View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000708 | Composr | core | public | 2012-07-28 20:45 | 2014-10-09 13:15 |
| Reporter | Chris Graham | Assigned To | Chris Graham | ||
| Priority | normal | Severity | feature | Reproducibility | N/A |
| Status | resolved | Resolution | fixed | ||
| Product Version | |||||
| Target Version | Fixed in Version | ||||
| Summary | 0000708: Increase complexity of session IDs | ||||
| Description | If someone disables the "Enforce IP addresses for sessions" option, then a brute-force hack-attack (executing within a timeframe of an admin having been active) could steal the admin login. The brute-force would need to last roughly 11-days (if 10 requests per second): (10^7)/(10*3600*24) The default session expiry time is significantly less than this. The following conjunction of events would make a site vulnerable: - A hacker attacking a site - Run by someone who wasn't noticing the ramp-up in (suspicious) hits - Run by someone who'd disabled the "Enforce IP addresses for sessions" option - A persistent attack lasting months (multiples of 11-days, hoping for an overlap between guessing a session ID and that session ID having not yet expired) If we increase the session ID complexity we can reduce the likelihood of a guess significantly. | ||||
| Tags | No tags attached. | ||||
| Attach Tags | |||||
| Time estimation (hours) | 8 | ||||
| Sponsorship open | |||||
