Closed: ngiddings closed this issue 9 years ago.
I was just able to use the same technique to view a user's account information.
Here are the details I got:
Username: jackson
Email: mauris@ligula.net
It seems like it could be possible to fake being authorized into another's account, on top of being able to anonymously authorize yourself. By filling a cookie with the correct data, and given the lack of encryption anywhere, I can't think of anything preventing this.
I haven't been able to confirm this exploit, but it is something we should look into.
I'm thinking that we should migrate the information needed to validate sessions to the server. The client can keep track of a session ID, and then when it presents the session ID to the server for validation the server can have a temporary file associated with it that can be used to verify the session. Obviously the file would not be able to hold sensitive data unencrypted.
Any input on this?
The authentication branch implements a set of patches that should fix this. After testing, we can merge the branch and close this issue.
On second thought, we should close this so it's clearer what needs to be done.
By manually creating cookies with the names 'PHPSESSID' and 'user', one can masquerade as an authorized user and post videos. The contents of the cookies are irrelevant; their mere existence is all the site checks for.
It seems safe to assume that this applies to all actions that require authentication; however, the only verified exploit is being able to post anonymous videos.
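As an added example (not code from this project), the existence-only cookie check described in this issue beside the server-side session validation proposed in the thread. It assumes a PHP app served over HTTPS; the helper names and the upload handler are hypothetical, and PHP's built-in file-backed session store plays the role of the server-side "temporary file" suggested above.

```php
<?php
// Added illustration, not project code; the helper names and the
// upload handler are hypothetical.
// BEFORE: the check the issue describes. Any value in the two cookies
// passes, because only their presence is tested.
function isAuthorizedBroken(array $cookies): bool
{
    return isset($cookies['PHPSESSID']) && isset($cookies['user']);
}

// AFTER: the client keeps only the opaque session ID; username and
// login state live in the server-side store (PHP's default handler is
// a file under session.save_path, keyed by PHPSESSID).
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(string $username): void
{
    session_regenerate_id(true);   // fresh ID once authenticated
    $_SESSION['user']      = $username;
    $_SESSION['authed_at'] = time();
}

function isAuthorizedServerSide(int $maxAge = 3600): bool
{
    // A forged PHPSESSID with no matching server record gives an empty
    // $_SESSION, so a fabricated 'user' cookie is never consulted.
    if (empty($_SESSION['user']) || empty($_SESSION['authed_at'])) {
        return false;
    }
    if (time() - (int) $_SESSION['authed_at'] > $maxAge) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Hypothetical video-post handler:
startHardenedSession();
if (!isAuthorizedServerSide()) { http_response_code(403); exit('Not authorized'); }
```

The hardened path never reads a client-supplied `user` cookie at all, which is what makes the "cookie contents are irrelevant" finding moot.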