Forums  /  The Site  /  Serious Security Issue on Speedrun.com (Locked)
  noclipnoclip

This is definitely not good™, and more worrisome still because the cookies aren't marked HTTP-only, so even one XSS bug is enough to steal passwords.

 
  Lighnat0rLighnat0r

Some initial security has been added to the cookies, more will need to be added later though.
And yeah, the database has always been hashed.

This of course means everyone has to login again.

EdenalEdenal likes this. 
  Cameron_DCameron_D

Some other things I just found:
- There exists an XSS when posting images, this is kinda critical, can be used to execute _any_ Javascript I desire
- Liking posts and logging out don't carry a CSRF token so I can force-log people out or make them like any post.
- There is no sanity checking on the thread ID that you post replies to so there is a hidden thread in which I (among others) tested/discovered these. Given said thread probably has some dangerous JS running around now I won't post it publicly, but hit me up in IRC for further details (I'm in the channel at the moment).

troll_accounttroll_account likes this. 
  karelkarel

To expand on Cameron's post, even though you probably already know:
Forum posting is not CSRF-protected either, not even by referrer.

Stuff like
http://pastebin.com/EpJQmqPB

works flawlessly.

 
  GlacialsGlacials

This issue is not fixed. By hashing passwords before storing them in cookies, all you're doing is changing the definition of a password. The information needed to fake yourself into becoming someone has changed from [username, password] to [username, password hash]. This information is still passed over plaintext in every page request made to speedrun.com. So if I'm a snooper, the only thing that's changed for me is that now it seems like your password is just really long and really complicated. I no longer need what you consider your password, because I only need the thing that speedrun.com considers your password -- the hash. It's no harder for me to become you.

Solution to above: Use $_SESSION instead of $_COOKIE.

MD5 is too much of a beaten dead horse to be used anymore. Reverse lookup tables are everywhere on the internet. At ¤minimum¤ you should be salting your hashes. But you should also just be using a more modern hashing function.

Solution: Change from md5($password) to password_hash($password, PASSWORD_BCRYPT). It will handle salting.

Please open source speedrun.com. We want to help but we can't if everything remains closed off.

NokiDokiNokiDoki, GyooGyoo and 2 others like this. 
  SgtKabukimanSgtKabukiman

^ This post sounds like an echo of what I have been preaching in October-November '14. But then I gave up.

 
  Cameron_DCameron_D

> Solution to above: Use $_SESSION instead of $_COOKIE.

Actually, using PHP sessions still sets a phpsessid cookie, and copying that is still all that is is needed to take over a session/log in as someone else. No matter what method you use for session identification it can be vulnerable to anyone with the ability to MITM a connection which is why there is such a push towards HTTPS nowadays.

GlacialsGlacials likes this.