Full Session Protection SP1.3.x V1.1

Spikecity
Sep 28th, 2004 at 3:10pm
OK, I'm normally at my best when lured into something I can't stand not working ;D

Full Session Protection SP1.3.x V1.1

This upgrade consists of changes to the following 6 scripts:
Load.pl
LogInOut.pl
Subs.pl
Profile.pl
AdminEdit.pl
YaBBC.pl
english.lng (as I needed to add an error line)

What has been changed ?

- header routine is now compatible with latest RFCs (equal to SP2)
- Redirect subs now also pass the cookie (which old code did not)
- Cookie handling now handled by a subroutine (borrowed from SP2)
- User validity is now checked on password and IP based static session id per login session
- All forms now have a hex encrypted dynamic session id which is also based on IP, but where the seed can be any random number between 0 and 99 so each pass the form session changes.
- User password in cookie is now dynamic and changes every logged in session based on 10000 possible random seeds.
- changed template subroutine not to load news.txt for every line in the template (which was stupid)
- image tag bug fix for bmp files
- image tag cannot hold action command to YaBB.

When does it react ?
1. if a user changes IP address he gets logged out
2. if a form holds a session value not related to the IP address from the user
3. if the form has no session value (as all should have one now using some smart regexing in the template subroutine)
4. if the cookie has been tampered with (so hijacking is useless)

Please test (as far as you can tingle with IP addresses and spoofed forms) and report any irregularities.

Version History
1.0
Original Release

1.1
Restricted img tag not to allow any action commands
« Last Edit: Sep 29th, 2004 at 5:55pm by Spikecity »  

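The four checks listed under "When does it react?", as an added sketch in Python. This is not the mod's Perl code: the HMAC construction, the server-side key and every function name are assumptions, and the IP addresses are constructed documentation addresses. `replay_clicks` shows the side effect raised later in the thread for users behind a rotating proxy pool.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-board secret kept server-side; the thread does not show
# how the mod actually derives its session values.
SERVER_KEY = secrets.token_bytes(32)

def _mac(*parts):
    msg = "\x00".join(parts).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def login_session_id(user, password_hash, ip):
    """Static for one login session: bound to the account secret and client IP."""
    return _mac("login", user, password_hash, ip)

def form_token(session_id, ip, seed=None):
    """Dynamic per form: a seed in 0..99 (as in the post) plus a MAC over it."""
    seed = secrets.randbelow(100) if seed is None else seed
    return f"{seed:02x}{_mac('form', session_id, ip, str(seed))}"

def check_request(user, password_hash, cookie_sid, ip, token):
    """Return 'ok' or the reason the request is refused."""
    expected_sid = login_session_id(user, password_hash, ip)
    if not hmac.compare_digest(cookie_sid, expected_sid):
        # A tampered cookie and a changed IP are indistinguishable here,
        # which is why a rotating proxy pool logs the user out.
        return "logout: cookie/IP mismatch"
    if not token:
        return "reject: form has no session value"
    try:
        seed = int(token[:2], 16)
    except ValueError:
        return "reject: malformed session value"
    expected = form_token(expected_sid, ip, seed)
    if seed > 99 or not hmac.compare_digest(token, expected):
        return "reject: session value not tied to this IP"
    return "ok"

def replay_clicks(user, password_hash, login_ip, click_ips):
    """Constructed scenario: one login, then clicks arriving from click_ips."""
    sid = login_session_id(user, password_hash, login_ip)
    tok = form_token(sid, login_ip)
    return [check_request(user, password_hash, sid, ip, tok) for ip in click_ips]
```
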
 
mimit
Re: Full Session Protection SP1.3.x V1.0
Reply #1 - Sep 28th, 2004 at 6:14pm
Nice mod :D
Thanks Ron ;)

Just a question, is it compatible with the encrypt password mod?
  
Spikecity
Re: Full Session Protection SP1.3.x V1.0
Reply #2 - Sep 28th, 2004 at 6:30pm
mimit wrote on Sep 28th, 2004 at 6:14pm:
Nice mod :D
Thanks Ron ;)

Just a question, is it compatible with the encrypt password mod?

Mmmm.... don't know. I only encrypt the password that is in the cookie differently, so definitely not.
  

Jazhawk
Re: Full Session Protection SP1.3.x V1.1
Reply #3 - Sep 29th, 2004 at 3:41pm
Thanks a bunch Ron.  I'll get back with you when it's loaded up.

-Jazhawk
  
Spikecity
Re: Full Session Protection SP1.3.x V1.1
Reply #4 - Sep 29th, 2004 at 5:50pm
Jazhawk wrote on Sep 29th, 2004 at 3:41pm:
Thanks a bunch Ron.  I'll get back with you when it's loaded up.

-Jazhawk

Take your time as there are certainly coming changes and additions on this mod.

We are currently discussing what should be protected and what not without restricting users too much and without contaminating the url with large gibberish session codes.
Although this discussion is hidden from the normal audience (while we discuss a lot of "better not show the public" methods to hack the board in there), all the brilliant minded YaBB gurus attend, so we have Michael from here, Unknown from the SMF team, a few of the SP2 devs and YaBB staff, and me trying to think of any devious action a cracker could take to undermine the board.
So far I think we have covered about 80% with the current version (like all form actions and misuse of the img tag), but there are some things we need to further discuss and test.
I am convinced that after we have finished with this major security overhaul YaBB in any version would be topping the list of "difficult to hack" ;D
  

batchman
Re: Full Session Protection SP1.3.x V1.1
Reply #5 - Sep 29th, 2004 at 7:49pm
So once this mod is installed, those with fairly permanent connections will be much better off, as far as log-ins go, than those on dial-up.

Still, if it's safer, it may well be worth it.
  

Spikecity
Re: Full Session Protection SP1.3.x V1.1
Reply #6 - Sep 29th, 2004 at 9:46pm
batchman wrote on Sep 29th, 2004 at 7:49pm:
So once this mod is installed, those with fairly permanent connections will be much better off, as far as log-ins go, than those on dial-up.

Still, if it's safer, it may well be worth it.

The only thing users with changing IP addresses lose is the "stay logged in" feature, which is a small price to pay compared to what I now know hackers can do to any YaBB currently running.
Not that the holes we found are huge and obvious, but as we progress in making YaBB more secure, so do the hackers to find new loopholes to get in or damage the board.
The good thing is that it gets the best out of developers as it is a constant race "good vs bad" but the bad thing is that it is open source software so it only takes downloading the latest version and looking at the code to see how to get around it.

I still like the challenge though ;D
  

BillBSET
Re: Full Session Protection SP1.3.x V1.1
Reply #7 - Oct 3rd, 2004 at 11:01pm
I am getting ready to install this and I have a question... With the counting stuff I have been doing, I think that I see some AOL users constantly getting a different IP from their server... I mean while they are browsing... it sort of looks like with each click a different IP... First, I don't know for sure that is what is happening but I think it is... the reason I even noticed is that I had heard that this happens. I had one that was refusing my counter cookie and getting a new IP often.

Even I am having trouble understanding what I am saying but anyway... Is it possible that they are getting a new IP every click or so, or maybe something else explains it...
  


Dam Yankee
Re: Full Session Protection SP1.3.x V1.1
Reply #8 - Oct 4th, 2004 at 3:30am
Yes, that is exactly what happens with AOL. AOL uses proxy servers and caches pages for faster retrieval. Here is some more info:

http://webmaster.info.aol.com/proxyinfo.html
  
BillBSET
Re: Full Session Protection SP1.3.x V1.1
Reply #9 - Oct 4th, 2004 at 6:54am
Thanks Dam Yankee,,,
That is Exactly what is happening...

hmmm...

Thanks!!!
  


Captain_N
Re: Full Session Protection SP1.3.x V1.1
Reply #10 - Oct 13th, 2004 at 12:55am
Quote:
"better not show the public" methods to hack the board


...yeah. ;)

*laughs*

xodnizel, emulator author, comes to IRC channel: "I'm bored. I'm going to hack your forum."

Me: "Okay, just don't destroy any topics. Expose any bugs however you like." *sends xodnizel the URL to the hidden, temporary board*

*xodnizel plays around with board*

xodnizel: "Go here. Then there. Then reload here."

@.@

Yeah, I'm glad that most people aren't evil and that this mod has finally been written.

Thank you. ^^
  
Spikecity
Re: Full Session Protection SP1.3.x V1.1
Reply #11 - Oct 15th, 2004 at 7:43am
Can anyone having this mod installed and having AOL users please report if there are any problems with AOL ?
This is crucial information to decide if the way this protection now works is the correct way or if I need to rethink about alternative manners.

Thanks,

Ron
  

Dam Yankee
Re: Full Session Protection SP1.3.x V1.1
Reply #12 - Oct 16th, 2004 at 2:47am
I would test this for you, but the only reason I haven't installed it is because my IP# changes frequently due to my LAN modem. I didn't want to have to keep logging in every time my IP# changed. If there's any way to disable that part of the mod (for at least admin), I'll install it. I've got a few members with AOL.
  
Spikecity
Re: Full Session Protection SP1.3.x V1.1
Reply #13 - Oct 16th, 2004 at 12:24pm
Quote:
I would test this for you, but the only reason I haven't installed it is because my IP# changes frequently due to my LAN modem. I didn't want to have to keep logging in every time my IP# changed. If there's any way to disable that part of the mod (for at least admin), I'll install it. I've got a few members with AOL.


Giving admins immunity to IP sessions would be contradictory to the protection it should provide as admin and gmod sessions are the ones most likely to be hijacked for their extra powers to get into the heart of the board.
  

Dam Yankee
Re: Full Session Protection SP1.3.x V1.1
Reply #14 - Oct 16th, 2004 at 3:02pm
Okay, I understand. On Monday, I'll hook my old modem back up, install the mod, and help you test it. I definitely like the idea of this mod, being the queen of paranoia that I am. lol ;)
  