Re: Invision Power Board v2.1.4 - session hijacking

2006-03-20 Thread Hans Wolters
Matt, On 17-mrt-2006, at 10:26, [EMAIL PROTECTED] wrote: p.s. ^^^ that email address does not work, and earlier reply got bounced. My problem with this report is this: 1) You've not even read the IPB code. You've stated elsewhere that "using sessions in the URL may appear in JS pop-up wi

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-20 Thread Bill Nash
On Thu, 16 Mar 2006, [EMAIL PROTECTED] wrote: This report is ridiculous and quite frankly shows that the author does not understand how IPB works. Yes, the author is correct in finding that if you: copy the user's IP address, copy the user's user-agent and copy the user's session ID then th

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-20 Thread exon
Please don't take this discussion off-list. You need to hit the "Reply to all" button in your Mozilla mailer. Hans Wolters wrote: Hans Wolters wrote: Matt, But you still need to see the session-id to be able to hijack the session, and for that you need to see someones desktop. Once yo

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-20 Thread exon
Hans Wolters wrote: Matt, On 16-mrt-2006, at 15:55, [EMAIL PROTECTED] wrote: This report is ridiculous and quite frankly shows that the author does not understand how IPB works. Yes, the author is correct in finding that if you: copy the user's IP address, copy the user's user-agent and c

Re: Re: Invision Power Board v2.1.4 - session hijacking

2006-03-20 Thread matt
Hans, My problem with this report is this: 1) You've not even read the IPB code. You've stated elsewhere that "using sessions in the URL may appear in JS pop-up windows". IPB does NOT do this. IPB removes the session ID for all links, including JS code when cookies are enabled. 2) You're miss

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-16 Thread Hans Wolters
Matt, On 16-mrt-2006, at 15:55, [EMAIL PROTECTED] wrote: This report is ridiculous and quite frankly shows that the author does not understand how IPB works. Yes, the author is correct in finding that if you: copy the user's IP address, copy the user's user-agent and copy the user's sessio

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-16 Thread matt
This report is ridiculous and quite frankly shows that the author does not understand how IPB works. Yes, the author is correct in finding that if you: copy the user's IP address, copy the user's user-agent and copy the user's session ID then they can "hijack" your session. That's because, to

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-16 Thread Peter Conrad
Hi, On Tue, Mar 14, 2006 at 07:32:16PM +0100, Hans Wolters wrote: > > Once you visit a site where Invision Board is used the first click on > the Log In link points the visitor to a link with the session id in it: > > index.php?s=&act=Login&CODE=00 > > If you copy this session id, login and s