Sunday, February 26, 2006

Security hole found on locklegion.com - fixed

Today I realised that there was a huge security hole on locklegion.com. Not a bug in my code, but a hole in the overall design. You see, I let people host almost any type of file on their LockStorage account, and that includes HTML pages. Now, I'm sure you know that cookies are scoped to a domain name and a path. Since the locklegion.com forums live at the root path, I can't restrict the forum cookie to anything narrower than the root. The problem is that LockStorage files were served from the very same host name (www)! A quick test with an HTML page showed that it was extremely easy to grab anybody's cookie: any script in a user-hosted page runs with the same origin as the forum, so it can read the forum's cookie. All you had to do was create a "malicious" HTML page and get someone who had chosen to be remembered by the forum to view it, and BAM! You had their cookie!

I resolved this issue with Apache's very powerful mod_rewrite. I set up virtual subdomains for people with LockStorage accounts. You used to access a file using something like www.locklegion.com/lockstorage/trashlock/somefile.html; now the (better) way to access it is trashlock.locklegion.com/somefile.html. This is obviously easier to remember, and because it's a different host name, the forum's cookie doesn't get sent there! Awesome! I've also made Apache redirect any "old"-style attempts to grab a file to the new subdomain, just to make sure nothing keeps loading user content from www.
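The configuration below is an added example (not the original locklegion.com setup) showing the two mod_rewrite pieces described above: a permanent redirect for the old www URLs and a mapping from per-user subdomains onto the storage directory. The DocumentRoot, the `/lockstorage/<user>/` layout and the single-label user names are assumptions.

```apache
# Added example: one VirtualHost serves the forum on www.locklegion.com and the
# per-user LockStorage subdomains. Requires a wildcard DNS record for
# *.locklegion.com pointing at this server (assumed).
<VirtualHost *:80>
    ServerName www.locklegion.com
    ServerAlias *.locklegion.com
    DocumentRoot /var/www/locklegion    # assumed path

    RewriteEngine On

    # 1. Old-style URLs on the main host would run user-hosted HTML with the
    #    forum's origin. Send them permanently to the user's own subdomain.
    RewriteCond %{HTTP_HOST} ^www\.locklegion\.com$ [NC]
    RewriteRule ^/lockstorage/([a-z0-9]+)/(.*)$ http://$1.locklegion.com/$2 [R=301,L]

    # 2. Map <user>.locklegion.com/<file> onto /lockstorage/<user>/<file>.
    #    Only a single alphanumeric label is accepted as the user name, so an
    #    odd Host header cannot point outside the storage tree.
    RewriteCond %{HTTP_HOST} !^www\.locklegion\.com$ [NC]
    RewriteCond %{HTTP_HOST} ^([a-z0-9]+)\.locklegion\.com$ [NC]
    RewriteRule ^/(.*)$ /lockstorage/%1/$1 [L]
</VirtualHost>
```

This only isolates the forum cookie if the forum sets it as a host-only cookie (no Domain attribute); a cookie set with Domain=.locklegion.com is still sent to every subdomain, so check the Set-Cookie header the forum emits.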

If you allow people to host Flash or HTML on your server, be extremely careful! Put them on a separate domain name or subdomain! Otherwise people will be able to grab your cookies. It's a fact.

3 Comments:

At 7:39 PM, Anonymous Patrick said...

Wow, thanks for the security idea and the way to fix it. I will keep this in mind for any projects I do later on. lol, I'm still probably the only one who visits this, but what the hell.

Patrick
TriRift Studios Admin

 
At 9:06 PM, Anonymous Anonymous said...

I thought you fixed this by using rewrite.

 
At 9:14 PM, Anonymous webhosting companies said...

COME OOOOOONNNNNNN

Can I Help You.. Yes If you want to get on the web. If you want to start learning about creating a web site of your own.. go to http://webhost11.com. to find out more about webhosting companies ... We can help find a web host for you.

 
