Hello!

When using HTTP as transport with a public SyncML server, attackers can
send messages to the server while a sync runs. If they manage to do that
so that the server believes that the message came from the client it
wants to talk to, then the session could be hijacked or (more likely)
the server will get so confused that the sync fails.

What protection mechanisms are in place to prevent this? My understanding
is that servers create a random session ID and accept all messages
addressed to a URL which contains that session ID (Funambol: <RespURI>
http://my.funambol.com/sync;jsessionid=EBEB550AE4C588DE559F4253E3FCEC19.NODE01
</RespURI>; Synthesis: <RespURI>
http://www.synthesis.ch/sync2?sessionid=4561864950208023213
</RespURI>).

So the session ID should be truly unpredictable, because the security of
the session depends on it, correct? Does the Synthesis engine create the
number itself? At the very least it needs to know it or the response
URI, so that it can encode it in the outgoing message.

There's also a SessionID inside the SyncHDR. It's a lot shorter
(Synthesis: <SessionID>68</SessionID>) and chosen by the client. Does
the Synthesis engine really do much with this value? How is it created
with libsynthesis as client?

HTTPS is only partly a solution. It prevents reading the response
message during transmission, but unless strict client certificate
checking is enabled, injecting messages is still possible.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.



_______________________________________________
os-libsynthesis mailing list
os-libsynthesis@synthesis.ch
http://lists.synthesis.ch/mailman/listinfo/os-libsynthesis
