Cookie IP encryption? - UBB.Developers

UBB.Dev

Is it possible to use the UBB's ability to track IP's and encrypt that info in the cookie so that a hijacked cookie is worthless? Of course the password would have to be encrypted too. I realize that it would force users to re-login if the IP changes but even if it was a Class C or B it would allow modem users or AOL proxied users to stay logged in and still prevent nearly all cookie hijack problems.

I know that the Infopop guys go to great lengths to filter HTML and prevent exploits but face it, we're only one step ahead of the people that thrive on the enjoyment they get from malicious behavior and tearing down communitys.

Maybe a better idea would be allow users to restrict access to their accounts to specific IP addresses.

If someone steals the cookie, then they wouldn't be able to login.
That shouldn't be too hard, just changes to verify_id_num and verify_id_num2 ? (along with an interface of course)

This means those on static IPs can be sure that no one can access their account, except anyone that gets on their machine

I have a friend that is involved in another BB and is using my idea with MD5 encrypted passwords and he is also encrypting the first two octets of the IP in the cookie. So far it's going well.

Of course the trick is making sure they can't just decypher which part is which and paste ofrt of their cookie into yours.

on my board i use MD5 to encrypted the PWD. i changes also the function "lost PWD" because in the profile is the PWD also encrypted.

i think it's a good idea to encrypt the first part of the IP and store it encrypted in the cookie.

Joking-down i would appriciate it if you can tell me how you used MD5 because our forum is hacked twice in the last months by people that use scripts wich can catch cookies.

Hi T, I've been snooping around this place looking for encryption routines and saw this thread.

If ya wanna work with me on this cookie problem, ICQ me. I have a few solutions brewing.

with this code you can protect the PWD in the cookie:

Code

cp.cgi
======
 
find:
----
 
use strict;
use Fcntl ':flock';
use UBBCGI qw(:cgi);	# CGIPath/Modules/UBBCGI.pm
use UBBCGI::Carp qw(fatalsToBrowser set_message);	# CGIPath/Modules/UBBCGI/Carp.pm
 
 
add after:
---------
 
##
#   use MD5
##
 
use Digest::MD5 qw (md5 md5_hex md5_base64);
 
 
 
find:
----
 
    &CheckPermission_CP;
    my $cookie = cookie(
        -name  => "ubbadmin$vars_config{Cookie_Number}",
        -value => [$username, $password, $status, $pn, $admin_num],
 
 
replace with:
------------
 
    &CheckPermission_CP;
    my $cookie = cookie(
        -name  => "ubbadmin$vars_config{Cookie_Number}",
        -value => [$username, md5_hex(lc($password)), $status, $pn, $admin_num],
 
 
 
cp_lib.cgi
==========
 
find:
----
 
    my @profile = &OpenProfile($profile_stuff[2]);
    chomp($profile[1]);
    chomp($profile[8]);
    chomp($profile[15]);
    $lcpw     = lc($password);
    $lcprofpw = lc($profile[1]);
    
    if ($lcpw ne "$lcprofpw") {
 
 
 
replace with:
------------
 
    my @profile = &OpenProfile($profile_stuff[2]);
    chomp($profile[1]);
    chomp($profile[8]);
    chomp($profile[15]);
    $lcpw     = lc($password);
    $lcprofpw = lc($profile[1]);
    
    if (length($lcprofpw) < 32) {
        $lcprofpw = md5_hex($lcprofpw);
    }
 
    if ($lcpw ne "$lcprofpw") {
 
 
 
 
ubb_lib.cgi
===========
 
find every:
----------
 
#lowercase everything
$lcpw     = lc($profile[1]);
$lc_un    = lc($profile[0]);
chomp($lc_pw_in = lc($pw)); # jic
chomp($lc_un_in = lc($un));
 
 
 
and add AFTER:
-------------
 
if (length($lcpw) < 32) {
    $lcpw = md5_hex ($lcpw);
}
 
 
 
 
ubb_lib_misc.cgi
================
 
find:
----
 
-value   => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/|/, $this_profile[38]))[2]],
 
 
replace with:
------------
 
-value   => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/|/, $this_profile[38]))[2]],
 
 
 
 
ubb_new_reply.cgi, ubb_new_topic.cgi
====================================
 
find:
----
 
    $cookie4 = cookie(
        -name    => "ubber$vars_config{Cookie_Number}",
        -value   => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/|/, $this_profile[38]))[2]],
        -path    => '/',
        -expires => '+2y'
    );
 
 
 
replace with:
------------
 
    $cookie4 = cookie(
        -name    => "ubber$vars_config{Cookie_Number}",
        -value   => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/|/, $this_profile[38]))[2]],
        -path    => '/',
        -expires => '+2y'
    );
 
 
 
 
ubb_profile.cgi
===============
 
find:
----
 
    $cookie2 = cookie(
        -name    => "ubber$vars_config{Cookie_Number}",
        -value   => [$user_profile[0], $new_password, $public_name, $in{DaysPrune}, $in{u}, $pntf_hidden, $avhide],
        -path    => '/',
        -expires => '+2y'
    );
 
 
 
replace with:
------------
 
    $cookie2 = cookie(
        -name    => "ubber$vars_config{Cookie_Number}",
        -value   => [$user_profile[0], md5_hex(lc($new_password)), $public_name, $in{DaysPrune}, $in{u}, $pntf_hidden, $avhide],
        -path    => '/',
        -expires => '+2y'
    );
 
 
 
 
ultimate.cgi
============
 
find:
----
 
use strict;
use Fcntl ':flock';
use UBBCGI qw(:cgi);	# CGIPath/Modules/UBBCGI.pm
use UBBCGI::Carp qw(fatalsToBrowser set_message);	# CGIPath/Modules/UBBCGI/Carp.pm
 
 
add after:
---------
 
##
#   use MD5
##
 
use Digest::MD5 qw (md5 md5_hex md5_base64);
 
 
 
find:
----
 
    chomp(my $writeadmin  = (&OpenProfile($profile_number))[4]);
    chomp(my $this_un     = (&OpenProfile($profile_number))[0]);
    chomp(my $this_pw     = (&OpenProfile($profile_number))[1]);
 
 
replaye with:
------------
 
    chomp(my $writeadmin  = (&OpenProfile($profile_number))[4]);
    chomp(my $this_un     = (&OpenProfile($profile_number))[0]);
    chomp(my $this_pw     = (&OpenProfile($profile_number))[1]);
    
    $this_pw = md5_hex (lc($this_pw));
 
 
 
find:
----
 
    my $cookie = cookie(
        -name    => "ubber$vars_config{Cookie_Number}",
        -value   => [$this_un, $this_pw, $pubname, $dp, $profile_number, $hidden, $noav],
        -path    => '/',
        -expires => '+2y'
    );
    $username = $in{username};
 
 
replace with:
------------
 
    my $cookie = cookie(
        -name    => "ubber$vars_config{Cookie_Number}",
        -value   => [$this_un, md5_hex(lc($this_pw)), $pubname, $dp, $profile_number, $hidden, $noav],
        -path    => '/',
        -expires => '+2y'
    );
    $username = $in{username};
 
 
 
find:
----
 
        # reconfirm user data- in case profile details were changed
        if ($username ne '') {
            my @this_profile = &verify_id_num_2($username, $password, $user_number);
            chomp($this_profile[1]);
            chomp($this_profile[0]);
            chomp($this_profile[21]);
            chomp($this_profile[15]);
            chomp($this_profile[35]);
            if ($this_profile[15] eq '') { $this_profile[15] = "$this_profile[0]"; }
            $cookie3 = cookie(
                -name    => "ubber$vars_config{Cookie_Number}",
                -value   => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/|/, $this_profile[38]))[2]],
                -path    => '/',
                -expires => '+2y'
            );
        }
 
 
replace with:
------------
 
        # reconfirm user data- in case profile details were changed
        if ($username ne '') {
            my @this_profile = &verify_id_num_2($username, $password, $user_number);
            chomp($this_profile[1]);
            chomp($this_profile[0]);
            chomp($this_profile[21]);
            chomp($this_profile[15]);
            chomp($this_profile[35]);
            if ($this_profile[15] eq '') { $this_profile[15] = "$this_profile[0]"; }
            $cookie3 = cookie(
                -name    => "ubber$vars_config{Cookie_Number}",
                -value   => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/|/, $this_profile[38]))[2]],
                -path    => '/',
                -expires => '+2y'
            );
        }

i tested the code only on my local system...

Was going to test on 6.1.0.4 system but in ubb_lib.cgi your section for "find every:" the code does not exist. Checked your site in your signature and see it is a 5.47e system.

What version was this tested on?

Quote

quote:

Originally posted by 1QuickSI:
What version was this tested on?

i installed on my local system the version 6.3.1

for V6.1.0x:

code:
[qb]

Code

search:
------

    # check password
    if ($lcpw ne "$lc_pw_in") {
        &StandardHTML("$vars_wordlets_err{invalid_password}");
    }
 
 
add before:
----------
 
if (length($lcpw) < 32) {
    $lcpw = md5_hex ($lcpw);
}

[/qb]

I'm getting this error on my 6.3.1 test board...

Can't locate auto/Digest/MD5/md5_hex.al in @INC etc. etc.

I went to CPAN for the latest MD5 module and still no go.

Tnx Joking-down. I think we have to install the perl version of MD5 to run? If so, where and how? If this works i make a statue for you in the hall of fame.

You can't just copy MD5.pm - you need to ask your hosting provider to install the Digest::MD5 module.

Charles, does this look valid to you? Is this something that will help?

Good idea. ezboard actually does it with High Security, as far as I am aware of. Basically, the session cookie has embedded IP and thus can only be used from that IP. All other users are treated as not logged in, even though they have a cookie.

It's not the method that we'll be using when we go MD5, but it looks like a solution, yes.

(The lost password issue has been a major support & confusion problem - generating a new password every time the user forgets is a real, real pain. We will not be encrypting the password on disk, but it will be MD5ed in the cookie. .. and if you're worried about the member files being read, then you seriously need to look at the security on your server.)

I must have been confused, I thought this was only for the cookie. I have my members folder outside of the web folder so it's very secure.

this mod is only for the cookies...

Edit: my host says that they can't do this for me till the next upgrade of Perl. Is there anything I can do to get this working. If Charles is going to be able to get the passwords MD5'd in the cookies in 6.4 then I sure that they won't be making us ask our hosting companys to install modules for us.

There is a pure-Perl MD5 module that we can ship, but this hack isn't made for it.

And your host lies. Horribly. Very badly.

looks like I have some investigating to do. Thanks

Edit: I run perldiver and it shows that I have Digest::MD5 and dynaloader installed. The error I'm getting says that it can't locate in the path auto/Digest/MD5.

How can I tell it to look in Digest/MD5 instead of auto/Digest/MD5?

Large modules are often split up into smaller pieces to make them easier to load. Your host's Digest::MD5 has been autosplit, which is why it's looking in auto/.

This isn't something you can fix... Digest::MD5 has to be compiled on the server.

Thanks Charles, I've passed this info on. Maybe Joking-Down can modify this a bit to accept the pure Perl module you were talking about for 6.4?

when you have no Digest::MD5 you can use the Module Digest::Perl::MD5 instead.

i have a small error in the code:

Code

remove in ultimatebb.cgi the line:
---------------------------------
$this_pw = md5_hex (lc($this_pw));
 
 
 
change all:
----------
use Digest::MD5 qw (md5 md5_hex md5_base64);
 
to:
--
eval {
    require Digest::MD5;
    import  Digest::MD5 'md5_hex';
};
 
if ($@) {
    require Modules::Digest::Perl::MD5;
    import  Modules::Digest::Perl::MD5 'md5_hex';
}