Issue #298 has been updated by Matthias Ganzinger.
Hello Clément, thanks for your reply. I investigated the problem a little further. Obviously, the reason why in my case cookies were set _after_ the headers were sent is the activation of output buffering. I am using OpenSUSE 11.3 and on this system output_buffering is set to 4096 by default. If I change this setting to 0 I also get the log entry you cited and no cookies are sent. Perhaps it is not the cleanest way to use start_session() without checking if any output buffering is active. Another option would be to encrypt the SID sent by email e.g. using my enctoken function. At least, I suggest to include a warning note into the documentation. Regards, Matthias ---------------------------------------- Bug #298: security issue in email password reset http://tools.lsc-project.org/issues/298 Author: Matthias Ganzinger Status: Assigned Priority: High Assigned to: Clément Oudot Category: Self Service Password Target version: self-service-password-0.5 Anybody, who knows the username and email address of another user can reset that persons password *without having access to the corresponding email account.* The reason for this is the us of the php session id as the email token. The session id is regularly sent to the requester's web browser as a cookie. However, the requestor does not necessarily have to be the owner of the account to be reset. The requester can easily read the session id from his browsers cookie store and compose a valid reset url without having access to the email sent to the account owner. To cope with this problem, I propose the following: * Do no longer use the php session id as the token * instead, use an ancrypted token. The encryption key must only be stored on the server. The token will not be sent to the webbrowser. * The token might contain the login name and a timestamp. This has the additional benefit of a token lifetime that is independent of the php session life time I did a proof of concept implementation of my suggestion: In file config.inc.php I added two parameters: <pre> # secret to encrypt email token $keyphrase = "secret"; #lifetime (in seconds) of token for email password reset $token_lifetime = 60*60 </pre> In file functions.inc.php I added two functions for encrypting (AES256) / decrypting and base64 encoding / deconding the token: <pre> function enctoken($token) function dectoken($token) </pre> In File sendtoken.php the token is generated in section "Send token by mail": <pre> # create the token $token = time() .";" . $login; $enctoken = enctoken($token); # Build reset by token URL $method = "http"; if ( $_SERVER['HTTPS'] ) { $method .= "s"; } $server_name = $_SERVER['SERVER_NAME']; $script_name = $_SERVER['SCRIPT_NAME']; $reset_url = $method."://".$server_name.$script_name."?action=resetbytoken&token=".$enctoken; </pre> Finally, in file resetbytoken.php the token is validated in section "Get token": <pre> $dectoken = dectoken($_REQUEST["token"]); $tokentime = strstr($dectoken, ';', true); $login = substr($dectoken, strpos($dectoken, ';')+1); </pre> and the token lifetime is checked: <pre> if ( time() - $tokentime > $token_lifetime ) { $result = "tokennotvalid"; error_log("Token lifetime expired"); } </pre> Thank you for your nice library! I hope my suggestions are helpful. Kind regards, Matthias -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
_______________________________________________ ltb-dev mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-dev
