#54269
07/30/2002 3:31 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Is it possible to use the UBB's ability to track IPs and encrypt that info in the cookie so that a hijacked cookie is worthless? Of course the password would have to be encrypted too. I realize that it would force users to re-login if the IP changes, but even if it was a Class C or B it would allow modem users or AOL proxied users to stay logged in and still prevent nearly all cookie hijack problems.
I know that the Infopop guys go to great lengths to filter HTML and prevent exploits, but face it, we're only one step ahead of the people that thrive on the enjoyment they get from malicious behavior and tearing down communities.

#54270
07/31/2002 9:52 AM
Joined: Apr 2002
Posts: 111
Member
Maybe a better idea would be to allow users to restrict access to their accounts to specific IP addresses. If someone steals the cookie, then they wouldn't be able to login. That shouldn't be too hard, just changes to verify_id_num and verify_id_num2? (along with an interface, of course) This means those on static IPs can be sure that no one can access their account, except anyone that gets on their machine.

#54271
07/31/2002 9:28 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
I have a friend that is involved in another BB and is using my idea with MD5 encrypted passwords, and he is also encrypting the first two octets of the IP in the cookie. So far it's going well.
Of course the trick is making sure they can't just decipher which part is which and paste part of their cookie into yours.
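As an added example (not code from this thread's posters or from UBB.classic), here is one way to get the behaviour the two posts above are after: the login cookie carries the username, the MD5 of the lowercased password (as the thread's mod does), and the first two octets of the client address, and a keyed digest over all three fields ties them together so that fields from one cookie cannot be pasted into another and a cookie replayed from a different /16 is refused. Instead of "encrypting" the octets it uses Digest::SHA's hmac_sha256_hex under a server-side secret (Digest::SHA is a core module in current Perl; the secret, member record and addresses below are constructed sample values, the addresses from the RFC 5737 documentation ranges).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);          # password digest, as in the thread's mod
use Digest::SHA qw(hmac_sha256_hex);  # keyed digest over the cookie fields

# Constructed sample data: a server-side secret (keep it out of the web root)
# and one member record.
my $SERVER_SECRET = 'hypothetical-long-random-secret-string';
my %member = (username => 'alice', password => 'S3cret!');

# First two octets of an IPv4 dotted quad ("Class B" granularity), so dial-up
# and proxied users keep their session across a changed host address.
sub ip_prefix {
    my ($ip) = @_;
    my @octets = split /\./, $ip;
    return undef unless @octets == 4;   # IPv4 only
    return join '.', @octets[0, 1];
}

# Cookie value: username | md5(password) | ip prefix | mac.  The mac covers
# the first three fields under the server secret, which is what stops someone
# splicing fields from one cookie into another.
sub issue_cookie {
    my ($username, $password, $client_ip) = @_;
    my $pwhash = md5_hex(lc $password);
    my $prefix = ip_prefix($client_ip)
        or die "issue_cookie: not an IPv4 address: $client_ip\n";
    my $mac = hmac_sha256_hex(join('|', $username, $pwhash, $prefix), $SERVER_SECRET);
    return join '|', $username, $pwhash, $prefix, $mac;
}

# Compare two hex strings without a data-dependent early exit.
sub same_hex {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the username when the cookie is intact and presented from the /16 it
# was issued to; otherwise undef, and the visitor is treated as not logged in.
sub verify_cookie {
    my ($cookie, $client_ip) = @_;
    my ($username, $pwhash, $prefix, $mac) = split /\|/, $cookie, 4;
    return undef unless defined $mac;
    my $expected = hmac_sha256_hex(join('|', $username, $pwhash, $prefix), $SERVER_SECRET);
    return undef unless same_hex($mac, $expected);      # tampered or spliced cookie
    my $client_prefix = ip_prefix($client_ip);
    return undef unless defined $client_prefix && $prefix eq $client_prefix;  # replayed elsewhere
    return $username;
}

my $cookie = issue_cookie($member{username}, $member{password}, '192.0.2.10');

printf "same /16, different host : %s\n", verify_cookie($cookie, '192.0.2.200') // 'rejected';
printf "other network            : %s\n", verify_cookie($cookie, '198.51.100.7') // 'rejected';

# Fields from alice's cookie pasted next to another username and prefix:
# the mac no longer matches, so the cookie is refused.
my @f = split /\|/, $cookie;
my $spliced = join '|', 'bob', $f[1], '198.51', $f[3];
printf "spliced fields           : %s\n", verify_cookie($spliced, '198.51.100.7') // 'rejected';
```

Two caveats a deployment would want to keep in mind: the password digest still travels in the cookie, so a stolen cookie can be attacked offline against weak passwords even though it cannot be replayed (a random session identifier looked up server-side avoids that), and the /16 check only applies to IPv4 addresses as written.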

#54272
08/01/2002 8:02 AM
Joined: Dec 2000
Posts: 730
German moderator / v5 specialist
On my board I use MD5 to encrypt the PWD. I also changed the function "lost PWD" because in the profile the PWD is also encrypted.
I think it's a good idea to encrypt the first part of the IP and store it encrypted in the cookie.

#54273
08/01/2002 8:17 PM
Joined: Dec 2000
Posts: 371
Member
Joking-down, I would appreciate it if you could tell me how you used MD5, because our forum has been hacked twice in the last months by people who use scripts which can catch cookies.

#54274
08/02/2002 1:46 PM
Joined: Nov 2000
Posts: 68
Member
Hi T, I've been snooping around this place looking for encryption routines and saw this thread.
If ya wanna work with me on this cookie problem, ICQ me. I have a few solutions brewing.

#54275
08/03/2002 11:20 AM
Joined: Dec 2000
Posts: 730
German moderator / v5 specialist
With this code you can protect the PWD in the cookie:

cp.cgi
======
find:
----
use strict;
use Fcntl ':flock';
use UBBCGI qw(:cgi); # CGIPath/Modules/UBBCGI.pm
use UBBCGI::Carp qw(fatalsToBrowser set_message); # CGIPath/Modules/UBBCGI/Carp.pm

add after:
---------
##
# use MD5
##
use Digest::MD5 qw (md5 md5_hex md5_base64);

find:
----
&CheckPermission_CP;
my $cookie = cookie(
    -name => "ubbadmin$vars_config{Cookie_Number}",
    -value => [$username, $password, $status, $pn, $admin_num],

replace with:
------------
&CheckPermission_CP;
my $cookie = cookie(
    -name => "ubbadmin$vars_config{Cookie_Number}",
    -value => [$username, md5_hex(lc($password)), $status, $pn, $admin_num],

cp_lib.cgi
==========
find:
----
my @profile = &OpenProfile($profile_stuff[2]);
chomp($profile[1]);
chomp($profile[8]);
chomp($profile[15]);
$lcpw = lc($password);
$lcprofpw = lc($profile[1]);
if ($lcpw ne "$lcprofpw") {

replace with:
------------
my @profile = &OpenProfile($profile_stuff[2]);
chomp($profile[1]);
chomp($profile[8]);
chomp($profile[15]);
$lcpw = lc($password);
$lcprofpw = lc($profile[1]);
# a stored value shorter than an md5_hex digest (32 chars) is still clear text
if (length($lcprofpw) < 32) {
    $lcprofpw = md5_hex($lcprofpw);
}
if ($lcpw ne "$lcprofpw") {

ubb_lib.cgi
===========
find every:
----------
#lowercase everything
$lcpw = lc($profile[1]);
$lc_un = lc($profile[0]);
chomp($lc_pw_in = lc($pw)); # jic
chomp($lc_un_in = lc($un));

and add AFTER:
-------------
if (length($lcpw) < 32) {
    $lcpw = md5_hex($lcpw);
}

ubb_lib_misc.cgi
================
find:
----
-value => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],

replace with:
------------
-value => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],

ubb_new_reply.cgi, ubb_new_topic.cgi
====================================
find:
----
$cookie4 = cookie(
    -name => "ubber$vars_config{Cookie_Number}",
    -value => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
    -path => '/',
    -expires => '+2y'
);

replace with:
------------
$cookie4 = cookie(
    -name => "ubber$vars_config{Cookie_Number}",
    -value => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
    -path => '/',
    -expires => '+2y'
);

ubb_profile.cgi
===============
find:
----
$cookie2 = cookie(
    -name => "ubber$vars_config{Cookie_Number}",
    -value => [$user_profile[0], $new_password, $public_name, $in{DaysPrune}, $in{u}, $pntf_hidden, $avhide],
    -path => '/',
    -expires => '+2y'
);

replace with:
------------
$cookie2 = cookie(
    -name => "ubber$vars_config{Cookie_Number}",
    -value => [$user_profile[0], md5_hex(lc($new_password)), $public_name, $in{DaysPrune}, $in{u}, $pntf_hidden, $avhide],
    -path => '/',
    -expires => '+2y'
);

ultimate.cgi
============
find:
----
use strict;
use Fcntl ':flock';
use UBBCGI qw(:cgi); # CGIPath/Modules/UBBCGI.pm
use UBBCGI::Carp qw(fatalsToBrowser set_message); # CGIPath/Modules/UBBCGI/Carp.pm

add after:
---------
##
# use MD5
##
use Digest::MD5 qw (md5 md5_hex md5_base64);

find:
----
chomp(my $writeadmin = (&OpenProfile($profile_number))[4]);
chomp(my $this_un = (&OpenProfile($profile_number))[0]);
chomp(my $this_pw = (&OpenProfile($profile_number))[1]);

replace with:
------------
chomp(my $writeadmin = (&OpenProfile($profile_number))[4]);
chomp(my $this_un = (&OpenProfile($profile_number))[0]);
chomp(my $this_pw = (&OpenProfile($profile_number))[1]);
$this_pw = md5_hex (lc($this_pw));

find:
----
my $cookie = cookie(
    -name => "ubber$vars_config{Cookie_Number}",
    -value => [$this_un, $this_pw, $pubname, $dp, $profile_number, $hidden, $noav],
    -path => '/',
    -expires => '+2y'
);
$username = $in{username};

replace with:
------------
my $cookie = cookie(
    -name => "ubber$vars_config{Cookie_Number}",
    -value => [$this_un, md5_hex(lc($this_pw)), $pubname, $dp, $profile_number, $hidden, $noav],
    -path => '/',
    -expires => '+2y'
);
$username = $in{username};

find:
----
# reconfirm user data- in case profile details were changed
if ($username ne '') {
    my @this_profile = &verify_id_num_2($username, $password, $user_number);
    chomp($this_profile[1]);
    chomp($this_profile[0]);
    chomp($this_profile[21]);
    chomp($this_profile[15]);
    chomp($this_profile[35]);
    if ($this_profile[15] eq '') {
        $this_profile[15] = "$this_profile[0]";
    }
    $cookie3 = cookie(
        -name => "ubber$vars_config{Cookie_Number}",
        -value => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
        -path => '/',
        -expires => '+2y'
    );
}

replace with:
------------
# reconfirm user data- in case profile details were changed
if ($username ne '') {
    my @this_profile = &verify_id_num_2($username, $password, $user_number);
    chomp($this_profile[1]);
    chomp($this_profile[0]);
    chomp($this_profile[21]);
    chomp($this_profile[15]);
    chomp($this_profile[35]);
    if ($this_profile[15] eq '') {
        $this_profile[15] = "$this_profile[0]";
    }
    $cookie3 = cookie(
        -name => "ubber$vars_config{Cookie_Number}",
        -value => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
        -path => '/',
        -expires => '+2y'
    );
}

I tested the code only on my local system...

#54276
08/03/2002 1:32 PM
Joined: Jun 2001
Posts: 729
Coder
Was going to test on 6.1.0.4 system but in ubb_lib.cgi your section for "find every:" the code does not exist. Checked your site in your signature and see it is a 5.47e system.
What version was this tested on?

#54277
08/03/2002 3:25 PM
Joined: Dec 2000
Posts: 730
German moderator / v5 specialist
quote:
Originally posted by 1QuickSI: What version was this tested on?
I installed version 6.3.1 on my local system. For V6.1.0x:

search:
------
# check password
if ($lcpw ne "$lc_pw_in") {
    &StandardHTML("$vars_wordlets_err{invalid_password}");
}

add before:
----------
if (length($lcpw) < 32) {
    $lcpw = md5_hex ($lcpw);
}

#54278
08/03/2002 6:46 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
I'm getting this error on my 6.3.1 test board...
Can't locate auto/Digest/MD5/md5_hex.al in @INC etc. etc.
I went to CPAN for the latest MD5 module and still no go.

#54279
08/03/2002 6:52 PM
Joined: Dec 2000
Posts: 371
Member
Tnx Joking-down. I think we have to install the Perl version of MD5 to run? If so, where and how? If this works I'll make a statue for you in the hall of fame.

#54280
08/03/2002 7:22 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
You can't just copy MD5.pm - you need to ask your hosting provider to install the Digest::MD5 module.
UBB.classic: Love it or hate it, it was mine.

#54281
08/03/2002 7:23 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Charles, does this look valid to you? Is this something that will help?

#54282
08/03/2002 8:18 PM
Joined: Dec 2000
Posts: 47
Member
Good idea. ezboard actually does it with High Security, as far as I am aware. Basically, the session cookie has the IP embedded and thus can only be used from that IP. All other users are treated as not logged in, even though they have a cookie.

#54283
08/03/2002 10:06 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
It's not the method that we'll be using when we go MD5, but it looks like a solution, yes.
(The lost password issue has been a major support & confusion problem - generating a new password every time the user forgets is a real, real pain. We will not be encrypting the password on disk, but it will be MD5ed in the cookie. .. and if you're worried about the member files being read, then you seriously need to look at the security on your server.)
UBB.classic: Love it or hate it, it was mine.

#54284
08/03/2002 10:32 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
I must have been confused, I thought this was only for the cookie. I have my members folder outside of the web folder so it's very secure.

#54285
08/04/2002 8:16 AM
Joined: Dec 2000
Posts: 730
German moderator / v5 specialist
This mod is only for the cookies...

#54286
08/04/2002 10:37 AM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Edit: my host says that they can't do this for me till the next upgrade of Perl. Is there anything I can do to get this working? If Charles is going to be able to get the passwords MD5'd in the cookies in 6.4, then I'm sure that they won't be making us ask our hosting companies to install modules for us.

#54287
08/04/2002 12:34 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
There is a pure-Perl MD5 module that we can ship, but this hack isn't made for it.
And your host lies. Horribly. Very badly.
UBB.classic: Love it or hate it, it was mine.

#54288
08/04/2002 2:27 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Looks like I have some investigating to do. Thanks.
Edit: I ran perldiver and it shows that I have Digest::MD5 and DynaLoader installed. The error I'm getting says that it can't locate auto/Digest/MD5 in the path.
How can I tell it to look in Digest/MD5 instead of auto/Digest/MD5?

#54289
08/04/2002 4:53 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Large modules are often split up into smaller pieces to make them easier to load. Your host's Digest::MD5 has been autosplit, which is why it's looking in auto/.
This isn't something you can fix... Digest::MD5 has to be compiled on the server.
UBB.classic: Love it or hate it, it was mine.

#54290
08/04/2002 5:50 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Thanks Charles, I've passed this info on. Maybe Joking-Down can modify this a bit to accept the pure Perl module you were talking about for 6.4?

#54291
08/10/2002 8:46 AM
Joined: Dec 2000
Posts: 730
German moderator / v5 specialist
When you have no Digest::MD5 you can use the module Digest::Perl::MD5 instead. I have a small error in the code:

remove in ultimatebb.cgi the line:
---------------------------------
$this_pw = md5_hex (lc($this_pw));

change all:
----------
use Digest::MD5 qw (md5 md5_hex md5_base64);

to:
--
eval {
    require Digest::MD5;
    import Digest::MD5 'md5_hex';
};
if ($@) {
    require Modules::Digest::Perl::MD5;
    import Modules::Digest::Perl::MD5 'md5_hex';
}
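An added example, not code from the thread's posters or from UBB.classic, that puts together the two pieces of this mod as a stand-alone script: the runtime fallback from the compiled Digest::MD5 to the pure-Perl Digest::Perl::MD5 described in the post above, and the password check from #54275/#54277, where the cookie carries md5_hex of the lowercased password while member files written before the mod still hold the password in clear and are hashed on the fly when the stored value is shorter than a 32-character digest. It assumes Digest::Perl::MD5 is installed under its CPAN name rather than the Modules:: path UBB uses; the member records are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pick an md5_hex() implementation at runtime: the compiled Digest::MD5 when
# the host has it, otherwise the pure-Perl Digest::Perl::MD5 (assumed to be
# installed under @INC).  Returns the module name so the choice can be logged.
sub load_md5 {
    my $mod = eval { require Digest::MD5; Digest::MD5->import('md5_hex'); 'Digest::MD5' };
    return $mod if $mod;
    require Digest::Perl::MD5;
    Digest::Perl::MD5->import('md5_hex');
    return 'Digest::Perl::MD5';
}
my $md5_module = load_md5();

# The mod lowercases passwords before hashing, as UBB.classic compared them
# case-insensitively; the cookie field is md5_hex(lc(password)).
sub cookie_pw_value {
    my ($password) = @_;
    return md5_hex(lc $password);
}

# Member files from before the mod hold the password in clear text.  An
# md5_hex digest is always 32 characters, so anything shorter is treated as
# clear text and hashed here; a digest is used as-is.  (A clear-text password
# of exactly 32 characters would be mistaken for a digest and never match.)
sub normalize_stored_pw {
    my ($stored) = @_;
    chomp $stored;
    my $lc = lc $stored;
    return length($lc) < 32 ? md5_hex($lc) : $lc;
}

# Does the password field presented in the cookie match the member record?
sub cookie_pw_matches {
    my ($cookie_pw, $stored) = @_;
    return lc($cookie_pw) eq normalize_stored_pw($stored);
}

# Constructed member records: alice's file predates the mod (clear text, with
# the trailing newline a profile line carries); bob's already holds a digest.
my %legacy_member = (username => 'alice', stored_pw => "Tr0ub4dor\n");
my %hashed_member = (username => 'bob',   stored_pw => md5_hex('correcthorse'));

sub verdict { return $_[0] ? 'ok' : 'rejected' }

print "md5_hex provided by   : $md5_module\n";
print "alice, right password : ", verdict(cookie_pw_matches(cookie_pw_value('tr0ub4dor'), $legacy_member{stored_pw})), "\n";
print "alice, wrong password : ", verdict(cookie_pw_matches(cookie_pw_value('trombone'),  $legacy_member{stored_pw})), "\n";
print "bob, right password   : ", verdict(cookie_pw_matches(cookie_pw_value('CorrectHorse'), $hashed_member{stored_pw})), "\n";
```

The first alice line passes even though the case differs, which is the case-insensitive behaviour the mod inherits through lc(). Worth keeping in view when running this scheme: an unsalted MD5 of a lowercased password is cheap to reverse for weak passwords, so the cookie value is still sensitive data even though it no longer reveals the password directly, and the member files themselves are unchanged by the mod, which is why Charles points at server-side file permissions as the real protection for them.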