liuzhe02 / bigbluebutton

Automatically exported from code.google.com/p/bigbluebutton

Prevent re-use of join URL #1937

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
When joining a meeting from the WordPress plugin, the password is travelling in the GET 
request.

How do I set it to the POST method, as the BigBlueButton server is accepting the request via 
GET? Please suggest where to locate the file to fix this issue, or any idea.

Original issue reported on code.google.com by rupes...@gmail.com on 1 May 2015 at 8:26

GoogleCodeExporter commented 8 years ago
This is not an issue but how BigBlueButton is designed.

The passwords (albeit named attendeePW and moderatorPW) are really tokens.  Most 
3rd party integrations create a random string for the moderator and viewer 
tokens when creating the meeting and, depending on the user, return one of 
these tokens in the join URL.

The real security is in the shared secret and checksum.  See

  http://docs.bigbluebutton.org/dev/api.html#usage

For more information on security in BigBlueButton, see

  http://docs.bigbluebutton.org/support/faq.html#does-bigbluebutton-offer-secure-collaboration

Original comment by ffdixon@gmail.com on 1 May 2015 at 3:16

GoogleCodeExporter commented 8 years ago
If someone catches or distributes this URL and enters it in a browser while the meeting 
is running, they successfully get entered, as I mentioned in the above screenshot. 
This URL is passing through GET.  

Is there any way to block this direct link access? My website auditing dept. 
told me to fix this issue to clear the audit.

10.25.122.38/bigbluebutton/api/join?meetingID=9b62c525379ddd6d8482a2a0d89d345f41d7232b&fullName=mad&password=753e91286bebce0ddd63dc0bb65bb7b5&checksum=0af6187c8b6d8c2b61a9f2cd49ca8bb57f01fb12

Original comment by rupes...@gmail.com on 14 May 2015 at 8:55

GoogleCodeExporter commented 8 years ago
While the parameter may say password, think of it more as a meeting token.  The 
URL has a checksum that is signed by a shared secret.  Any changes to the URL 
would invalidate the checksum.

For more information on security in BigBlueButton, see

  http://docs.bigbluebutton.org/support/faq.html#does-bigbluebutton-offer-secure-collaboration

Original comment by ffdixon@gmail.com on 14 May 2015 at 9:14

GoogleCodeExporter commented 8 years ago
I agree any changes to the URL would invalidate the checksum, but if a user pastes 
the same link, it gets entered. How to block it?

Original comment by rupes...@gmail.com on 14 May 2015 at 9:33

GoogleCodeExporter commented 8 years ago
[deleted comment]

GoogleCodeExporter commented 8 years ago
It should be possible to match the user with a session token, or to allow the 
use of a join URL only once by the server.

We'll look at doing this as part of a future release.  To understand how we 
prioritize features, see

  http://docs.bigbluebutton.org/support/faq.html#when-will-feature-x-be-implemented

Original comment by ffdixon@gmail.com on 16 May 2015 at 7:36
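The two points made above, that the checksum signed with the shared secret defeats tampering but not replay of an unmodified URL, and that the server could honour each join URL only once, as an added example. This is not BigBlueButton's or the WordPress plugin's code; the checksum rule (SHA-1 over callName + queryString + sharedSecret, checksum parameter excluded) follows the linked API docs, while the shared secret, meeting values and the `JoinGate` class are constructed for illustration, and the single-use gate is a hypothetical sketch of the proposal in the comment above, not a shipped feature.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

# Constructed shared secret for illustration only; never a real deployment value.
SHARED_SECRET = "c0ffee00c0ffee00c0ffee00c0ffee00"


def bbb_checksum(call_name: str, query: str, secret: str) -> str:
    """Checksum as described in the BigBlueButton API docs: SHA-1 over
    callName + queryString + sharedSecret, with the checksum parameter itself
    left out of queryString."""
    return hashlib.sha1((call_name + query + secret).encode("utf-8")).hexdigest()


def build_join_url(base: str, params: dict, secret: str) -> str:
    """Build a join URL the way a 3rd-party integration (e.g. a CMS plugin) would."""
    query = urlencode(params)
    return f"{base}/bigbluebutton/api/join?{query}&checksum={bbb_checksum('join', query, secret)}"


def split_query(raw_query: str):
    """Return (query string without the checksum parameter, supplied checksum).
    Works on the raw string so the exact characters that were signed are kept."""
    kept, supplied = [], ""
    for part in raw_query.split("&"):
        if part.startswith("checksum="):
            supplied = part[len("checksum="):]
        elif part:
            kept.append(part)
    return "&".join(kept), supplied


def verify_checksum(url: str, secret: str) -> bool:
    """Server-side check: recompute the checksum and compare in constant time.
    Any edit to meetingID, fullName or password changes the expected value."""
    parts = urlsplit(url)
    call_name = parts.path.rsplit("/", 1)[-1]
    query, supplied = split_query(parts.query)
    expected = bbb_checksum(call_name, query, secret)
    return hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8"))


class JoinGate:
    """Hypothetical single-use join gate (not BigBlueButton's implementation).
    A valid checksum identifies exactly one signed URL, so remembering the
    checksums already consumed lets the server refuse a pasted copy."""

    def __init__(self, secret: str):
        self.secret = secret
        self.consumed = set()

    def admit(self, url: str) -> str:
        if not verify_checksum(url, self.secret):
            return "rejected: bad checksum"
        _, checksum = split_query(urlsplit(url).query)
        if checksum in self.consumed:
            return "rejected: join URL already used"
        self.consumed.add(checksum)
        return "admitted"


if __name__ == "__main__":
    # Constructed meeting values; the password is a per-meeting viewer token.
    url = build_join_url(
        "https://bbb.example.org",
        {"meetingID": "demo-meeting", "fullName": "mad", "password": "viewer-token-1"},
        SHARED_SECRET,
    )
    gate = JoinGate(SHARED_SECRET)
    print(gate.admit(url))                                           # admitted
    print(gate.admit(url))                                           # rejected: join URL already used
    print(gate.admit(url.replace("fullName=mad", "fullName=eve")))   # rejected: bad checksum
```

Two caveats a practitioner would want: the gate only stops the second use of a leaked link, so whoever pastes it first still gets in, and the `consumed` set lives in one process's memory, so a real deployment would need a shared store with expiry tied to the meeting's lifetime. The example also shows why the shared secret itself never appears in the URL: only its SHA-1 binding to the parameters does, which is what the comments above mean by the "real security" being in the secret and checksum.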

GoogleCodeExporter commented 8 years ago
Dear Team,

The newly reported vulnerability (Authentication Bypass) found in BigBlueButton 
was actually found and reported by the undersigned, although it was 
communicated by Mr Rupesh in my absence. A PoC will be shared with you, if it 
is required for your future reference. The PoC will contain the complete testing 
methodology of the reported finding.

As you have already accepted that the reported finding is present in your 
module and you will patch it and release the upgraded module with a new version, 
I request you to give some credit for motivating my skills; it will be 
much beneficial for my career prospects. 

I can also provide you the best solution for the reported finding.

Your response is highly appreciated.

With Best Regards,
Vibhor Gupta
InfoSec Consultant & Security Researcher

Original comment by guptavib...@gmail.com on 20 May 2015 at 11:43