WebsiteBaker Community Forum

General Community => Global WebsiteBaker 2.8.x discussion => Topic started by: Argos on January 26, 2011, 04:14:31 AM

Title: Security offense!! Access denied!
Post by: Argos on January 26, 2011, 04:14:31 AM
It seems it is no longer possible to open and edit multiple pages by using a right mouse click and opening each one of them in a separate browser tab. When saving you get the error "Security offense!! Access denied!"

This is very annoying, as I often edit many pages at once especially in the creative stage. Now I have to do them one at a time, which is very time consuming.

Why is this safety measure added (I use RC5 in this case)? What is the purpose of it? And can it be disabled?
Title: Re: Security offense!! Access denied!
Post by: maverik on January 26, 2011, 05:01:53 AM
Same Problem here.
I have already spoken to Dietmar and he is looking for a solution as he said.
Title: Re: Security offense!! Access denied!
Post by: Stefek on January 26, 2011, 05:43:16 AM
Quote
And can it be disabled?

I hope it can, for I am using different windows at once as well.

Regards,
Stefek
Title: Re: Security offense!! Access denied!
Post by: testör on January 26, 2011, 07:36:11 AM
No, it can't be disabled in 2.8.2 and 2.9.dev. Just look at all the revisions of the last weeks and you'll see that the SecureForm / FTAN is a new security measure in 2.8.2 and 2.9, linked very deep into the core classes.
Btw: most software has these CSRF-avoiding TANs.
If this could be disabled, it would be complete nonsense to include these security measures. Disabling safety would be no safety at all. You'll learn to handle this (I have to accept this too, and at first it's a bit uncomfortable), I am sure.
Title: Re: Security offense!! Access denied!
Post by: Luisehahne on January 26, 2011, 07:37:59 AM
I talked with DarkViper. The only option is to work with different browsers. The secure token is set only once. If you open a second tab in the same window, the token will be created anew, and saving in the first window fails.

So the security fix works correctly and fine.

Safety first!

Dietmar

P.S. I hope I could explain it understandably.
Title: Re: Security offense!! Access denied!
Post by: testör on January 26, 2011, 07:41:33 AM
Quote
I talked with DarkViper. The only option is to work with different browsers.

Well, but who is working with different browsers? Nearly nobody; most people won't (and shouldn't, by the way). You can edit only one window in the WB backend; that's a security feature and shouldn't be removed. Please don't make good (and of course "hard") security very weak just because it first seems different from before.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on January 26, 2011, 11:14:33 AM
Tried this with sseq-lib (with a module of mine that uses the SEQ_FTOKEN() method provided there). Seems to work. As far as I know, sseq-lib checks the browser signature only (can be disabled also) along with other data, so you can work with tabs without any problems. Maybe the lib you're using can be configured to be a bit less strict.

"Nach fest kommt ab!" (German: tighten too far and it snaps off)
Title: Re: Security offense!! Access denied!
Post by: Argos on January 26, 2011, 12:18:37 PM
It's not clear to me why this measure improves "security" and "safety". Can anyone explain what is not safe about working in multiple tabs?

And I also would like to know how I "will learn to handle this"?

This "improvement" alone would be reason enough for me not to upgrade to and use WB 2.8.2 and 2.9.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on January 26, 2011, 12:31:50 PM
I think it is part of the CSRF protection, but, as I said above: "Nach fest kommt ab" (analogous: "after firm comes off"). This means in this case: there can be too much protection. It simply makes WB more complicated to use, maybe even unusable. (There are some other threads going in the same direction, concerning other inventions.)
Title: Re: Security offense!! Access denied!
Post by: Ruud on January 26, 2011, 01:13:13 PM
OK, let me try to explain a bit.

With the right techniques, if you are logged in (or have been logged in before in the same browser session) as admin of your website, and you visit another website (or open an email message) with a specially crafted image/script, they could create a new admin user on the fly. Just by visiting a website or reading a mail.

To prevent this, any form (i.e. user creation/modification, or just page editing) should test whether the request to modify the page/user came from the authenticated user.
So, now any request to open a form will add a random code (token) that is only valid until the form is saved or the next code is generated.
So by opening a second form in a new tab, the first token is not valid anymore.
More importantly, if a third party creates the form data to post, there will be no valid token in the data, and the data is rejected.

This site (http://www.cgisecurity.com/csrf-faq.html) has a good explanation.
Title: Re: Security offense!! Access denied!
Post by: maverik on January 26, 2011, 02:10:22 PM
Please give a German explanation of why it is necessary in the backend and what can happen to my site without this protection. My English is not good enough to understand the English explanation.
The only thing I know is that it is very irritating and uncomfortable to work with WB at the moment.
Title: Re: Security offense!! Access denied!
Post by: Argos on January 26, 2011, 02:30:06 PM
Thanks for the explanation Ruud, I understand the need for such protection now. However, I cannot believe that protection needs such a crude method. Isn't there a more elegant solution to prevent such attacks and still be able to open and use multiple instances of the admin to work in? Is it, for example, not possible to create multiple tokens that all refer to the rightful admin? Or use the same token for multiple browser windows?

I admit that I would prefer a slicker method to edit multiple pages at once, but for the moment opening multiple browser tabs/windows is the only way to do so. It is already a workaround for a shortcoming of WB, but now the workaround is gone. That's too sad.
Title: Re: Security offense!! Access denied!
Post by: Ruud on January 26, 2011, 03:26:39 PM
This was mainly about explaining the problem, not discussing the solution.

The immediate solution for "old" websites (not just WB, but any site you can log in to) is to log out before doing other stuff. If there is no "trusted" connection with your website, there is no problem.

I have even seen recommendations in other CMS forums to use a separate browser for web development,
i.e. use IE to browse the web and FF for development and management.

I cannot promise any changes in how it is handled at this time; however, I can imagine this feature will evolve and become more transparent in the future.
Title: Re: Security offense!! Access denied!
Post by: NorHei on January 26, 2011, 03:46:05 PM
@maverik

To keep it short: when you are logged in to WB, or were, and you then go to another site that contains certain malicious code (just visiting, doing nothing), the malicious code on that site can take over your admin account (new password) or simply create a new one. After that, the attacker can use your complete WB for his own purposes or even install his own scripts via the file manager.

The whole thing also works with emails that carry such malicious code.

Countermeasures: ALWAYS log out before opening an email or opening another tab with another site, or FTAN.

A possible workaround would be several browsers.
Title: Re: Security offense!! Access denied!
Post by: Argos on January 26, 2011, 03:53:19 PM
Logging out before visiting another site is attack prevention for OLD versions, not for NEW versions. It of course does not allow you to edit multiple pages. There is nothing to edit anymore if you're logged out...
Title: Re: Security offense!! Access denied!
Post by: NorHei on January 26, 2011, 04:10:35 PM
Has someone tested whether it's possible to use Firefox and Firefox Portable at the same time?
Title: Re: Security offense!! Access denied!
Post by: Argos on January 26, 2011, 04:13:33 PM
Quote
Has someone tested whether it's possible to use Firefox and Firefox Portable at the same time?

That's irrelevant. You can still only edit 1 page per browser...
Title: Re: Security offense!! Access denied!
Post by: Luisehahne on January 26, 2011, 04:28:04 PM
If I want to copy/paste from one page's sections into another, I first open the sections I want to copy from, because I don't need to save anything there. Then I open the sections I want to paste into and modify. This page gets the current token and I can save.

If I want to save something in the copy sections, I first refresh the page, make my changes and save.

Maybe that's the solution we are searching for.

First refresh the page you want to save, then modify and save. It's one click more, but for security I can accept it.

Dietmar
Title: Re: Security offense!! Access denied!
Post by: Argos on January 26, 2011, 05:10:24 PM
Copy/paste doesn't seem to be a big problem to me. What is more problematic is doing bulk editing to a large number of pages, for example modifying settings or user rights.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on January 26, 2011, 05:52:36 PM
Seems that the lib you are using can't handle more than one valid session. (Where "session" means an open tab in this case.)
Title: Re: Security offense!! Access denied!
Post by: Stefek on January 26, 2011, 06:05:32 PM
I must say that I don't like the new "feature" if it changes the way of working with the CMS.
These are long-term habits.


Quote
Copy/paste doesn't seem to be a big problem to me. What is more problematic is doing bulk editing to a large number of pages, for example modifying settings or user rights.

Exactly.
Another situation is, for example:
You are working on a page but you want to quickly change something in settings/user access or at a different place.
You open a new window with the "open link in new window" command (mouse, context menu etc.)
But you can't change anything... you have no access  :roll:

I hope there is another way to ensure security.
Even though security comes first, don't forget about the usability thing..

Regards,
Stefek
Title: Re: Security offense!! Access denied!
Post by: Argos on January 26, 2011, 06:09:24 PM
Indeed, Stefek.
Title: Re: Security offense!! Access denied!
Post by: maverik on January 26, 2011, 06:48:41 PM
I'm a hunter and gatherer, so there aren't many CMSs, counters or groupware packages that I haven't installed and tested yet.
But behaviour like WB is showing now is something I have not come across before. And I work with other systems in the same way.

Are all those systems insecure?

So for the last 5 years I had an "open house" with WB and nothing happened. Now I have so many doors and locks that I myself can no longer get from the east wing to the wine cellar and then into the fireplace room.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on January 26, 2011, 07:00:08 PM
The most secure computer in the world is locked inside a safe, powered off. The only problem is that you can't use it for anything.
Title: Re: Security offense!! Access denied!
Post by: NorHei on January 26, 2011, 07:46:07 PM
Many still are insecure..
And many have a similar problem to WB.

How about some of us go and check how it's done in other CMSs? I am sure the devs would be happy to implement a better solution.
Title: Re: Security offense!! Access denied!
Post by: pcwacht on January 26, 2011, 08:51:47 PM
Not saying I wouldn't like the new idea around issues etc.

The logic of another solution could be:

The user logs in and gets a secret key only known to the server, with which it scrambles the form tags (FTAN).
This secret key is time limited, say default 5 minutes or so, which could be increased if needed; thus the FTAN lifetime is limited as well.

As long as the FTAN key matches the secret key it is OK.
This way the same FTAN could be used on different pages for the same user at the same time.

Kind of like Windows uses Kerberos.

I must say, reading about all these protection measures which are currently built into the new core of WB (PHP code which can't use includes, eval etc.; FTAN per page, which obstructs multi-page editing; naming the two I know about), I am starting to get less eager to see the new WB in action.

John
Title: Re: Security offense!! Access denied!
Post by: testör on January 26, 2011, 09:10:39 PM
Security is always a combination of measures; have a look here: http://drupal.org/writing-secure-code
Or have a look here: http://wiki.phpbb.com/display/DEV/Function.check+form+key and http://blog.phpbb.com/2009/01/14/fighting-csrf/ (phpBB uses quite the same form-key validation as SecureForm).
Title: Re: Security offense!! Access denied!
Post by: NorHei on January 26, 2011, 10:20:31 PM
I see another problem coming up: if WB goes for browser fingerprints to secure sessions, it will become impossible to work with multiple browsers.
Title: Re: Security offense!! Access denied!
Post by: Ruud on January 26, 2011, 11:31:22 PM
Quote
As long as the FTAN key matches the secret key it is OK.
This way the same FTAN could be used on different pages for the same user at the same time.

The problem is that the same hacking script can first request a form page and read the correct FTAN from the returned data. Next it uses the valid FTAN for its hacking attempt.
Remember.. WB is open source.. Anybody can see how it is done!
The only way to solve the issue is by adding a fingerprint to every form (core AND all modules) to be sure the FTAN is valid and generated from that form only.
Since this is impossible in the WB 2.8.x world, the current solution is at least more than fake security.

Quote
I see another problem coming up: if WB goes for browser fingerprints to secure sessions, it will become impossible to work with multiple browsers.

Multiple browsers are no issue. They will have different sessions. The whole problem is session related.

Personally, I don't like the side effects of this solution either.. But this is the world we seem to live in.
A little bit safe is not safe at all.
So what do we want.. A system with publicly known security holes, or a system that tries to close all holes?


Ps..
(found in the J__mla docs on their CSRF security solution)
Title: Re: Security offense!! Access denied!
Post by: Argos on May 06, 2011, 11:58:24 AM
I found a workaround to disable the multiple form security annoyance. See https://forum.WebsiteBaker.org/index.php/topic,21456.msg144676.html#msg144676
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 07, 2011, 02:13:34 PM
Quote
The problem is that the same hacking script can first request a form page and read the correct FTAN from the returned data. Next it uses the valid FTAN for its hacking attempt.

That's not entirely true.
- As those static tokens (TAN/FTAN) tend to have a timeout (normally about 1/2 hour), the attack needs to be run pretty close after the last logged action. Plus the guy has to click your malicious link within this time.

- A token is normally based on the username or session id, so it's impossible to get that token in advance, as you need to be logged in with the right username. So at least you have to trick the user into doing something silly twice.

- It's pretty easy to add the URL (or maybe a form name) to the generation process of your token; that way one token will only be valid for just one form.

Static tokens are not completely insecure and it's pretty hard to exploit them with an automated script, but if you aim to hack a specific site it's still a relatively easy option to exploit.


Quote
Multiple browsers are no issue. They will have different sessions. The whole problem is session related.

Most (all I know) secure session scripts only allow accessing the site from one browser at a time.
That way attackers that somehow capture the session cookie still have to get the exact browser fingerprint. (And there is only one chance to guess, as the session is logged off if there is a security breach.)
So it's impossible to access a site from 2 browsers at the same time, as every time you change your browser you get logged off.

Some scripts even add an additional cookie-based token that changes on every action. So if you change your browser you get logged off again.

@ Argos
Disabling is easy (just let the functions always return true) but it's no solution. It's so incredibly easy to exploit those security holes that it's almost a miracle no one has already written an exploit.

Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 09, 2011, 10:28:27 AM
As a follow-up to NorHei's explanation, a question came to my mind: does WB _really_ need this (high) level of security? Why should someone be interested in such a lot of expense just to hack a simple website? The only thing is to spread malware, but there are so many sites around having no security features, so there's no need for hackers to put high effort into cracking even "simple" security mechanisms.

Don't take me wrong, security _is_ a subject and should be focused on, but if it corrupts the comfort of using WB, it is the wrong way. People will go away and use a more comfortable CMS instead of WB; there's a great variety of CMSs out there to choose from. Ease of use is one of the most important advantages WB has. It MUST be preserved.
Title: Re: Security offense!! Access denied!
Post by: Argos on May 09, 2011, 12:20:09 PM
That's my point as well. I have used WB for six years now, and never had any security related issues (as far as I know) on the dozens of sites I built. WB is typically used for small to mid-sized sites for individuals and (often local) small to mid-sized companies. These sites are not the most likely targets for hackers. Heavy security measures that impact usability are just too much for these kinds of websites. I have the impression that the/some devs are so obsessed (from a technical point of view) with securing WB as much as possible that they have lost touch with the reality of everyday WB use(rs).

Security is good, but usability should not significantly suffer.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 09, 2011, 12:35:33 PM
100% agreed
Title: Re: Security offense!! Access denied!
Post by: pcwacht on May 09, 2011, 05:02:50 PM
More then 100% agreed

WB is simple, simple is WB
WB is ease of use, ease of use is WB

Ah well, you get the drift ;)

John
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 09, 2011, 11:08:39 PM
100% disagreed. As WB grows bigger and bigger there will be exploits, that's almost certain.

What's the intention to hack a WB site? Same as other hacks. To have a slave server for spamming, selling child p***, and having a place to store banking fraud pages. I cleaned up several hacked servers as they were using old insecure WordPress versions.

It's not hard at all to write a token system that allows a configurable number of open instances.
In fact I already did that on a framework I created for myself.

The only disadvantage is it needs you to set a name for each form you want to use it for.
So you call it:
Code: [Select]
wb_form_token_input("MyLoginForm");
and
wb_token_check("MyLoginForm")

The need to use form names is a side effect of WB not using the Apeform concept.
If you are using Apeforms you can even call it without any parameter.

Please keep in mind that I ripped it out of another framework, so I am not sure if it runs without the framework. (Not sure if I added all necessary helper functions, for example.)

[deleted by administrator]
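As an added example (not WebsiteBaker core code and not NorHei's attachment, which is no longer on the thread), here is what the single-slot session token Ruud and Dietmar describe looks like in PHP, next to a pooled variant that allows a configurable number of open forms per form name, using the function names NorHei shows above. Assumptions: the functions take the session array explicitly (so the script runs on the CLI without $_SESSION), the pool size, the session key names, and the form name 'pages_modify'. The single-slot version rejects tab 1's save once tab 2 has opened the same form; the pooled version accepts both, and each token is still single use.

```php
<?php
// Added example, not WebsiteBaker core code and not NorHei's attachment.
// Two ways of keeping CSRF form tokens (FTANs) in the PHP session:
//  - single slot: one live token per session, as 2.8.2 RC5 does, so opening a
//    second tab replaces the token the first tab still holds;
//  - pooled: up to FTAN_POOL_SIZE live tokens per form name, so several tabs of
//    the same form can be saved in any order; each token is still single use.
// $session stands in for $_SESSION so the script runs on the command line.
declare(strict_types=1);

const FTAN_POOL_SIZE = 5;   // assumption: open instances allowed per form name

function ftan_random(): string
{
    return bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
}

// --- single slot ---------------------------------------------------------
function ftan_issue_single(array &$session): string
{
    $session['FTAN'] = ftan_random();   // overwrites whatever another tab got
    return $session['FTAN'];
}

function ftan_check_single(array &$session, string $posted): bool
{
    $ok = isset($session['FTAN']) && hash_equals($session['FTAN'], $posted);
    unset($session['FTAN']);            // consumed whether it matched or not
    return $ok;
}

// --- pooled, keyed by form name -------------------------------------------
function ftan_issue_pooled(array &$session, string $form): string
{
    $token = ftan_random();
    $session['FTAN_POOL'][$form][] = $token;
    // Evict the oldest token once the pool is full (the oldest tab loses).
    while (count($session['FTAN_POOL'][$form]) > FTAN_POOL_SIZE) {
        array_shift($session['FTAN_POOL'][$form]);
    }
    return $token;
}

// Same interface as in NorHei's post, plus the explicit session array.
function wb_form_token_input(array &$session, string $form): string
{
    return '<input type="hidden" name="FTAN" value="' . ftan_issue_pooled($session, $form) . '">';
}

function wb_token_check(array &$session, string $form, string $posted): bool
{
    foreach ($session['FTAN_POOL'][$form] ?? [] as $i => $token) {
        if (hash_equals($token, $posted)) {
            unset($session['FTAN_POOL'][$form][$i]);   // single use: consume it
            return true;
        }
    }
    return false;   // unknown, already used, or evicted token
}

// --- demonstration: two tabs open the page editor, tab 1 saves first ------
$session = [];
$tab1 = ftan_issue_single($session);
$tab2 = ftan_issue_single($session);
printf("single slot, tab 1 saves:  %s\n", ftan_check_single($session, $tab1) ? 'accepted' : 'rejected');

$session = [];
$tab1 = ftan_issue_pooled($session, 'pages_modify');
$tab2 = ftan_issue_pooled($session, 'pages_modify');
echo wb_form_token_input($session, 'pages_modify'), "\n";   // a third tab's hidden field
printf("pooled, tab 1 saves:       %s\n", wb_token_check($session, 'pages_modify', $tab1) ? 'accepted' : 'rejected');
printf("pooled, tab 2 saves:       %s\n", wb_token_check($session, 'pages_modify', $tab2) ? 'accepted' : 'rejected');
printf("pooled, tab 1 replays:     %s\n", wb_token_check($session, 'pages_modify', $tab1) ? 'accepted' : 'rejected');
```

The pool keeps the one-shot property the thread values (a captured token cannot be replayed) while removing the "only one tab" restriction; the price is that the pool must be kept per form name, which is why NorHei's version needs a name argument. hash_equals is used for the comparison so token checks do not leak timing information.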
Title: Re: Security offense!! Access denied!
Post by: Stefek on May 10, 2011, 01:05:23 AM
100% agree with the fact that WebsiteBaker has to be as easy and end-user friendly as possible.
Any security issue needs to be debugged, of course, but without any harm in the form of less usability.

Stefek
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 10, 2011, 06:35:16 AM
OK, it was a bit late at night.
100% agreed with "WB is simple and should stay that way".
100% disagreed with the idea that this is a reason for not fixing security holes.

 :-D

@stefek 100% agreed
 :lol: :lol: :lol:
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 10, 2011, 09:12:13 AM
Quote
100% disagreed with the idea that this is a reason for not fixing security holes.

No one said that security holes should not be fixed. It was just said that there may be too much security, in the sense of making a system so secure that it's unusable. (Like the server in the safe, switched off. The data is secure, but no one can use it.)

Please don't mix this up.

"Nach fest kommt ab!" (German: tighten too far and it snaps off)
Title: Re: Security offense!! Access denied!
Post by: Argos on May 10, 2011, 10:03:20 AM
BlackBird is right. The aim is just that WB should of course be as secure as possible, BUT without decreasing usability. Nothing more, nothing less. The current FTAN system does not only decrease usability, it even does so to the point of making WB buggy.

Devs should look for a security system that does not interfere with WB's high usability. Until they have found that, I personally choose to disable FTAN. But that's a decision everyone should make for themselves.
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 10, 2011, 10:53:14 AM
You guys are really funny.
(Sorry, someone told me BlackBird is a lady?)

Instead of complaining and telling people to deactivate security, how about taking the solution I presented and building a nice and clean replacement class for secure_form.php.

If it does not go into SVN, simply present it as a patch. (Many people will love it.)

@Argos
[text removed by moderator Argos, as it only contained unneeded heavy sarcasm and possibly dangerous info]
Title: Re: Security offense!! Access denied!
Post by: Argos on May 10, 2011, 11:05:54 AM
Too bad you feel so much aggression about this subject and me. For the last time:

- I applaud any security measure as long as it doesn't impact usability in a major way.
- I don't encourage people to make WB less secure. I only offer the possible workaround for people who are annoyed at the side effects of the recent FTAN measures in the RCs. Anyone can and should decide to use it or not.
- Regular users like me cannot do anything with your posted alternative. We don't understand anything about the technical stuff; we only comment on the negative side effects we see. You have to be a coder and part of the DEV team to use it. So far, the devs are really quiet...
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 10, 2011, 11:26:13 AM
I already suggested to use SSEQ-LIB instead, as it works very well. The Devs refused to do so, they prefer the solution they created. As far as I remember, the argument was the high effort to change it again. But I think the Devs should explain their decision by themselves.
Title: Re: Security offense!! Access denied!
Post by: Argos on May 10, 2011, 11:30:14 AM
As any decent designer or developer knows: sometimes you have to kill your darlings, how difficult that may be.
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 10, 2011, 11:39:48 AM
SSEQ-LIB looks interesting. Did you ever look into it to figure out how it protects against CSRF?
(Hope it's not using a static token.)
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 10, 2011, 12:14:37 PM
Just checked it and it's using a static token   :-(
Optionally you can set it to generate single-use tokens like the ones we have in WB, but with the same disadvantages...

Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 10, 2011, 12:21:47 PM
There's an update pending, but I don't know any details. You may ask the developer.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 10, 2011, 12:44:09 PM
Here's a nice explanation on how to create tokens without the tabs/windows/browsers problem.

Edit: Woops, forgot to paste the link. :roll:
http://stackoverflow.com/questions/2695153/php-csrf-how-to-make-it-works-in-all-tabs/2695291#2695291
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 10, 2011, 03:24:40 PM
That's really interesting.... reminds me of self-signed keys for website encryption.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 10, 2011, 03:28:12 PM
It's very simple to combine different params - userid, sessionid, whatever - to a unique key that still works across tabs. It's really quick to implement, too. Can't say anything about security, but should be quite secure. ;)
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 10, 2011, 05:05:12 PM
To me this looks like a great solution .
One token is only valid for one already loaded form and for nothing else.
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 11, 2011, 12:30:41 AM

I built a replacement for the default SecureForm.php.

It seems to be functional so far; maybe someone else can run some more decent tests.

Just paste it over the old /framework/SecureForm.php.
Btw, I added the old version for easy restore.

If it's fully functional I guess it's at least 100 times better than disabling the checks.

Have fun and enjoy  :lol:

[deleted by administrator]
Title: Re: Security offense!! Access denied!
Post by: Argos on May 11, 2011, 12:49:52 AM
How can we test something like this? I mean, what do we have to look for? The absence of usability issues like the FTAN ones? Or something specific?
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 11, 2011, 11:35:03 AM
That's a good question. I think the most important thing is that it works across tabs, for this is the reason for the patch. Next, you may try to hack the token in the form to see what happens. (There should be something like "access denied" then.) Maybe NorHei can give more examples.
Title: Re: Security offense!! Access denied!
Post by: Argos on May 11, 2011, 12:11:15 PM
Do you mean with "works across tabs" that you can have multiple forms opened in the tabs? Because that's the biggest problem I personally would like to get rid of.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 11, 2011, 12:19:05 PM
Yes.

With the new solution, a token is generated that is signed by the server. It is not stored in the session or anywhere else, but it has a timeout.

You can work with multiple tabs, but you can't post the form with another user agent or from another IP. (This means you cannot open the form with one browser and post the same form with the same token with another one. But you can open as many forms as you like with the same session in different tabs.) The token is still secure. (See the explanation by following the link I provided some posts up.)
Title: Re: Security offense!! Access denied!
Post by: Argos on May 11, 2011, 12:33:20 PM
Ah! Sounds perfect then. The technical stuff about tokens and sessions and what have you is far beyond my understanding, it's all mumbojumbo to me I'm afraid. And I must admit it doesn't interest me either. I'm a designer, not a coder. But if the result is that multiple tabs with open forms are possible (so usability is not affected), and WB is still more secured, than it sounds great!
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 11, 2011, 12:57:03 PM
Yes. In my opinion, it's a good solution, and I don't think it is less secure than the original one. I am discussing with NorHei by PM some options to improve token security a little bit, by generating a random secret and storing it outside the code. There could also be an automatic regeneration of the secret every X days, for example. Only someone with more "criminal energy" should check the solution. ;)
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 11, 2011, 12:59:36 PM
For now I added no browser fingerprinting, as that should be done by the session.

Normally the session should log out and present a password field if someone changes his browser or maybe IP.
So for now you can even use different browsers and different IPs.

If you like I can add some advanced fingerprinting that can be turned on and off, as fingerprinting sometimes can cause some trouble.

The security part is the part I checked myself; I need some additional checking of the functionality on different forms, so simply turn on errors and use it :-)
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 11, 2011, 01:01:35 PM
I will have problems with this kind of token, as my IP changes with every hit. (Load balancer)
Title: Re: Security offense!! Access denied!
Post by: Argos on May 11, 2011, 01:03:51 PM
Please let us know when it's time to test! And is the download in your previous post the latest version all the time?
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 11, 2011, 01:23:13 PM
@BlackBird
http://en.wikipedia.org/wiki/X-Forwarded-For
is already implemented in my fingerprint functions.
Another option would be to use just the first 2 parts of your IP.

@Argos
I thought of posting a fresh version at the end of the thread, as it only makes sense to modify the old one if the old entry is at the beginning of the thread. If you can add an entry at the start of the thread I would update that too.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on May 11, 2011, 01:28:50 PM
I would open a new thread when the patch is ready. :-D I think that's more eye-catching.
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 11, 2011, 04:54:26 PM
OK, version 0.2.

Added browser fingerprint and IP check (even if behind a proxy or load balancer).

If you want some special configuration, put this somewhere in your config.php, for example:

Code: [Select]
# Secret can contain anything; it is the base for the secret part of the hash
define ('WB_SECFORM_SECRET','whatever you like');
# shall we use fingerprinting true/false
define ('WB_SECFORM_USEFP', true);
# Timeout until the form token expires. Integer value between 0-86400 seconds (one day)
define ('WB_SECFORM_TIMEOUT', 3600);
# Name for the token form element; only an alphanumerical string allowed that starts with a character
define ('WB_SECFORM_TOKENNAME','my3form3');
# how many blocks of the IP should be used in the fingerprint; 0=no ipcheck, possible values 0-4
define ('WB_SECFORM_USEIP',2);


Just wanted to mention that this code is not cleaned up at all; if no usage problems occur I'll clean it up with the next versions.


Btw, if anyone has an idea what this IDKEY is exactly doing, please feel free to explain.
(Or maybe where I can find a decent explanation.)

[deleted by administrator]
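The following is an added example, written for this page; it is not NorHei's SecureForm.php replacement (the attachment is no longer on the thread) and not WebsiteBaker core code. It implements the stateless design that pcwacht proposed, NorHei refined (timeout, binding to the session id, binding to a form name) and BlackBird described a few posts up (a server-signed token with a timeout, not stored in the session, tied to user agent and IP): the server computes an HMAC-SHA256 over the form name, the session id, an expiry timestamp and an optional fingerprint, and verifies it on submit. The constant names are taken from the config.php snippet above; their values, the token layout, the function names and the constructed request array are assumptions. The fingerprint uses the first WB_SECFORM_USEIP blocks of the client address and honours X-Forwarded-For for the load-balancer case; that header can be set by any client, so it should only be trusted behind a proxy you control.

```php
<?php
// Added example, not NorHei's SecureForm.php replacement and not WebsiteBaker
// core code. Stateless CSRF form token: HMAC-SHA256 over form name, session id,
// expiry time and an optional browser fingerprint. Nothing is stored in the
// session, so every open tab holds its own valid token until the timeout.
declare(strict_types=1);

// Constant names follow the config.php snippet quoted above; values are assumptions.
if (!defined('WB_SECFORM_SECRET'))    { define('WB_SECFORM_SECRET', 'replace-with-a-long-random-secret'); }
if (!defined('WB_SECFORM_USEFP'))     { define('WB_SECFORM_USEFP', true); }
if (!defined('WB_SECFORM_TIMEOUT'))   { define('WB_SECFORM_TIMEOUT', 3600); }
if (!defined('WB_SECFORM_TOKENNAME')) { define('WB_SECFORM_TOKENNAME', 'my3form3'); }
if (!defined('WB_SECFORM_USEIP'))     { define('WB_SECFORM_USEIP', 2); }

// Client address prefix for the fingerprint. X-Forwarded-For is honoured for the
// load-balancer case; it is only trustworthy when a proxy you control sets it.
function secform_ip_prefix(array $server): string
{
    $ip = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '')[0]);
    if (WB_SECFORM_USEIP <= 0 || !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return '';
    }
    return implode('.', array_slice(explode('.', $ip), 0, WB_SECFORM_USEIP));
}

function secform_fingerprint(array $server): string
{
    if (!WB_SECFORM_USEFP) {
        return '';
    }
    return ($server['HTTP_USER_AGENT'] ?? '') . '|' . secform_ip_prefix($server);
}

function secform_mac(string $form, string $sid, int $expires, array $server): string
{
    $data = $form . '|' . $sid . '|' . $expires . '|' . secform_fingerprint($server);
    return hash_hmac('sha256', $data, WB_SECFORM_SECRET);
}

// Token layout: "<expiry unix time>:<hex mac>". The expiry is public; the MAC
// prevents changing it or any of the other bound values.
function secform_token(string $form, string $sid, array $server, int $now): string
{
    $expires = $now + WB_SECFORM_TIMEOUT;
    return $expires . ':' . secform_mac($form, $sid, $expires, $server);
}

function secform_check(string $form, string $sid, array $server, int $now, string $token): bool
{
    if (!preg_match('/^(\d{1,12}):([0-9a-f]{64})$/', $token, $m)) {
        return false;                                   // malformed
    }
    $expires = (int) $m[1];
    if ($expires < $now || $expires > $now + WB_SECFORM_TIMEOUT) {
        return false;                                   // expired, or later than we ever issue
    }
    return hash_equals(secform_mac($form, $sid, $expires, $server), $m[2]);
}

function secform_input(string $form, string $sid, array $server, int $now): string
{
    $value = htmlspecialchars(secform_token($form, $sid, $server, $now), ENT_QUOTES);
    return '<input type="hidden" name="' . WB_SECFORM_TOKENNAME . '" value="' . $value . '">';
}

// Demonstration on a constructed request; no real session or HTTP traffic.
$ua     = 'Mozilla/5.0 (example)';
$server = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => $ua];
$sid    = 'constructed-session-id';
$now    = 1700000000;

echo secform_input('pages_modify', $sid, $server, $now), "\n";
$tab1  = secform_token('pages_modify', $sid, $server, $now);
$tab2  = secform_token('pages_modify', $sid, $server, $now + 5);   // second tab, own token
$later = $now + 10;
$cases = [
    'tab 1 saves after tab 2 opened'  => secform_check('pages_modify', $sid, $server, $later, $tab1),
    'tab 2 saves'                     => secform_check('pages_modify', $sid, $server, $later, $tab2),
    'token posted to another form'    => secform_check('users_modify', $sid, $server, $later, $tab1),
    'another session (cross-site)'    => secform_check('pages_modify', 'attacker', $server, $later, $tab1),
    'another user agent'              => secform_check('pages_modify', $sid,
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'curl/8.0'], $later, $tab1),
    'other host, same first 2 blocks' => secform_check('pages_modify', $sid,
        ['REMOTE_ADDR' => '203.0.200.1', 'HTTP_USER_AGENT' => $ua], $later, $tab1),
    'behind proxy, X-Forwarded-For'   => secform_check('pages_modify', $sid,
        ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.2',
         'HTTP_USER_AGENT' => $ua], $later, $tab1),
    'after the timeout'               => secform_check('pages_modify', $sid, $server,
        $now + WB_SECFORM_TIMEOUT + 1, $tab1),
];
foreach ($cases as $case => $ok) {
    printf("%-33s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

Both tabs' tokens verify, a token posted to a different form, from a different session, with a different user agent or after the timeout does not, and a change of host within the same two IP blocks (or the same client seen through a proxy via X-Forwarded-For) is still accepted. Binding to the session id is what defeats the "request the form first and read the FTAN" attack Ruud describes: a token only verifies together with the session it was issued for, and a cross-site page cannot read the victim's form anyway. The trade-off against the single-use session token is that a signed token stays reusable until it expires, so the timeout should be short, the secret should live outside the code (as BlackBird suggests) and rotating it invalidates every outstanding token at once.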
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 11, 2011, 07:24:28 PM
Version 0.3

Did some cleanup and fixed a small bug.(missing  _)

[deleted by administrator]
Title: Re: Security offense!! Access denied!
Post by: NorHei on May 13, 2011, 12:03:26 PM
Opened a separate thread for it:

https://forum.WebsiteBaker.org/index.php/topic,21527.0.html
Title: Re: Security offense!! Access denied!
Post by: BlackBird on June 10, 2011, 11:48:46 AM
I've installed the current WB 2.8.2 RC6 for the first time, and for the first time I see that it's completely unusable! I have ONE tab with WB 2.8.2, but another one with my "old" 2.8.1 installation, tried to add a first page, and I'm getting the security warning instantly. :x
Title: Re: Security offense!! Access denied!
Post by: instantflorian on June 10, 2011, 12:32:23 PM
@Blackbird: Does this still happen after you installed NorHei's patch?
Title: Re: Security offense!! Access denied!
Post by: BlackBird on June 10, 2011, 01:16:50 PM
Yep. I'm unable to create new pages.
Title: Re: Security offense!! Access denied!
Post by: ruebenwurzel on June 10, 2011, 01:31:04 PM
Hello,

Quote
WB2.8.2 RC6 for the first time, and for the first time I see that it's completely unusable!

Just to clarify: WB 2.8.2 RC6 is not unusable. It only gets unusable when it is patched. So it is good that this patch will find no way into the core.

Matthias
Title: Re: Security offense!! Access denied!
Post by: maverik on June 10, 2011, 01:54:36 PM
Quote
It only gets unusable when it is patched
  :-o  :?

Same behavior as Bianka describes I had too, without the patch. I am working on 3 live sites with RC6 with the patch, and working is possible for me.
Without the patch it wasn't.
Title: Re: Security offense!! Access denied!
Post by: BlackBird on June 10, 2011, 02:12:06 PM
Just to clarify, same behaviour with UNPATCHED RC6. I installed the patch to fix it.
Title: Re: Security offense!! Access denied!
Post by: instantflorian on June 10, 2011, 02:20:06 PM
Quote
Just to clarify: WB 2.8.2 RC6 is not unusable. It only gets unusable when it is patched. So it is good that this patch will find no way into the core.

No. Objection! Same as Maverik for me. Without the patch, RC6 still throws the "security offense" error from time to time (not always, strangely enough), even if only 1 tab is open. So this version is not completely "unusable" (that's a strong word), but a bit risky to use. With NorHei's patch, this problem disappears.

BR
_florian.

Title: Re: Security offense!! Access denied!
Post by: NorHei on June 10, 2011, 02:28:10 PM
I can only make a guess.

I think it's because some modules open stuff in a new popup window or do some other kind of transaction. As without the patch only one valid transaction is possible, the main form becomes invalid after adding an image in CKE, for example.

Title: Re: Security offense!! Access denied!
Post by: maverik on June 10, 2011, 02:32:36 PM
I updated one live site of a good friend of mine, without telling him that I had updated the site, because I wanted to see what happened.
I asked myself: "Do other, normal users work the same way I do?"

After some days he called me and said that he can't save pages, Access denied, what happened with the site and what to do. I installed the patch and the problem was solved. Since then he never called me again. OK, he called to drink a beer together  :-D



Title: Re: Security offense!! Access denied!
Post by: BlackBird on June 10, 2011, 03:05:51 PM
I think it's because some modules open stuff in a new popup window or do some other kind of transaction.

I am still having the problem with ALL forms in the BE. I tried to work with it in IE instead of FF, same problem. So in fact it IS unusable here. To be able to go on with my module tests, I had to fake all DB entries and access files. So don't say unusable is too hard a word. :wink:
Title: Re: Security offense!! Access denied!
Post by: BlackBird on June 10, 2011, 03:11:09 PM
Found that the problem was caused by an older BE theme. It seems SecureForm.php requires changes in the BE themes, too.
Title: Re: Security offense!! Access denied!
Post by: Luisehahne on June 10, 2011, 03:13:51 PM
You can check it; the BE theme needs a variable like {FTAN} after the form tag.

Dietmar
Title: Re: Security offense!! Access denied!
Post by: ruebenwurzel on June 10, 2011, 06:50:50 PM
Hello,

Tested it over and over again on all sites, with updated (but non-patched) versions, and also did some new clean installs, and cannot reproduce this error message.

But maybe Bianca's hint is the solution. I always work with the default backend "wb_theme". I didn't use other themes because, although they may look better, I always run into problems with them.

Matthias
Title: Re: Security offense!! Access denied!
Post by: Argos on June 10, 2011, 11:22:30 PM
Strange. I just tested a brand new, clean latest RC6 and had no problems (I use the Argos theme, of course). That is, as long as I didn't have multiple tabs open. I just found out, by the way, that you can use multiple tabs with a simple little trick anyway (not the file hack I posted earlier).

I am disappointed though that the picture option stefek added is not yet added to the core News module. It is an essential option in my opinion.
Title: Re: Security offense!! Access denied!
Post by: NorHei on June 11, 2011, 12:03:39 AM
You can open a second tab, change a few things, go back and then reload the page to have its FTAN refreshed. If you try this with more than 2 tabs you have to keep track of the last one you refreshed. Try to explain that to your client   :-D

For me the attempt to install that news thingy simply led to a bunch of error messages and nothing else.
I don't think it's a good idea to put something like that even into AMASP.
Open a module thread, let people test it, fix all problems, put it on AMASP.
And then, after a while, it's OK to discuss adding it to the core.

I don't even expect the patch to go into the core as it is. If the devs ever decide to add this patch, it needs a complete rework, as it's mixed coding style and some redundant functions.
Title: Re: Security offense!! Access denied!
Post by: Stefek on June 11, 2011, 12:33:57 AM
For me the attempt to install that news thingy simply led to a bunch of error messages and nothing else.
I don't think it's a good idea to put something like that even into AMASP.
As I remember, the problems you ran into were the same with an untouched news module.
There shouldn't be any problems with my changes whatsoever, since those are already part of the module.

Stefek
Title: Re: Security offense!! Access denied!
Post by: NorHei on June 11, 2011, 05:45:29 PM
Just want to mention, this is the wrong thread for news  :wink:
Title: Re: Security offense!! Access denied!
Post by: Luisehahne on June 11, 2011, 06:41:36 PM
INFO!
We are working on a solution: only one FTAN for each page, so all sections (modules) have the same one.

Currently each section has its own FTAN and runs into the security error.

OK, that doesn't solve the multitab problem, but many others.

Dietmar
Title: Re: Security offense!! Access denied!
Post by: NorHei on June 11, 2011, 11:31:30 PM
Yep, confirmed.
The erratic behavior seems to have its origin in multiple section forms, which generate a FTAN for each section of the form. But only the last FTAN generated is valid; all other sections will malfunction.

Another problem I see is having JavaScript open a secondary form, for example to upload an image.
If the secondary form is sent, the main form is no longer valid.
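The two failure modes described in this thread (a second tab or a second section form on the same page invalidating the first, and a token that is only ever valid in one slot) come down to how the server stores form tokens. The following is an added example, not WebsiteBaker's SecureForm code and not NorHei's patch: a CSRF form-token guard that keeps a pool of valid tokens per session rather than a single slot, applies the timeout, browser-fingerprint and partial-IP options using the constant names from NorHei's config snippet earlier in the thread, and renders the hidden field a backend theme would place where Dietmar says {FTAN} belongs. The class, method names, the session layout and the sample addresses are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not WebsiteBaker's SecureForm code: a form-token ("FTAN") guard
// that keeps a pool of valid tokens per session instead of a single slot, so a
// second browser tab, or a second section form on the same page, does not
// invalidate the first. The constant names follow the config options NorHei's
// patch documents; the class, method names and the session layout are assumptions.

defined('WB_SECFORM_SECRET')    || define('WB_SECFORM_SECRET', 'replace-with-a-long-random-string');
defined('WB_SECFORM_USEFP')     || define('WB_SECFORM_USEFP', true);
defined('WB_SECFORM_TIMEOUT')   || define('WB_SECFORM_TIMEOUT', 3600);
defined('WB_SECFORM_TOKENNAME') || define('WB_SECFORM_TOKENNAME', 'FTAN');
defined('WB_SECFORM_USEIP')     || define('WB_SECFORM_USEIP', 2);

final class FormTokenPool
{
    private const MAX_TOKENS = 32;   // cap per session so many open tabs cannot bloat it (assumption)
    private array $store;            // token => expiry timestamp, bound by reference to the session
    private string $fingerprint;

    public function __construct(array &$store, string $remoteAddr, string $userAgent)
    {
        $this->store = &$store;
        $this->fingerprint = self::fingerprint($remoteAddr, $userAgent);
    }

    // Partial IPv4 (first WB_SECFORM_USEIP octets) plus User-Agent, keyed with the secret.
    private static function fingerprint(string $ip, string $ua): string
    {
        $parts = [];
        if (WB_SECFORM_USEIP > 0 && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            $parts[] = implode('.', array_slice(explode('.', $ip), 0, WB_SECFORM_USEIP));
        }
        if (WB_SECFORM_USEFP) {
            $parts[] = $ua;
        }
        return hash_hmac('sha256', implode('|', $parts), WB_SECFORM_SECRET);
    }

    // Issue one token per rendered form. Earlier tokens stay valid until used or expired.
    public function issue(int $now): string
    {
        $this->purge($now);
        $nonce = bin2hex(random_bytes(16));
        $mac   = substr(hash_hmac('sha256', $nonce . $this->fingerprint, WB_SECFORM_SECRET), 0, 32);
        $token = $nonce . '-' . $mac;       // the MAC binds the nonce to this client's fingerprint
        $this->store[$token] = $now + WB_SECFORM_TIMEOUT;
        while (count($this->store) > self::MAX_TOKENS) {
            unset($this->store[array_key_first($this->store)]);   // drop the oldest
        }
        return $token;
    }

    // What a backend theme renders in place of {FTAN}, directly after the <form> tag.
    public function hiddenField(int $now): string
    {
        return sprintf('<input type="hidden" name="%s" value="%s">',
            WB_SECFORM_TOKENNAME, htmlspecialchars($this->issue($now), ENT_QUOTES));
    }

    // Validate a submitted token once; it is consumed whether or not the MAC matches.
    public function check(?string $submitted, int $now): bool
    {
        $this->purge($now);
        if ($submitted === null || !isset($this->store[$submitted])) {
            return false;                 // unknown, expired, or already used
        }
        unset($this->store[$submitted]);
        [$nonce, $mac] = explode('-', $submitted, 2) + [1 => ''];
        $expected = substr(hash_hmac('sha256', $nonce . $this->fingerprint, WB_SECFORM_SECRET), 0, 32);
        return hash_equals($expected, $mac);
    }

    private function purge(int $now): void
    {
        foreach ($this->store as $token => $expiry) {
            if ($expiry <= $now) {
                unset($this->store[$token]);
            }
        }
    }
}

// Constructed walkthrough: two tabs of one session, then a submit from each.
// With a single-slot scheme the first tab's token would already have been
// overwritten; with the pool both submits pass and a replay of either fails.
$session = [];
$guard   = new FormTokenPool($session, '203.0.113.7', 'Mozilla/5.0 (constructed UA)');
$tab1    = $guard->issue(time());
$tab2    = $guard->issue(time());
var_dump($guard->check($tab1, time()), $guard->check($tab2, time()), $guard->check($tab2, time()));

// The same session cookie presented from another network/client fails the fingerprint check.
$other = new FormTokenPool($session, '198.51.100.9', 'curl/8.0 (constructed UA)');
var_dump($other->check($guard->issue(time()), time()));
```

In the walkthrough the first two checks succeed, the replay of the second token and the check from the other client both fail. Keeping one token per rendered form (rather than one per page, as proposed above) means a page with several section forms, or a CKEditor upload popup, can each submit independently; the cost is the small per-session array. The fingerprint here only handles IPv4 and, like any IP-based check, will reject users whose address changes mid-session beyond the first WB_SECFORM_USEIP octets, which is why WB_SECFORM_USEIP=0 remains a legitimate setting for mobile or multi-proxy audiences.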
Title: Re: Security offense!! Access denied!
Post by: babsy on August 09, 2011, 01:40:15 PM
hi :) I just installed a new website with this 2.8.2 version, but I can't make a page?
I just get the message:

Security offense!! Access denied!

I have followed the install guide, and everything worked fine, and I can't seem to find any information about how to get past this message and get started making pages?

Title: Re: Security offense!! Access denied!
Post by: Argos on August 09, 2011, 01:47:35 PM
Until someone comes with a solution, you can disable the security function (FTAN) in the admin settings if you like, and see if that helps.
Title: Re: Security offense!! Access denied!
Post by: babsy on August 09, 2011, 02:09:32 PM
Actually, I can't do anything in the backend without getting the message:
Security offense!! Access denied!

I can't make any changes in the admin security :(
Title: Re: Security offense!! Access denied!
Post by: maverik on August 09, 2011, 02:11:55 PM
1) say "sleep well for 24 hours" to the browser you installed WB with  :-D
2) take another browser and go to admin tools > secure form switcher and activate multitab
3) save
4) from now on all should work fine >> I hope
Title: Re: Security offense!! Access denied!
Post by: babsy on August 09, 2011, 02:20:09 PM
Hi :) yes.. I will do that.. and I see it works OK in IE :)
Title: Re: Security offense!! Access denied!
Post by: NorHei on August 09, 2011, 02:27:19 PM
It might also help if you close all tabs, clear cache and cookies and restart your browser.
Title: Re: Security offense!! Access denied!
Post by: ufferichter on August 28, 2011, 09:19:10 PM
I have read about the "Security offense!! Access denied!" and tried everything now; I can't update from version 2.8.1 without this problem. I don't know what to do; I go back to this version every time.
Title: Re: Security offense!! Access denied!
Post by: ruebenwurzel on August 29, 2011, 07:25:39 AM
@ufferichter

Which errors do you have exactly? "You cannot update": does this mean the upgrade fails? Or did the upgrade work well and you then got error messages in the backend? Did you use a built-in backend theme or your own?

The more info we get, the better we can help.

Matthias
Title: Re: Security offense!! Access denied!
Post by: ufferichter on August 30, 2011, 01:38:20 PM
I just overwrite with the new files in 2.8.2 and use the upgrade.php, and I also tried to use the last upgrade to overwrite files, but no matter what I do, "Security offense!! Access denied" every time when I try to edit or save changes, so I go back to the last stable version.
Title: Re: Security offense!! Access denied!
Post by: HK on October 20, 2016, 12:37:36 PM
After the upgrade from WB2.8.1 to WB2.8.3 with SP7 I get this error message for (almost) everything I try to change.
By default the template used is now the Website Baker Default Template v.1.0.0-dev5 and I cannot set any other template from the list.
I also did not manage to make a page whose Visibility is set to Registered public.
Changes in pages are saved, but not in the Page Settings.
Normally I work in Opera, but I have also tried it in Firefox.
Annoying that it does not say what exactly is wrong, why access is denied!
The installation of a modern template is also refused (Sobresot.zip)
What could be wrong here?
124Media.nl (http://124Media.nl)
Title: Re: Security offense!! Access denied!
Post by: Ruud on October 20, 2016, 01:02:06 PM
This happens when you use an old or "own" backend theme. (By the look of it you are using a very old one.)
So use one of the two bundled backend themes; then it will probably work.

PS..
I assume / hope that you did not go directly from 2.8.1 to 2.8.3SP7!
See: http://forum.WebsiteBaker.org/index.php/topic,29355.0.html
Title: Re: Security offense!! Access denied!
Post by: HK on October 21, 2016, 11:22:27 AM
No Ruud,
I went via 2.8.3 without SP.
It is true that I chose an old & trusted backend theme (Classic), but when I now try to change that in the Default Settings, I also get the Security Warning and my new setting is ignored.
Sorry that I initially overlooked your answer in this thread..
Title: Re: Security offense!! Access denied!
Post by: Ruud on October 21, 2016, 11:32:48 AM
Indeed awkward: you are now not allowed to set anything, because that produces a security problem.

Probably the easiest is to upload the contents of the "DefaultTheme" folder into the folder of your current admin theme as well.
For that you first have to remove everything from your current theme, except the info.php, which MUST remain (so do not overwrite it either).
Title: Re: Security offense!! Access denied!
Post by: HK on October 21, 2016, 12:32:18 PM
Hello Ruud,
I have also thought about removing the currently installed backend theme Classic with FileZilla, but I cannot find it.
Can you tell me where to look? I assume that after removing it there is an automatic fallback to a default theme?
Title: Re: Security offense!! Access denied!
Post by: Ruud on October 21, 2016, 01:33:50 PM
No, there is no fallback! So do not just delete it.

The backend themes are in the templates directory.
In such a directory there is an info.php in which you can find the name (it need not be the same as the directory name).
Title: Re: Security offense!! Access denied!
Post by: HK on November 14, 2016, 12:42:58 PM
Hello Ruud,
Many thanks; the operation succeeded; the Default Theme is now active for the backend. In the settings I also see other options: Argos, classic_theme and wb_theme. It is clear to me by now that I had better not use classic_theme anymore; can I "just" delete it with FileZilla, or might that cause problems?
Does that perhaps also apply to the other themes, or can I still use Argos and wb_theme, for example? For now I do not dare to yet...
On the WB website I find nothing at all under Themes..
Title: Re: Security offense!! Access denied!
Post by: Ruud on November 14, 2016, 12:53:13 PM
Argos is still a usable theme (although I think it has a few small bugs).
The others you should be able to remove via /admin / extras / templates.
In any case you should not enable them anymore.

If removing them that way does not work, you can remove them via FTP and reinitialise the templates once via "Extras" > "Advanced". Then they are gone from the selection list as well.