Are Joomla!'s 3.x sessions less secure than Joomla!'s 1.x sessions?

Discussion regarding Joomla! 3.x security issues.

misterade
Joomla! Fledgling
Posts: 2
Joined: Tue Jul 19, 2016 12:38 pm

Post by misterade » Tue Jul 19, 2016 1:38 pm

While I was performing some tests I noticed a great difference in the way sessions are managed by Joomla! 3.x and Joomla! 1.x.

In Joomla! 3.x, upon creating a session, the value of the cookie sent back to the browser is saved in the database in #__session.session_id.
As a result, a possible SQL injection vulnerability in Joomla! would allow an attacker to easily perform a session hijacking by dumping the #__session table.
https://www.trustwave.com/Resources/Spi ... =0&month=0

However, Joomla! 1.x creates and stores sessions in a completely different way, and as a result a SQL injection like the previous one would not allow an attacker to perform a session hijack. In fact, in Joomla! 1.x the cookie value sent back to the browser is not the one stored in #__session.session_id.
In Joomla! 1.x the function generateId() is responsible for generating a unique session id.
It does it by generating a "random number" $randnum and a session id $new_session_id.
The value of $new_session_id is the result of some concatenation and md5 operations using $randnum as seed.
Finally, $randnum is used as the cookie value sent back to the browser and $new_session_id is the one stored in the database.


 function generateId() {
         $failsafe       = 20;
         $randnum        = 0;

         while ($failsafe--) {
                 $randnum                = md5( uniqid( microtime(), 1 ) );
                 $new_session_id = mosMainFrame::sessionCookieValue( $randnum );
                 file_put_contents("/tmp/jj_log.txt","tbl sessioni?\n",FILE_APPEND);
                 file_put_contents("/tmp/jj_log.txt",$this->_tbl." _ ".$this->_tbl_key."\n",FILE_APPEND);

                 if ($randnum != '') {
                         $query = "SELECT $this->_tbl_key"
                         . "\n FROM $this->_tbl"
                         . "\n WHERE $this->_tbl_key = " . $this->_db->Quote( $new_session_id )
                         ;
                         $this->_db->setQuery( $query );
                         if(!$result = $this->_db->query()) {
                                 die( $this->_db->stderr( true ));
                         }

                         if ($this->_db->getNumRows($result) == 0) {
                                 break;
                         }
                 }
         }

         $this->_session_cookie  = $randnum;
         $this->session_id               = $new_session_id;
 }
 
I don't really understand this behavior.

1) What was the purpose of $new_session_id in Joomla! 1.x?

2) A default installation of Joomla! 3.x relies on session cookies saved in the database, making session hijacking easy once a SQL injection is found, while Joomla! 1.x behaves in (at least to me) a safer way. Why change such behaviour from Joomla! 1.x to Joomla! 3.x?
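
The pattern the post above describes for Joomla! 1.x (the browser holds a random value, the database holds only a value derived from it), as an added example that is not part of the original post and is not Joomla!'s code. It swaps the md5-based derivation for HMAC-SHA256 with a server-side secret; `SERVER_SECRET`, `storedId()`, `issueSession()`, `lookupSession()` and the in-memory `$table` standing in for `#__session` are assumptions made for illustration.

```php
<?php
// Added illustration, not Joomla! code. SERVER_SECRET and the in-memory
// $table (standing in for the #__session table) are constructed for this example.
const SERVER_SECRET = 'constructed-example-secret-kept-outside-the-database';

// Derive the identifier stored server-side from the cookie value.
// The keyed hash cannot be inverted, and cannot be recomputed without the secret.
function storedId(string $cookieValue): string
{
    return hash_hmac('sha256', $cookieValue, SERVER_SECRET);
}

// Create a session: the browser receives the random token,
// the table receives only the HMAC of that token.
function issueSession(array &$table, string $user): string
{
    // CSPRNG output; uniqid()/microtime() are time-based and predictable.
    $cookieValue = bin2hex(random_bytes(32));
    $table[storedId($cookieValue)] = ['user' => $user, 'time' => time()];
    return $cookieValue;
}

// Resolve a presented cookie to its session row, or null if nothing matches.
function lookupSession(array $table, string $cookieValue): ?array
{
    return $table[storedId($cookieValue)] ?? null;
}

$table  = [];
$cookie = issueSession($table, 'alice');

// The legitimate browser presents the cookie, which hashes to the stored key.
echo 'cookie accepted: ';
var_dump(lookupSession($table, $cookie) !== null);

// A party that only read the table holds the stored identifier, not the cookie.
// Presenting that identifier hashes it a second time, so no row matches.
$dumpedId = array_key_first($table);
echo 'dumped id accepted: ';
var_dump(lookupSession($table, $dumpedId) !== null);
```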

leolam
Joomla! Master
Posts: 19661
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Are Joomla!'s 3.x sessions less secure than Joomla!'s 1.x sessions?

Post by leolam » Sun Jul 24, 2016 9:16 am

You do not want to compare software that has changed so much over the past 10 years? You are comparing apples with pears and it is a completely useless discussion therefore. You do not expect us to reply to questions on why something is coded in 10 year old hilariously outdated software? Not wasting my time here, sorry...

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

misterade
Joomla! Fledgling
Posts: 2
Joined: Tue Jul 19, 2016 12:38 pm

Re: Are Joomla!'s 3.x sessions less secure than Joomla!'s 1.x sessions?

Post by misterade » Sun Jul 24, 2016 9:53 am

Maybe I posted in the wrong forum, but it seems to me that a software 10 years old might be able to manage sessions in a more secure way than modern software. Just thought it was worth talking about it, I'm sorry you thought this was a waste of time. Thank you for your answer anyway :)

