Orkut Server Side Session Management Error
The most recent version of this document is available at:-
http://susam.in/security/advisory-2007-06-22.txt
Release date:-
22 June, 2007
Type:-
Session management error
Authors:-
Susam Pal, Vipul Agarwal
Researchers:-
Susam Pal, Vipul Agarwal, Gaurav Mogre
(Gaurav's input is present in this advisory even though he could not
play a role in writing this advisory.)
Description of normal logout:-
On a successful login, Orkut sets a client side session cookie called
'orkut_state' to keep track of sessions. When a user logs out, the
client side cookie is deleted.
Description of unsuccessful authentication during a session:-
When a user fails to authenticate himself during a session (say, while
deleting a community), the user is redirected to a login page where he
has to enter his password to reauthenticate himself. The user is not
required to enter his user-name again. The user-name is already shown on
the login page and the user is required to enter the password only. In
this case, the client side cookie is not deleted in order to keep track
of the user re-authenticating himself.
Vulnerability:-
Orkut fails to expire or disable the session associated with the
'orkut_state' cookie when the user logs out or fails to authenticate
himself during a session.
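The flaw and its fix side by side, as an added example that is not code from this advisory or from Orkut: a minimal server-side session store in which logout and a failed re-authentication disable the session on the server instead of only deleting the client cookie, and a successful re-authentication rotates the token. The class, its method names and the in-memory store are assumptions; only the 'orkut_state' cookie name and the 24-hour expiry come from the advisory.

```python
import secrets
import time

class SessionStore:
    """Server-side session store keyed by the opaque cookie value (constructed example)."""

    def __init__(self, ttl_seconds=24 * 3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> {"user", "expires", "authenticated"}

    def _issue(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": now + self.ttl, "authenticated": True}
        return token

    def login(self, user, now=None):
        return self._issue(user, time.time() if now is None else now)

    def lookup(self, token, now=None):
        # The user behind a live, fully authenticated session, else None.
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(token, None)
            return None
        return entry["user"] if entry["authenticated"] else None

    def logout_client_only(self, token):
        # The advisory's flaw: browser drops the cookie, server keeps the session.
        return {"Set-Cookie": "orkut_state=; Max-Age=0"}

    def logout(self, token):
        # Fix: invalidate server-side too, so a captured cookie value is dead.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "orkut_state=; Max-Age=0"}

    def require_reauth(self, token):
        # Downgrade: still names the user for the password-only page, authorises nothing.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        entry["authenticated"] = False
        return entry["user"]

    def reauthenticate(self, token, password_ok, now=None):
        # Failure disables the session; success rotates to a fresh token.
        entry = self._sessions.pop(token, None)
        if entry is None or not password_ok:
            return None
        return self._issue(entry["user"], time.time() if now is None else now)
```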
Impact:-
Previous advisory:-
Net-Square Solutions Pvt. Ltd. reported a similar issue to Google on
10 February, 2006 and released an advisory on 31 January, 2007 which
reports the vulnerability to have been fixed with session cookies now
set to expire in 24 hours. This Net-Square advisory is available at:
http://net-square.com/advisory/NS-310107-ORKUT.pdf
However, attacks are still possible before the expiry of the cookies as
described in the previous section. A more secure solution is described
in the next section.
Solutions:-
Prevention:-
Disclaimer:-
This document is published with the hope that it will be useful, but
without any warranty; without even the implied warranty of
merchantability or fitness for a particular purpose. The information in
this advisory should be used for education, research, experimentation,
bug-fixes and patch-releases only. The authors shall not be liable in
any event of any damages, incidental or consequential, in connection
with, or arising out of this advisory.
Contact Information:-
Susam Pal
[email protected]
http://susam.in/
Vipul Agarwal
[email protected]
http://www.ang-productions.com/
Full-Disclosure - We believe in it.