Forum

Thread tagged as: Problem, Suggestions

Security issue?

Hi,

We've just discovered that Perch has a security risk. The Perch admin section is currently vulnerable to session fixation / session hijacking. Even after 30 minutes the session id has still not expired. This can be fixed by adding the PHP function session_regenerate_id (https://php.net/manual/en/function.session-regenerate-id.php) every 5 minutes, or even every request or every x amount of requests.

I presume more advanced programmers will also counter this by adding session regeneration. But for more inexperienced programmers, or even non-programmers, this might be a risk.

Best regards, Bart

Head Office · 0 points · 2 years ago
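As an added example (not Bart's quick fix and not Perch's own code), this is one way to combine the periodic regeneration Bart describes with the other controls that shorten the time a captured session cookie stays useful: strict mode against fixated ids, a server-side idle timeout, and hardened cookie flags. The constants, the `on_successful_login` function and its `$userId` parameter are assumed names chosen for this illustration.

```php
<?php
// Added example, not Perch's code: session hygiene for an admin area, applied at
// the top of every authenticated request. The interval, request count and idle
// timeout are illustrative values.

declare(strict_types=1);

const REGEN_INTERVAL_SECONDS = 300;  // rotate the id at least every 5 minutes
const REGEN_EVERY_N_REQUESTS = 50;   // ...or every 50 requests, whichever comes first
const IDLE_TIMEOUT_SECONDS   = 1800; // a session idle for 30 minutes is destroyed, not resumed

// Refuse ids the server never issued: an id planted by an attacker is simply
// replaced, which removes the classic session-fixation setup.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,        // cookie dies with the browser
    'path'     => '/',
    'secure'   => true,     // HTTPS only: a cookie sent in clear can be intercepted
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

$now = time();

// Idle timeout: enforce it server-side rather than trusting the cookie lifetime.
if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > IDLE_TIMEOUT_SECONDS) {
    $_SESSION = [];
    session_destroy();
    session_start();             // continue with a fresh, anonymous session
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = $now;

// Periodic rotation: a captured id stays valid only until the next rotation.
$_SESSION['regen_at']  = $_SESSION['regen_at']  ?? $now;
$_SESSION['req_count'] = ($_SESSION['req_count'] ?? 0) + 1;

if (($now - $_SESSION['regen_at']) >= REGEN_INTERVAL_SECONDS
    || $_SESSION['req_count'] >= REGEN_EVERY_N_REQUESTS) {
    // true: delete the old session data so the previous id stops working at once
    session_regenerate_id(true);
    $_SESSION['regen_at']  = $now;
    $_SESSION['req_count'] = 0;
}

// Rotation also belongs at every privilege change, regardless of the timer:
// the id issued before login must never survive into the authenticated session.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['regen_at']  = time();
    $_SESSION['req_count'] = 0;
}
```

One caveat for the request-count variant: `session_regenerate_id(true)` discards the old session data immediately, so a browser firing several requests at once (AJAX calls) can have an in-flight request arrive with the just-retired id and be treated as anonymous. The PHP manual's recommended refinement is a custom session handler that keeps the old id readable for a few seconds before deleting it; the time-based rotation above is less exposed to that race.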
Drew McLellan · 2638 points · Perch Support

Perch has protection against session hijacking built in. This is why you can't log in as the same user account in two places.

Hi Drew,

We were able to take over a session from another user this morning. We intercepted the cookie with the PHPSESSIONID and forged a request on a different machine, and we could continue on that machine without any restrictions.

Drew McLellan · 2638 points · Perch Support

It sounds like you have a problem with your installation in that case, or you don't have paranoid mode enabled perhaps. If you reuse a session both parties should immediately be logged out.
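One way to get the outcome Drew describes, where a session id turning up from a second client ends the session for both holders, shown as an added example; it is not Perch's code and not a description of how its paranoid mode works. The session is bound at login to a fingerprint of the client and every later request must match it. The fingerprint attributes, the functions `bind_session_to_client` and `session_is_valid`, and the `$userId` parameter are assumptions made for this illustration.

```php
<?php
// Added example, not Perch's code: detect reuse of a session id by a different
// client and destroy the session so that neither holder can continue.
// Assumptions: session_start() has already run with use_strict_mode enabled,
// and $_SERVER carries the values PHP normally populates.

declare(strict_types=1);

function client_fingerprint(): string
{
    // Illustrative choice of attributes. Binding to the address is a heuristic:
    // users behind rotating proxies or on mobile networks change address during
    // a session, so weigh false logouts against detection for your deployment.
    $parts = [
        $_SERVER['REMOTE_ADDR']     ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? '',
    ];
    return hash('sha256', implode("\n", $parts));
}

// Called once, after credentials have been verified.
function bind_session_to_client(int $userId): void
{
    session_regenerate_id(true);   // never carry a pre-login id into the session
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['bound_at']    = time();
}

// Called on every admin request. Returns false when the request must not proceed.
function session_is_valid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return false;              // no authenticated session at all
    }

    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        // Same session id, different client: treat it as a hijack. Destroying the
        // server-side record logs out whoever presents this cookie, the legitimate
        // user included, which matches the outcome Drew describes.
        error_log(sprintf(
            'session %s reused by a different client for user %d',
            session_id(),
            $_SESSION['user_id']
        ));
        $_SESSION = [];
        session_destroy();
        return false;
    }

    return true;
}

// Usage at the top of every admin page:
// if (!session_is_valid()) { header('Location: /login'); exit; }
```

The `error_log` call is the part worth keeping whatever binding rule you choose: a fingerprint mismatch on a live admin session is exactly the event an operator wants to see in the logs, with the session id and user so it can be correlated with the access log. Client binding complements, and does not replace, rotating the id and expiring idle sessions.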

We will test with paranoid mode on :). Currently we have a quick fix by regenerating the session every x requests. Thanks for your feedback on the paranoid mode.
