TWIG default configurations may lead to insecure auth-cookie password storage

From: Gonçalo Gomes (goncaloat_private)
Date: Wed Nov 28 2001 - 19:16:53 PST


     Abstract:
     ---------
    
            TWIG is a popular free application framework. Some of its features
            are Webmail (through IMAP), Newsgroups (usenet), Bookmarks,
            ToDo Lists, etc.
    
    
     Problem Scope:
     --------------
    
            The default configuration of TWIG has no login security options
            enabled. When a person logs in to a webmail service running
            TWIG to check E-mail, Usenet, or any other feature TWIG
            provides, the password may be stored insecurely in a cookie
            if the user doesn't log out. The password is stored in plain
            text within some other rawurlencode()'d data.
    
            An example of a cookie caught by Microsoft (C) Internet Explorer:
    
            twig_authenticated
            %3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A14%3A%22_MY_USER_NAME_%22
            %3Bs%3A8%3A%22password%22%3Bs%3A13%3A%22_MY_PASSWORD_%22%3B%7D
            some.server.com
    
            I wrote a little PHP script to decode this data to make things
            more clear:
    
            <?php
                    // Decode the cookie value shown above, one
                    // rawurlencode()'d fragment at a time.
                    echo rawurldecode("%3A2%3A%7Bs%3A8%3A%22username");
                    echo rawurldecode("%22%3Bs%3A14%3A%22_MY_USER_NAME_%22%3Bs");
                    echo rawurldecode("%3A8%3A%22password%22%3Bs%3A13%3A");
                    echo rawurldecode("%22_MY_PASSWORD_%22%3B%7D");
            ?>
    
            And the results:
    
            :2:{s:8:"username";s:14:"_MY_USER_NAME_";s:8:"password";s:13:
            "_MY_PASSWORD_";
    
            However, the username and password are always in plain text.
    
     FIX:
     -----
            For Admins:
    
                    Pick your favorite text editor and edit the file
                    <twig-prefix>/config/config.php (or possibly .php3)
                    change the following values:
    
                    Change:
                    $config["security"] = "basic";
                    To:
                    $config["security"] = "advanced"; // be paranoid
    
                    And:
    
                    $config["login_handler"] = "cookie";
                    To:
                    $config["login_handler"] = "securecookie.php4session";
    
                    Or check the other options described in TWIG documents.
    
            For Users:
    
                    Try to reproduce this bug. If you find your username
                    and password written in plain text in your Webmail
                    session cookies:
    
                    1- Alert your Webmail Service Admin.
                    2- Always logout (no matter what!)
                    3- Make sure when you logout, there's no cookie file
                       containing any private information, regarding your
                       session during the use of TWIG.
    
     Contacts:
     ----------
            - The author was contacted on Wednesday, November 28, 2001
              4:05 PM and a reply was received after 20 minutes.
    
            - Some institutions who were caught running TWIG with this
              misconfiguration were alerted and fixed the problem.
    
    
     Acknowledgments:
     ----------------
     - Christopher Heschong <chrisat_private>
            For the fast response and for pointing me to the obvious
            options.
    
     - AL Research Group
    
    
     Relevant Links:
     ---------------
    
     Twig Website
            http://screwdriver.net/twig/
     PHP
            http://www.php.net
    
    
     Best regards,
     -Gonçalo.
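
A defender-side check for the cookie described in the advisory, added here as an example; it is not part of the original post or of TWIG. It decodes a cookie value and reports credential-like keys stored as readable strings, without printing the values. The function names and the list of sensitive key names are assumptions.

```php
<?php
// Added example: audit a rawurlencode()'d, PHP-serialized cookie value.

// Cookie value as quoted in the advisory (placeholders, not real data).
$cookie = '%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A14%3A%22_MY_USER_NAME_%22'
        . '%3Bs%3A8%3A%22password%22%3Bs%3A13%3A%22_MY_PASSWORD_%22%3B%7D';

// Key names treated as sensitive: an assumption, extend for your site.
const SENSITIVE_KEYS = ['password', 'passwd', 'pass', 'secret'];

// Collect every s:N:"..."; token with its byte offsets. A length-aware scan
// replaces unserialize(), which should never be fed untrusted cookie data,
// and it still works when the capture lost its leading characters.
function serialized_strings(string $data): array
{
    $tokens = [];
    $pos = 0;
    while (preg_match('/s:(\d+):"/', $data, $m, PREG_OFFSET_CAPTURE, $pos)) {
        $body = $m[0][1] + strlen($m[0][0]);   // first byte of the string
        $len  = (int) $m[1][0];                // declared byte length
        if (substr($data, $body + $len, 2) !== '";') {
            $pos = $body;                      // not a real token, move on
            continue;
        }
        $pos = $body + $len + 2;
        $tokens[] = ['text' => substr($data, $body, $len),
                     'start' => $m[0][1], 'end' => $pos];
    }
    return $tokens;
}

// Return sensitive key => length of the string value stored right after it.
function find_plaintext_secrets(string $rawCookie): array
{
    $tokens = serialized_strings(rawurldecode($rawCookie));
    $hits = [];
    foreach ($tokens as $i => $key) {
        $value = $tokens[$i + 1] ?? null;
        if ($value !== null && $value['start'] === $key['end']
            && in_array(strtolower($key['text']), SENSITIVE_KEYS, true)) {
            $hits[$key['text']] = strlen($value['text']);
        }
    }
    return $hits;
}

foreach (find_plaintext_secrets($cookie) as $name => $len) {
    echo "cookie stores \"$name\" as a readable $len-byte string\n";
}
```

An empty result for a cookie captured after switching `$config["login_handler"]` away from `cookie` is what the admin fix above should produce.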
    


