This is not security

Started by joker__, September 16, 2012, 03:26:43 PM


joker__

First post, guys, and I'm going to make some of you hate me.

It is absolutely shameful for a forum that boasts of having (and in fact, in my opinion, has) the best pen-testing distro around to send a registration confirmation email like this:
We confirm your registration
your Username is: joker__
your Password is: pippovainvacanza (obviously, I'm not giving you my real pw ;) )


Is it really possible that you send an unencrypted email with my password in cleartext? I hope at least that when you store it in your database you store a salted hash of it.

In short, a pen-tester, a hacker, or a security enthusiast cannot help but demand security for themselves. Is that asking too much? I don't think so. We have to start practicing security in the small things.
I hope you change this registration process of yours.
If you see me being wrong in what I say, let me know.

That said, I'll compliment you again on this distro, which, given its stability, I also use for developing applications.
joker__
http://piecesofsheets.wordpress.com/ [soon in english]

Stolas

Well, sending the password in clear text when registering isn't really that much of a crime.
Nor is it 'that' dangerous.
But if you want to be a hacker, pentester, whatever, you could always read the source code and find out.

$regOptions['register_vars'] = array(
    'member_name' => $regOptions['username'],
    'email_address' => $regOptions['email'],
    'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
    'password_salt' => substr(md5(mt_rand()), 0, 4),
    'posts' => 0,
    'date_registered' => time(),
    'member_ip' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $user_info['ip'],
    'member_ip2' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $_SERVER['BAN_CHECK_IP'],
    'validation_code' => $validation_code,
    'real_name' => $regOptions['username'],
    'personal_text' => $modSettings['default_personal_text'],
    'pm_email_notify' => 1,
    'id_theme' => 0,
    'id_post_group' => 4,
    'lngfile' => '',
    'buddy_list' => '',
    'pm_ignore_list' => '',
    'message_labels' => '',
    'website_title' => '',
    'website_url' => '',
    'location' => '',
    'icq' => '',
    'aim' => '',
    'yim' => '',
    'msn' => '',
    'time_format' => '',
    'signature' => '',
    'avatar' => '',
    'usertitle' => '',
    'secret_question' => '',
    'secret_answer' => '',
    'additional_groups' => '',
    'ignore_boards' => '',
    'smiley_set' => '',
    'openid_uri' => (!empty($regOptions['openid']) ? $regOptions['openid'] : ''),
);


Note:

'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,


In Subs-Members.php (the members subsystem file of SMF).

-Stolas

ps. I don't speak Italian. Google Does.
Whenever you think you can or can't, you're right.
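As an added example, not code from the forum or from SMF: the snippet quoted above stores sha1(strtolower(username) . password), and the generated 'password_salt' is not mixed into that hash, so the lowercased username is the only per-user input. The Python below (function names and the PBKDF2 work factor are assumptions) reproduces that scheme, contrasts it with a random per-user salt plus a slow KDF, and builds a confirmation mail that carries a one-time validation code instead of the password.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the hardened variant; tune to the server's budget.
PBKDF2_ROUNDS = 200_000


def smf11_hash(username: str, password: str) -> str:
    """SMF 1.1 style as quoted on the page: SHA-1 over lowercased username + password.
    The stored 'password_salt' plays no part, so the same username/password pair
    yields the same digest on every site using this scheme."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def hardened_hash(password: str, salt: bytes = b"") -> tuple:
    """Random 16-byte per-user salt and PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if not salt:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hardened(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    _, candidate = hardened_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def confirmation_mail(username: str, validation_code: str) -> str:
    """Registration mail that carries only the username and a one-time code."""
    return (
        "We confirm your registration\n"
        f"your Username is: {username}\n"
        f"your validation code is: {validation_code}\n"
    )


def register(username: str, password: str) -> dict:
    """Constructed registration record: salted slow hash, random validation code,
    and a mail body that never contains the password."""
    salt, digest = hardened_hash(password)
    validation_code = secrets.token_hex(16)
    return {
        "member_name": username,
        "passwd": digest.hex(),
        "password_salt": salt.hex(),
        "validation_code": validation_code,
        "mail": confirmation_mail(username, validation_code),
    }
```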

weVeg

...and changing your password frequently is a "good thing to do" (even after registration)....
a free voice is always liberating
under_r00t

joker__

Quote from: Stolas on September 16, 2012, 04:57:02 PM
Well, sending the password in clear text when registering isn't really that much of a crime.
Nor is it 'that' dangerous.
I can't agree with this sentence: MITM is not the only possible attack. A more "physical" attack, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information: a forum should not compromise my security idea.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

Quote from: Stolas on September 16, 2012, 04:57:02 PM
But if you want to be a hacker, pentester, whatever, you could always read the source code and find out.

$regOptions['register_vars'] = array(
    'member_name' => $regOptions['username'],
    'email_address' => $regOptions['email'],
    'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
    'password_salt' => substr(md5(mt_rand()), 0, 4),
    'posts' => 0,
    'date_registered' => time(),
    'member_ip' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $user_info['ip'],
    'member_ip2' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $_SERVER['BAN_CHECK_IP'],
    'validation_code' => $validation_code,
    'real_name' => $regOptions['username'],
    'personal_text' => $modSettings['default_personal_text'],
    'pm_email_notify' => 1,
    'id_theme' => 0,
    'id_post_group' => 4,
    'lngfile' => '',
    'buddy_list' => '',
    'pm_ignore_list' => '',
    'message_labels' => '',
    'website_title' => '',
    'website_url' => '',
    'location' => '',
    'icq' => '',
    'aim' => '',
    'yim' => '',
    'msn' => '',
    'time_format' => '',
    'signature' => '',
    'avatar' => '',
    'usertitle' => '',
    'secret_question' => '',
    'secret_answer' => '',
    'additional_groups' => '',
    'ignore_boards' => '',
    'smiley_set' => '',
    'openid_uri' => (!empty($regOptions['openid']) ? $regOptions['openid'] : ''),
);


Note:

'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,


In Subs-Members.php (the members subsystem file of SMF).

Where did you find this code? I thought PHP was supposed to be hidden from users... you never stop learning :)

Quote from: Stolas on September 16, 2012, 04:57:02 PM
ps. I don't speak Italian. Google Does.

You're right. So sorry not to have written in English.

Sincerely
joker__
http://piecesofsheets.wordpress.com/ [soon in english]

Stolas

Quote from: joker__ on September 16, 2012, 05:32:32 PM
I can't agree with this sentence: mitm is not the only possible attack. A more "physical" attack, as reading victim's emails from his computer. And what about a trojan that wants to get informations about the victim? It could easy dump all its emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although i think that, supposing i "know" how to protect my informations: a forum should not compromise my security idea.
Have you ever asked yourself why google, wordpress, nor yahoo services replies your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.
Well, the MITM is unlikely and mostly an 'acceptable' issue. It's not the best way. But as you send your password in cleartext to the server anyway, the MITM on the way back isn't really a serious business case. In theory yes, it's horrible. And yes, I do agree that it shouldn't happen. I am just pointing out that it isn't really that big of an issue.

Quote from: joker__ on September 16, 2012, 05:32:32 PM
Where did you find this code? I thought PHP was supposed to be hidden from users... you never stop learning :)
At the bottom of the page you see:
Quote: Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Reference by, Crip
If you click it you get to this forum's developers' webpage and you can download the source.

BackBox could of course have backdoored this script and removed the hashing before it's saved in the database. But I 'trust' BackBox.
Not with my banking password, but with my BackBox password.

Also, in the same file, read lines 522 ~ 527 and you'll see:
if (!empty($regOptions['check_reserved_name']) && isReservedName($regOptions['username'], 0, false))
{
    if ($regOptions['password'] == 'chocolate cake')
        $reg_errors[] = array('done', 'Sorry, I don\'t take bribes... you\'ll need to come up with a different name.');
    $reg_errors[] = array('done', '(' . htmlspecialchars($regOptions['username']) . ') ' . $txt['name_in_use']);
}


Thought that was a funny share.
Whenever you think you can or can't, you're right.

joker__

Quote from: Stolas on September 16, 2012, 06:08:58 PM
Quote from: joker__ on September 16, 2012, 05:32:32 PM
I can't agree with this sentence: MITM is not the only possible attack. A more "physical" attack, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information: a forum should not compromise my security idea.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.
Well, the MITM is unlikely and mostly an 'acceptable' issue. It's not the best way. But as you send your password in cleartext to the server anyway, the MITM on the way back isn't really a serious business case. In theory yes, it's horrible. And yes, I do agree that it shouldn't happen. I am just pointing out that it isn't really that big of an issue.
Yes, man, you're right in what you said about MITM. But my point of view is that sharing the information "password" by mail is not only futile, but it also enlarges the possible attack surface. I would suggest you this link: http://www.schneier.com/blog/archives/2012/08/yet_another_ris.html It simply shows how a piece of information considered useless by most people could be used by an attacker for malicious purposes.

Quote from: Stolas on September 16, 2012, 06:08:58 PM
Quote from: joker__ on September 16, 2012, 05:32:32 PM
Where did you find this code? I thought PHP was supposed to be hidden from users... you never stop learning :)
At the bottom of the page you see:
Quote: Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Reference by, Crip
If you click it you get to this forum's developers' webpage and you can download the source.

BackBox could of course have backdoored this script and removed the hashing before it's saved in the database. But I 'trust' BackBox.
Not with my banking password, but with my BackBox password.
Thank you! Oh, yes, of course... :)

Quote from: Stolas on September 16, 2012, 06:08:58 PM
Also, in the same file, read lines 522 ~ 527 and you'll see:
if (!empty($regOptions['check_reserved_name']) && isReservedName($regOptions['username'], 0, false))
{
    if ($regOptions['password'] == 'chocolate cake')
        $reg_errors[] = array('done', 'Sorry, I don\'t take bribes... you\'ll need to come up with a different name.');
    $reg_errors[] = array('done', '(' . htmlspecialchars($regOptions['username']) . ') ' . $txt['name_in_use']);
}


Thought that was a funny share.
Lol, this is really funny :) Thanks for sharing

joker__
joker__
http://piecesofsheets.wordpress.com/ [soon in english]

evilsocket

Quote from: joker__ on September 16, 2012, 05:32:32 PM
I can't agree with this sentence: MITM is not the only possible attack. A more "physical" attack, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information: a forum should not compromise my security idea.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

Seriously?! And what if you have a keylogger on your computer and it's logging everything you use to log in to web services? C'mon, we can't be responsible for the security of YOUR email account; if the password restore procedure of this forum is not as you want it to be, then just change your password once you are in your user panel ... I really don't see the point of your post ... really.

joker__

Quote from: evilsocket on September 24, 2012, 01:31:50 AM
Quote from: joker__ on September 16, 2012, 05:32:32 PM
I can't agree with this sentence: MITM is not the only possible attack. A more "physical" attack, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information: a forum should not compromise my security idea.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

Seriously?! And what if you have a keylogger on your computer and it's logging everything you use to log in to web services? C'mon, we can't be responsible for the security of YOUR email account; if the password restore procedure of this forum is not as you want it to be, then just change your password once you are in your user panel ... I really don't see the point of your post ... really.

I thought this post was closed.
By the way, evil, I still don't see the point of sending me the password I chose 5 seconds before, then.
And I can't understand your sarcastic tone.
Anyway, thank you for your answer. My post was intended to be a discussion post. Take it as: "What do you think about sending the user password after registration?". Was my tone bad? So sorry.
After all, evil, I do regard your work very highly, and if you think my idea was wrong I'll keep it in mind. :)
Ciao,

joker
joker__
http://piecesofsheets.wordpress.com/ [soon in english]

evilsocket

My tone wasn't sarcastic, it was realistic ... I REALLY meant we can't be responsible for your accounts except this one on the BB forum.
Personally I find this feature very useful, since I tend to forget my passwords; some of them are stored in my email account ( which obviously has a stronger password than the others ;) ) ... if someone were to hack into my email, trust me, my BB account would be the last thing I would care about :D

In any case, I was a little rough maybe; that's because you put your discussion as "what an awful security flaw you have!!!!", and since:


  • This forum is SMF powered, not our software.
  • What you said is not properly a security flaw, literally speaking, but just a feature ( wow, sounds like Microsoft policy :D )
  • I really can't stand I-know-it-all people ( I know you are not one of those, but you sounded like that )

I was pissed off :D

joker__

Quote from: evilsocket on September 24, 2012, 07:47:18 PM
My tone wasn't sarcastic, it was realistic ... I REALLY meant we can't be responsible for your accounts except this one on the BB forum.
Personally I find this feature very useful, since I tend to forget my passwords; some of them are stored in my email account ( which obviously has a stronger password than the others ;) ) ... if someone were to hack into my email, trust me, my BB account would be the last thing I would care about :D

Lol, I'm sure :) Ok, I'd never save a pw in my mail account, even if protected... but that's ok, in Google we trust.

Quote from: evilsocket on September 24, 2012, 07:47:18 PM
In any case, I was a little rough maybe; that's because you put your discussion as "what an awful security flaw you have!!!!", and since:


  • This forum is SMF powered, not our software.
  • What you said is not properly a security flaw, literally speaking, but just a feature ( wow, sounds like Microsoft policy :D )
  • I really can't stand I-know-it-all people ( I know you are not one of those, but you sounded like that )

I was pissed off :D

Yes, I know. Coming back to my starting post, it was a bit... polemic. It's that I saw a registration procedure like the backbox.com one on an Italian administration site (public administration, you know...)... and I thought it was quite idiotic.
But no, of course, this is not a flaw, and I'm not a 0day man ;)

I may understand your reaction: forums are full of "I-know-it-all people" as you say, I guess.
I'm new to forums, in general... hoping to learn something new. :)
Nice to meet you :)
joker__
http://piecesofsheets.wordpress.com/ [soon in english]

bbcue

yeah it stinks very hard but I'm just too tired and a lot paranoid
(and never trust, never listen to the music, just play it free)