The attached patch makes Secure Pages able to detect and prevent hijacked sessions from accessing SSL pages. See http://drupal.org/node/65371#comment-123944 for my explanation of how it works and why it is useful.


Comments

grendzy’s picture

Has anyone tested this patch? It sounds like a great addition to securepages. Is it likely to get committed?

grendzy’s picture

Status: Needs review » Reviewed & tested by the community
FileSize
3.93 KB

I've just tested this patch out. It worked exactly as advertised for me. I'll describe how I tested it so others can repeat it:

  1. Go to your Drupal site, and log out if you're not already
  2. Fire up Wireshark, set it to listen on port 80 (there are numerous other ways to get your session ID, but this is how I did it)
  3. Log in to your site, then make sure to visit an insecure link via plain http
  4. Now look in your Wireshark capture. You'll see something like this:
    GET /system/files/images/main+page+pic+for+web.preview.jpg HTTP/1.1
    Accept: */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    Cookie: MOODLEID_=%25ED%25C3%251CC%25B7d; PHPSESSID=82f3f2488d56800af56072637e73
    3d99; userbg=userbg-paper; userfontsz=userfontsz-normal; userwdth=userwdth-liqui
    d
    User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9.1 (KH
    TML, like Gecko) Safari/419.3
    Connection: keep-alive
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Date: Mon, 12 Feb 2007 22:05:39 GMT
    Server: Apache/1.3.33 (Darwin) PHP/4.4.4 mod_ssl/2.8.24 OpenSSL/0.9.7l
    X-Powered-By: PHP/4.4.4
    
  5. We are, of course, just interested in the PHPSESSID. Now go to a different computer or browser (I used Safari for the legit login, and Firefox for the hijack attempt). Visit the site so you have the cookie. Now find your cookie file (on my computer it's in Library/Application Support/Firefox/Profiles/Y2HAeGsP.default/cookies.txt, yours may differ). Edit the cookie file, inserting your stolen PHPSESSID in your site's cookie.
  6. Now visit your site with this other browser. You'll see that you are now logged in as the user whose SESSID you swiped. Congrats, you have just hijacked your site!
  7. Now, try to do something nasty, like go visit /node/1/edit. You'll see this message: "The Secure Pages module has detected an invalid session access attempt.". Securepages saves the day!

P.S. - I'm attaching a new patch, since the original no longer applies cleanly to the 4.7 release. There are no code changes; it's just that the revision number at the top of the file didn't match. I'm also bumping the status up to "ready to be committed" (in my humble opinion).
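
One way a server can tell the session owner from a replayed session ID on SSL pages, as an added example that is not the patch's code or part of the original comments: a second cookie carrying the Secure flag is bound to the session and required on every HTTPS request. The `SSLTOKEN` cookie name, the HMAC derivation and the helper names are assumptions; the mechanism the patch actually uses is described in the linked comment, not on this page.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed: per-site secret, never sent to clients
SESSION_COOKIE = "PHPSESSID"          # name taken from the capture in the thread
TOKEN_COOKIE = "SSLTOKEN"             # hypothetical name for the HTTPS-only cookie


def token_for(session_id: str) -> str:
    """Derive the HTTPS-only token tied to one session ID."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_login_cookies(session_id: str) -> dict:
    """Cookies set by the HTTPS login response: name -> (value, secure_flag)."""
    return {
        SESSION_COOKIE: (session_id, False),          # also sent over plain http
        TOKEN_COOKIE: (token_for(session_id), True),  # Secure flag: https only
    }


def cookie_header(jar: dict, scheme: str) -> str:
    """Cookie header a browser would send; Secure cookies are withheld on http."""
    return "; ".join(f"{name}={value}" for name, (value, secure) in jar.items()
                     if scheme == "https" or not secure)


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value mapping."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}


def allow_ssl_request(header: str) -> bool:
    """Server-side check on an HTTPS page: the token must match the session ID."""
    cookies = parse_cookies(header)
    session_id = cookies.get(SESSION_COOKIE, "")
    presented = cookies.get(TOKEN_COOKIE, "")
    expected = token_for(session_id)
    return bool(session_id) and hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    jar = issue_login_cookies("constructed-session-id-0001")  # constructed sample value
    seen_on_wire = cookie_header(jar, "http")  # all that a port-80 capture contains
    print("plain http request carries:", seen_on_wire)
    print("owner on https allowed:", allow_ssl_request(cookie_header(jar, "https")))
    print("replayed session ID allowed:", allow_ssl_request(seen_on_wire))
```

A check of this kind protects only the HTTPS pages: the session ID still travels over plain http, so the non-SSL pages stay reachable with it, as step 6 shows.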

grendzy’s picture

Status: Reviewed & tested by the community » Closed (won't fix)

automatically closed - The 4.7 branch is no longer supported. If this issue is present in a currently supported version, please change the version field and re-open. Thanks!