Security offense!! Access denied!

[NorHei]

To me this looks like a great solution .
One token is only valid for one already loaded form and for nothing else.

[NorHei]

I build a replacement for the default SecureForm.php

It seemst to be functional so far , maybe someone else runns some more decent tests.

Just paste  it to over the old  /framework/SecureForm.php.
Btw i added the old Version for easy restore.

If its fully functional i guess its at least 100 times better than disabling the checks.

Have fun and enjoy  


[gelöscht durch Administrator]

[Argos]

How can we test something like this? I mean, what do we have to look for? The absence of usability issues like the FTAN ones? Or something specific?

[BlackBird]

That's a good question. I think the most important thing is that it works across tabs, for this is the reason for the patch. Next, you may try to hack the token in the form to see what happens. (There should be something like "access denied" then.) Maybe NorHei can give more examples.

[Argos]

Do you mean with "works across tabs" that you can have multiple forms opened in the tabs? Because that's the biggest problem I personally would like to get rid of.

[BlackBird]

Yes.

With the new solution, a token is generated that is signed by the server. It is not stored in the session or somewhere else, but it has a timeout.

You can work with multiple tabs, but you can't post the form with another User Agent or from another IP. (This means, you cannot open the form with one browser and post the same form with the same token with another one. But you can open as many forms as you like with the same session in different tabs.) The token is still secure. (See explanations by following the link I provided some posts up.)

[Argos]

Ah! Sounds perfect then. The technical stuff about tokens and sessions and what have you is far beyond my understanding, it's all mumbojumbo to me I'm afraid. And I must admit it doesn't interest me either. I'm a designer, not a coder. But if the result is that multiple tabs with open forms are possible (so usability is not affected), and WB is still more secured, than it sounds great!

[BlackBird]

Yes. In my opinion, it's a good solution, and I don't think it is less secure than the original one. I am discussing with NorHei by PN some options to improve token security a little bit, by generating a random secret and storing it outside the code. There could also be an automatic re-generation of the secret every X days, for example. Only someone with more "criminal energy" should check the solution.

[NorHei]

For now i added no Browser fingerprinting as should be done by the session.

Normally the session should logout and present a password field if someone changes his browser of maybe IP.
So for now you can even use different Browsers and different IP.

If you like i can add some advanved Fingerprinting that can be turened on an off, as fingerprinting sometimes can cause some troubles.

The Security part is the part i checked myself , i need some additional checking whith funktionality on different forms  so simply turn on errors and use it

[BlackBird]

I will have problems with this kind of token, as my IP changes with every hit. (LoadBalancer)

[Argos]

Please let us know when it's time to test! And is the download in your previous post the latest version all the time?

[NorHei]

@Blackbird
http://en.wikipedia.org/wiki/X-Forwarded-For
Is already implemented in my fingerprint functions
Another option would be to use just the first 2 parts of your IP .

@Argos
i thought of posting a fresh version at the end of the thread as it only makes sense to moduify the old one  if the old entry is at the beginning of the thread. If you can add an entry at the start of the thread i would up date that too.

[BlackBird]

I would open a new thread when the patch is ready. I think that's more eye-catching.

[NorHei]

Ok version 0.2.

Added browser fingerprint  and ip check (even if behind proxy or loadbalancer).

If you want some special configuration put this somewhere in your config.php for example

Code: [Select]

# Secret can contain anything its the base for the secret part for the hash
define ('WB_SECFORM_SECRET','whatever you like');
# shall we use fingerprinting true/false
define ('WB_SECFORM_USEFP', true);
# Timeout till the form token times out. Integer value between 0-86400 seconds (one day)     
define ('WB_SECFORM_TIMEOUT', 3600);   
# Name for the token form element only alphanumerical string allowed that starts whith a charakter
define ('WB_SECFORM_TOKENNAME','my3form3');
# how many blocks of the IP should be used in fingerprint 0=no ipcheck, possible values 0-4
defined ('WB_SECFORM_USEIP',2);

Just wanted to mention that this is code is not cleaned up at all if no useage problems occure i clean it up whith the next versions .


Btw. is anyone has an idea what this  IDKEY is exactly doing please feel free to explain.
(or maybe where i can find a decent explanation)




[gelöscht durch Administrator]

[NorHei]

Version 0.3

Did some cleanup and fixed a small bug.(missing  _)

[gelöscht durch Administrator]

[NorHei]

Opened a seperate thread for it :

http://www.websitebaker2.org/forum/index.php/topic,21527.0.html

[BlackBird]

I've installed the current WB2.8.2 RC6 for the first time, and for the first time I see that it's completely unusable! I have ONE Tab with WB2.8.2, but another one with my "old" 2.8.1-installation, tried to add a first page, and I'm getting the security warning instantly.

[instantflorian]

@Blackbird: Does this still happen after you installed NorHei's patch?

[BlackBird]

Yepp. I'm unable to create new pages.

[ruebenwurzel]

Hello,

WB2.8.2 RC6 for the first time, and for the first time I see that it's completely unusable!

Just for to clearify, not WB 2.8.2 RC6 ist unusable. It only will get unusable when it is patched. So it is good, that this patch will find no way to the core.

Matthias

[maverik]

It only will get unusable when it is patched

   

Same behavior as bianka discribes i had too without patch. i am working on 3 live sites with rc6 with patch and working is possible for me.
without patch it wasn´t.

[BlackBird]

Just to clarify, same behaviour with UNPATCHED RC6. I installed the patch to fix it.

[instantflorian]

Just for to clearify, not WB 2.8.2 RC6 ist unusable. It only will get unusable when it is patched. So it is good, that this patch will find no way to the core.

No. Objection! Same as Maverik for me. Without patch, the RC6 still throws from time to time (not always, strange enough) the "security offense" error even if only 1 tab is opened. So this version is not completely "unusable" (thats a strong word), but a bit risky to use.  With Norhei's patch, this problem disappears.

BR
_florian.

[NorHei]

I can only make a guess.

I think its because some modules open stuff in a new popup window or do some other kind of transaction . As whithout the patch there is only one valid transaction possible the main form becomes invalid after adding an image in CKE for example.

[maverik]

If updatet one live site, good friend of me, without information to him that i have updatet the site because i want see what happend.
I asked me : "Do other, normal User work in the same way i do."

After some days he calls me and said that he cant save pages, Acces denied, whats happend with the site and whats to do. I installed the patch and problem was solved. Since this time he never called me again. Ok, he called for drinking a beer together