TWIG has no login security options
            enabled. Whenever a person logins to a webmail service running
            TWIG to check his E-mail, Usenet or any other kind of possible
            uses TWIG may have, may lead to insecure storage of password in
            cookies if the user doesn't issue logout. The password is stored
            in plain text within some other rawurlencode()'d data.

            An example of a cookie caught by Microsoft (C) Internet Explorer:

            twig_authenticated
            %3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A14%3A%22_MY_USER_NAME_%22
            %3Bs%3A8%3A%22password%22%3Bs%3A13%3A%22_MY_PASSWORD_%22%3B%7D
            some.server.com

            I wrote a litle php script to decode this data to make things
            more clear:

            <?
                    echo rawurldecode("%3A2%3A%7Bs%3A8%3A%22username");
                    echo rawurldecode("%22%3Bs%3A14%3A%22_MY_USER_NAME_%22%3Bs");
                    echo rawurldecode("%3A8%3A%22password%22%3Bs%3A13%3A");
                    echo rawurldecode("%22_MY_PASSWORD_%22%3B%7D");
            ?>

            And the results:

            :2:{s:8:"username";s:14:"_MY_USER_NAME_";s:8:"password";s:13:
            "_MY_PASSWORD_";

            However, the username and password are always in plain text.

     FIX:
     -----
            For Admins:

                    Pick your favorite text editor and edit the file
                    <twig-prefix>/config/config.php (or possibly .php3)
                    change the following values:

                    Change:
                    $config["security"] = "basic";
                    To:
                    $config["security"] = "advanced"; // be paranoid

                    And:

                    $config["login_handler"] = "cookie";
                    To:
                    $config["login_handler"] = "securecookie.php4session";

                    Or check the other options described in TWIG documents.

            For Users:

                    Try to reproduce this bug. If you get your username
                    and password written in plain text on your Webmail
                    session cookies.

                    1- Alert your Webmail Service Admin.
                    2- Always logout (no matter what!)
                    3- Make sure when you logout, there's no cookie file
                       containing any private information, regarding your
                       session during the use of TWIG.

     Contacts:
     ----------
            - The author was contacted at Wednesday, November 28, 2001
              4:05 PM and a reply was received after 20 minutes.

            - Some institutions who were caught running TWIG with this
              misconfiguration were alerted and fixed the problem.

     Acknowledgments:
     ----------------
     - Christopher Heschong <chrisscrewdriver.net>
            For the fast response and for pointing me to the obvious
            options.

     - AL Research Group

     Relevant Links:
     ---------------

     Twig Website
            http://screwdriver.net/twig/
     PHP
            http://www.php.net

     Best regards,
     -Gonçalo.