[fixed] Sessionhash is not stripped from URLs in private messages.
Paul
Tue 12th Nov '02, 1:19am
Hi,
It appears that in vb2.2.8 and presumably earlier 2.x.x versions, sessionhashes are not being stripped from the text of private messages.
When posting a new thread, posting a reply to a thread, or editing a post, vBulletin will automatically search the message text for sessionhashes and remove them. Not doing so could, in some rare instances, result in hijacking the poster's session.
It should be noted that only the pagetext field is checked for sessionhashes. I recommend that the developers considering checking the title (subject) fields as well to ensure maximum security.
A workaround will be posted in reply to this message.
Thanks,
Paul
Edit: On second thought, this would probably be best handled by creating a function (i.e. stripsessions()) in global.php and checking all user input, such as signature changes, message text, subjects, and custom fields.
Paul
Tue 12th Nov '02, 1:29am
To detect and remove sessionhashes from urls sent via private message, you will need to edit private.php and private2.php:
In private.php:
Find:
if ($parseurl) {
$message = parseurl($message);
}
BELOW, add:
// Bug fix: remove sessionhash from urls - Nov 12, 2002 : http://www.vbulletin.com/forum/showthread.php?s=&threadid=58542
$message=ereg_replace("&sessionhash=[a-z0-9]{32}","",$message);
// A leading ?sessionhash= must keep the '?' for any parameters that follow it (same as the ?s= rule below), otherwise "?sessionhash=...&threadid=1" would become "&threadid=1"
$message=ereg_replace("\\?sessionhash=[a-z0-9]{32}(&)?","?",$message);
$message=ereg_replace("&s=[a-z0-9]{32}","",$message);
$message=ereg_replace("\\?s=[a-z0-9]{32}(&)?","?",$message);
// End bug fix: remove sessionhash from urls
In private2.php:
Find:
if ($parseurl) $message=parseurl($message);
BELOW, add:
// Bug fix: remove sessionhash from urls - Nov 12, 2002 : http://www.vbulletin.com/forum/showthread.php?s=&threadid=58542
$message=ereg_replace("&sessionhash=[a-z0-9]{32}","",$message);
// A leading ?sessionhash= must keep the '?' for any parameters that follow it (same as the ?s= rule below), otherwise "?sessionhash=...&threadid=1" would become "&threadid=1"
$message=ereg_replace("\\?sessionhash=[a-z0-9]{32}(&)?","?",$message);
$message=ereg_replace("&s=[a-z0-9]{32}","",$message);
$message=ereg_replace("\\?s=[a-z0-9]{32}(&)?","?",$message);
// End bug fix: remove sessionhash from urls
A similar fix could be applied to the subject fields, however, I'll leave that up to the discretion of the developers.
tubedogg
Tue 12th Nov '02, 12:03pm
Keep in mind that this is not a security issue. Sessionhashes are only valid a) for 15 minutes after a user's last click and b) if the user's IP address matches the one assigned to the sessionhash in the database.
There is no easy way to take over a session via a link like this.
Paul
Tue 12th Nov '02, 1:34pm
Originally posted by tubedogg
There is no way to take over a session via a link like this.
I'd have to disagree. I did make a note to say in very rare cases. For example, users accessing a site through a company proxy server/firewall. The IP address would be the same.
Just because it isn't likely to happen, doesn't mean it can't. :)
Paul
Edit: Case in point:
http://www.vbulletin.com/forum/showthread.php?s=&threadid=57260
Floris
Tue 12th Nov '02, 2:03pm
just pointing out again
http://www.vbulletin.com/forum/showthread.php?s=&threadid=54195
tubedogg
Tue 12th Nov '02, 6:31pm
Originally posted by LoveShack
Just because it isn't likely to happen, doesn't mean it can't.
My post was intended to say there's no "easy" way, as I have edited it to reflect.
At any rate there is next to no chance this could be exploited as it relies on a number of significant mitigating factors.
Paul
Tue 12th Nov '02, 6:36pm
Does that mean it won't be fixed in the next version?
Freddie Bingham
Tue 12th Nov '02, 9:13pm
Originally posted by LoveShack
Does that mean it won't be fixed in the next version?
Where has that been said? Private messages should be subject to the same regex as normal posts and if they aren't, we will fix it.
Paul
Tue 12th Nov '02, 10:05pm
Well, for one this hasn't been moved into the bugs forum. Obviously I didn't have a clear impression about what was to be done and judging from tubedogg's response, I was unsure if this is intended behavior.
If there is a better avenue to report potential problems with this software, kindly let me know.
Floris
Wed 13th Nov '02, 6:14am
Originally posted by freddie
Where has that been said? Private messages should be subject to the same regex as normal posts and if they aren't, we will fix it.
Very happy to hear it.
Paul
Wed 27th Nov '02, 5:00pm
Originally posted by freddie
Where has that been said? Private messages should be subject to the same regex as normal posts and if they aren't, we will fix it.
Note to those upgrading: This was not completely fixed in 2.2.9. You will need to make the following fix:
Remember to backup your database and files before making this or any other modification.
In private2.php FIND:
if ($parseurl) $message=parseurl($message);
Below, INSERT:
// Bug fix: Remove sessionhash from urls, 2002-11-27 : http://www.vbulletin.com/forum/showthread.php?s=&threadid=58542
$message = stripsession($message);
// End bug fix: Remove sessionhash from urls
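A more general form of the same stripping, serving both the four-regex workaround earlier in this thread and the stripsession() call above: this is an added example, not vBulletin's own stripsession() implementation. It assumes a URL's query string runs from '?' to the next whitespace, quote or bracket (so it also stops at the ']' of [url=...] bbcode), and it drops a parameter only when its name is s or sessionhash and its value is a 32-character hex hash.

```php
<?php
// Added example, not vBulletin's stripsession(): drop the s= / sessionhash=
// parameters from every URL in a block of message text while keeping the
// rest of the query string well-formed. Assumes a query string runs from
// '?' up to whitespace, a quote, or a bracket (so it stops at the ']' of
// [url=...] bbcode).
function stripsession($text)
{
    return preg_replace_callback(
        '/\?([^\s\]\)"\'<>]+)/',
        function ($m) {
            $kept = array();
            foreach (explode('&', $m[1]) as $pair) {
                $parts = explode('=', $pair, 2);
                $name  = strtolower($parts[0]);
                $value = isset($parts[1]) ? $parts[1] : '';
                // Only a 32-character hex value under one of vBulletin's two
                // session parameter names is a session hash; anything else
                // (e.g. a site's own "s=" search parameter) is kept.
                if (($name === 's' || $name === 'sessionhash')
                    && preg_match('/^[a-f0-9]{32}$/', $value)) {
                    continue;
                }
                $kept[] = $pair;
            }
            // Nothing left: drop the '?' too, so "page.php?" never remains.
            return $kept ? '?' . implode('&', $kept) : '';
        },
        $text
    );
}

// Constructed sample message; the hash is a made-up placeholder value.
$hash   = str_repeat('0123456789abcdef', 2);
$sample = "See http://www.vbulletin.com/forum/showthread.php?s=$hash&threadid=58542\n"
        . "and [url=http://www.example.com/index.php?sessionhash=$hash]home[/url]\n"
        . "but http://www.example.com/search.php?s=vbulletin is not a session hash.";
echo stripsession($sample);
```

The first URL keeps its threadid parameter, the bbcode URL loses its query string entirely, and the search URL is left untouched because its s= value is not a hash.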