mitm evilzone hijack

[relax]

I just tried out dsploit on my evilzone account and got a successful hijack.
correct me if I'm wrong but evilzone has ssl witch should encrypt traffic between browser and server, so a sniffer should get encrypted data witch it apparently does not.
My guess would be the flaw lays in the fact that the phpsessionid is set as a get post...

[Stackprotector]

did you really use HTTPS:// and did not issue a SSL stripper?

[relax]

yes but heres the thing, https switches to http after change of page, would be fixed with https everywhere extension but thats kind of annoying.

[Phage]

I would like to agree with relax. I have experienced the same with the https and he has a point.

[0poitr]

Well, firefox says connection to ez is only partially encrypted.

[Snayler]

Well, firefox says connection to ez is only partially encrypted.

While Chrome complains about the certificate not having the same URL as the website (it has "*.evilzone.org" as the URL).

[proxx]

My firefox warns that for example when posting a message its not encrypted and it happens in plain HTTP.
I have yet to check wireshark but im pretty sure thats correct.

[relax]

My firefox warns that for example when posting a message its not encrypted and it happens in plain HTTP.
I have yet to check wireshark but im pretty sure thats correct.

thats actually true because it was when posting a message or changing settings the hijack is possible so far as i found. i also noticed that the PHPSESSID is exposed in url sometimes witch is really weird
http://i.imgur.com/g7X12KU.png from another post (not my screenshot btw)


edit:
It seems the topic links on "unread messages" links to http even though https is used

[proxx]

Im currently recording with wireshark to see what happens.
@This is a test message@

[proxx]

Look what we got here.
my browser clearly stated https:// while sending this.

Will try again to confirm.


*EDIT*

Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?

Thats firefox complaining.

[relax]

well the interesting thing is not they read your message its the actually get your session id and can hijack you account


but then again one thing is connected to the other

[RevHzShell]

I noticed the behaviour exposing your SessID in other Simple Machines Forum. Maybe could be another issue.

Furthermore i can confirm Firefox establishes a partial encrypted connection to https://evilzone.org as displayed in website's informations.

EDIT:
And guess what? Editing this post being in https, I got a popup saying the data would have been sent in clear text, and after having saved the post I have no more https in my url bar, just evilzone.org/........
@proxx,  didn't pay attention you already mentioned this... i get exactly the same message you posted. However it's an additional confirmation.

[proxx]

well the interesting thing is not they read your message its the actually get your session id and can hijack you account


but then again one thing is connected to the other

I know, this was just to make a statement

[Stackprotector]

We kind of forced this forum software into HTTPs. It has almost none HTTPs functions. We will look into this

[relax]

how about force https with .htaccess?

Code: [Select]

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]



or there might be a reason for for not forcing https....
like some ppl might be able to get around the ssl cert warning message ^_^