|
hns,
August 27, 2001 at 11:49:50 AM CEST
Some thoughts about security I just realized there are some easily exploited security problems connected to the one user account for multiple sites scheme Antville is using. Just imagine a site owner changing the login form so that its input is sent to another server which he controls. The password sniffing may even go unnoticed if the request is then redirected to the actual antville login. Well, of course the single login for multiple sites is a very cool feature, so here's some crypto to the rescue to make antville a temper-proof application. The basic idea is to send a secure hash algorithm (SHA) implemented in Javascript along with the login form and have it send the secure hash instead of the password itself back to the server. Now of course this is also not secure if the hash is always the same for the same password, since knowing the hash product would suffice to log in. So here's the full scheme: When the server produces the login form, it generates a random string, stores it in the user's session cache and sends it along with the login form. On the client side, the login submit script adds the password the user entered to the random string it got from the server and calculates a secure hash on that combined string and sends it to the server. The server takes the random string it sent , adds the user's actual password from the DB and checks if it gets the same secure hash. If yes the user is logged in. As far as I understand, this should be a pretty secure, since any sniffer had to get both the random string and the password to reproduce the hash product. Anybody eager to implement this for Antville? Shouldn't be too hard, since the SHA algorithm is already available in Javascript (see link above).
StefanL,
August 27, 2001 at 3:38:29 PM CEST
man, henso your thinking machine is running fast these days. i'll look into this. ... comment
kris,
August 27, 2001 at 4:00:56 PM CEST
more possible problems a couple of security issues for manila sites may arise here. i know that manila always does referer checks when objects are created or edited. theoretically, it is possible to build evil websites outside antville and trick a logged-in antville (or manila) user to click on buttons. more important: it should be possible to block certain html tags, javascript and antville macros in responses and stories (not written by the admins). i don't want to explain in public how this can be exploited, but i guess you get an idea. ... comment
michi,
August 27, 2001 at 4:53:03 PM CEST
i don't get it so, encryption on the client-side is done by using this JavaScript-function, right? but the admin of a weblog is still able to modify every single piece of HTML which is sent to the client, so how do we prevent him from disabling this? another (minor) issue would be that users with javascript disabled wouldn't be able to login in anymore (not that i know anybody, but i'm just thinking). or did i get sthg. wrong?
hns,
August 27, 2001 at 6:41:42 PM CEST
Well you're right. it ain't gonna prevent that kind of hack. ... comment
tobi,
August 28, 2001 at 3:33:43 PM CEST
speaking of security isn't it also problematic that helma does not make any distinction between requests sent via "post" or "get" method? it's much simpler to code, that's for sure.
hns,
August 28, 2001 at 3:38:10 PM CEST
why would that be a security problem? A post request is just as easy to generate as a get request, except if the only tool you have is a web browser. So if you think you're "hiding" something by enforcing post you're basically kidding yourself.
tobi,
August 28, 2001 at 4:14:40 PM CEST
here you go kiddie think about a badly-designed web-bot that out of any reason has indexed a url like pool.helma.at.
hns,
August 28, 2001 at 4:52:15 PM CEST
OK, you're right (Although it's definitely not the fault of the web bot!) What we should do here is introduce methods in the req object: req.isPost() and req.isGet(). Other environments invoke different target methods depending on the request method (such as doPost() and doGet()), but I guess that's not an option with our model, where the action is part of the URL.
tobi,
August 28, 2001 at 4:55:48 PM CEST
ibot is tobi reversed please forgive my unjust disrespect for the bot. you're certainly right, too. and you have a very nice solution to solve the issue as well. ... comment
|
|
The Antville Server Fund has been a great success. Thanks to everybody who contributed!
online for 8551 Days
last updated: 1/4/11, 10:22 AM  Youre not logged in ... Login
 ... home
... topics ... galleries ... Home
... Tags
... Galleries
... about antville ... download ... macros.antville.org ... help.antville.org ... translate antville! ... antville home
i understand your concerns however,
i hardly can think of a solution. certainly, if the...
by tobi (7/29/03, 9:47 AM)
Found several more similar sites
listed This is getting to be quite a concern to...
by cobalt123 (7/27/03, 7:56 PM)
Second Post Alert on Referrer
bug livecatz I put this into "help" and now here:...
by cobalt123 (7/26/03, 7:14 PM)
well it's not easy to
find from here, anyway. think we should include a link,...
by tobi (7/24/03, 11:25 AM)
clock not that it's particularly
earthshattering but the antclock is running slow by about 15...
by kohlehydrat (7/23/03, 8:25 PM)
How to log skin names
I accessed to console?? Hi, I would like to know...
by winson (7/23/03, 4:12 PM)
  powered by  |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||