Questa non è sicurezza

[joker__]

Primo post, ragazzi, e mi farò odiare da qualcuno.

E' assolutamente vergognoso per un forum che vanta di avere (e in effetti, a mio avviso, ha) la migliore distro di pen-testing in circolazione, inviare un'email di conferma registrazione di questo tipo:
Confermiamo la registrazione
il suo Username è: joker__
la sua Password è: pippovainvacanza (ovvio, la mia pw non ve la do;) )

E' davvero possibile che spediate un'email non cifrata con la mia password in chiaro? Spero quantomento che quando la salvate nel vostro database ne salviate un hash con salt.

Insomma, un pen-tester, un hacker, o un appassionato di sicurezza non può non esigere la sicurezza per sé. E' chiedere troppo? Io non credo. Dobbiamo iniziare a sperimentare la sicurezza nelle piccole cose.
Mi auguro che cambiate questo vostro processo di registrazione.
Se mi vedete in errore in quello che dico, fatemelo notare.

Detto ciò torno a complimentarmi per questa distro, che data la stabilità uso anche per sviluppare applicazioni.

[Stolas]

Well, sending the password in clear text when registering isn't really that much of a crime.
Nor is it 'that' dangerous.
But, if you want to be a hacker, pentester whatever. You could always read the source code and find out.

Code: [Select]

$regOptions['register_vars'] = array(
'member_name' => $regOptions['username'],
'email_address' => $regOptions['email'],
'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,
'posts' => 0,
'date_registered' => time(),
'member_ip' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $user_info['ip'],
'member_ip2' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $_SERVER['BAN_CHECK_IP'],
'validation_code' => $validation_code,
'real_name' => $regOptions['username'],
'personal_text' => $modSettings['default_personal_text'],
'pm_email_notify' => 1,
'id_theme' => 0,
'id_post_group' => 4,
'lngfile' => '',
'buddy_list' => '',
'pm_ignore_list' => '',
'message_labels' => '',
'website_title' => '',
'website_url' => '',
'location' => '',
'icq' => '',
'aim' => '',
'yim' => '',
'msn' => '',
'time_format' => '',
'signature' => '',
'avatar' => '',
'usertitle' => '',
'secret_question' => '',
'secret_answer' => '',
'additional_groups' => '',
'ignore_boards' => '',
'smiley_set' => '',
'openid_uri' => (!empty($regOptions['openid']) ? $regOptions['openid'] : ''),
);

Note:

Code: [Select]


'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,
In SubMembers.php

 -Stolas

ps. I don't speak Italian. Google Does.

[weVeg]

...and change frequently password is a "good thing to do" (even after registration)....

[joker__]

Well, sending the password in clear text when registering isn't really that much of a crime.
Nor is it 'that' dangerous.

I can't agree with this sentence: mitm is not the only possible attack. A more "physical" attack, as reading victim's emails from his computer. And what about a trojan that wants to get informations about the victim? It could easy dump all its emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although i think that, supposing i "know" how to protect my informations: a forum should not compromise my security idea.
Have you ever asked yourself why google, wordpress, nor yahoo services replies your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

But, if you want to be a hacker, pentester whatever. You could always read the source code and find out.

Code: [Select]

$regOptions['register_vars'] = array(
'member_name' => $regOptions['username'],
'email_address' => $regOptions['email'],
'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,
'posts' => 0,
'date_registered' => time(),
'member_ip' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $user_info['ip'],
'member_ip2' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $_SERVER['BAN_CHECK_IP'],
'validation_code' => $validation_code,
'real_name' => $regOptions['username'],
'personal_text' => $modSettings['default_personal_text'],
'pm_email_notify' => 1,
'id_theme' => 0,
'id_post_group' => 4,
'lngfile' => '',
'buddy_list' => '',
'pm_ignore_list' => '',
'message_labels' => '',
'website_title' => '',
'website_url' => '',
'location' => '',
'icq' => '',
'aim' => '',
'yim' => '',
'msn' => '',
'time_format' => '',
'signature' => '',
'avatar' => '',
'usertitle' => '',
'secret_question' => '',
'secret_answer' => '',
'additional_groups' => '',
'ignore_boards' => '',
'smiley_set' => '',
'openid_uri' => (!empty($regOptions['openid']) ? $regOptions['openid'] : ''),
);

Note:

Code: [Select]


'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,
In SubMembers.php

Where did you find this code? I thought php was supposed to be hidden to users...you never stop learning:)

ps. I don't speak Italian. Google Does.

You're right. So sorry not to have written in English.

Sincerely

[Stolas]

I can't agree with this sentence: mitm is not the only possible attack. A more "physical" attack, as reading victim's emails from his computer. And what about a trojan that wants to get informations about the victim? It could easy dump all its emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although i think that, supposing i "know" how to protect my informations: a forum should not compromise my security idea.
Have you ever asked yourself why google, wordpress, nor yahoo services replies your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

Well, the MITM is unlikely and mostly an 'acceptable' issue. It's not the best way. But as you send your password in cleartext to the server anyway. the MITM on the way back isn't really a serious business case. In theory yes, it's horrible. And yes I do agree that it shouldn't happen. I am just pointing out, that it isn't really that big of an issue.

Where did you find this code? I thought php was supposed to be hidden to users...you never stop learning:)

At the bottom of the page you see:

Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Reference by, Crip

If you click it you get to this forums developers webpage and you can download the source.

Backbox can ofcourse have Backdoor'd this script. And removed the hashing before it's saved in the database. But I 'Trust' backbox.
Not with my Banking password, but with my BackBox password.

also, in the same file, read line 522 ~ 527 and you'll see:

Code: [Select]

if (!empty($regOptions['check_reserved_name']) && isReservedName($regOptions['username'], 0, false))
{
if ($regOptions['password'] == 'chocolate cake')
$reg_errors[] = array('done', 'Sorry, I don\'t take bribes... you\'ll need to come up with a different name.');
$reg_errors[] = array('done', '(' . htmlspecialchars($regOptions['username']) . ') ' . $txt['name_in_use']);
}
Thought that was a funny share.

[joker__]

I can't agree with this sentence: mitm is not the only possible attack. A more "physical" attack, as reading victim's emails from his computer. And what about a trojan that wants to get informations about the victim? It could easy dump all its emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although i think that, supposing i "know" how to protect my informations: a forum should not compromise my security idea.
Have you ever asked yourself why google, wordpress, nor yahoo services replies your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

Well, the MITM is unlikely and mostly an 'acceptable' issue. It's not the best way. But as you send your password in cleartext to the server anyway. the MITM on the way back isn't really a serious business case. In theory yes, it's horrible. And yes I do agree that it shouldn't happen. I am just pointing out, that it isn't really that big of an issue.

Yes, man, you're right in what you said about mitm. But my point of view is that sharing the information "password" by mail is not even futile, but it also enlarge the possible attack surface. I would suggest you this link: http://www.schneier.com/blog/archives/2012/08/yet_another_ris.html It simply shows how an information considered useless at the most of the people, could be used by an attacker for malicious scopes.

Where did you find this code? I thought php was supposed to be hidden to users...you never stop learning:)

At the bottom of the page you see:

Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Reference by, Crip

If you click it you get to this forums developers webpage and you can download the source.

Backbox can ofcourse have Backdoor'd this script. And removed the hashing before it's saved in the database. But I 'Trust' backbox.
Not with my Banking password, but with my BackBox password.

Thank you! Oh, yes, of course...

also, in the same file, read line 522 ~ 527 and you'll see:

Code: [Select]

if (!empty($regOptions['check_reserved_name']) && isReservedName($regOptions['username'], 0, false))
{
if ($regOptions['password'] == 'chocolate cake')
$reg_errors[] = array('done', 'Sorry, I don\'t take bribes... you\'ll need to come up with a different name.');
$reg_errors[] = array('done', '(' . htmlspecialchars($regOptions['username']) . ') ' . $txt['name_in_use']);
}
Thought that was a funny share.

Lol, this is really funny:) Thanks for sharing

joker__

[evilsocket]

I can't agree with this sentence: mitm is not the only possible attack. A more "physical" attack, as reading victim's emails from his computer. And what about a trojan that wants to get informations about the victim? It could easy dump all its emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although i think that, supposing i "know" how to protect my informations: a forum should not compromise my security idea.
Have you ever asked yourself why google, wordpress, nor yahoo services replies your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

Seriously ?! And what if you have a keylogger on your computer and it's logging everything you are using to login onto web services ? C'mon, we can't be responsible for the security of YOUR email account, if the password restore procedure of this forum is not as you want it to be, then just change your password once you are in your user panel ... i really don't see the point of your post ... really.

[joker__]

I can't agree with this sentence: mitm is not the only possible attack. A more "physical" attack, as reading victim's emails from his computer. And what about a trojan that wants to get informations about the victim? It could easy dump all its emails.
And what if the victim is using the same pw for more accounts? Ok, this is another point of view: the victim is just stupid.
Although i think that, supposing i "know" how to protect my informations: a forum should not compromise my security idea.
Have you ever asked yourself why google, wordpress, nor yahoo services replies your registration with your password in cleartext? omg, it would be so simple changing this registration method, avoiding this flaw.

Seriously ?! And what if you have a keylogger on your computer and it's logging everything you are using to login onto web services ? C'mon, we can't be responsible for the security of YOUR email account, if the password restore procedure of this forum is not as you want it to be, then just change your password once you are in your user panel ... i really don't see the point of your post ... really.

I thought this post was closed.
By the way, evil, I still don't see the point of sending me the password I chose 5 seconds before, then.
And I can't understand your sarcastic tone.
Anyway thank you for your answer. My post was intended to be a discussion post. Take it as: "What do you think about sending the user password, after registration?". Was my tone bad? So sorry.
After all, evil, i do regard your works very highly, and if you think my idea was wrong i'll keep it in mind.
Ciao,

joker

[evilsocket]

My tone wasn't sarcastic, it was realistic ... i REALLY meant we can't be responsible for your accounts except this one on BB forum.
Personally i find this feature very useful, since i tend to forget my passwords, some of them are stored in my email account ( which obviously has a stronger password than the others ) ... if someone would hack into my email, trust me, my bb account would be the last thing i would care of

In any case, i was a little rough maybe, that's because you put your discussion as "what an awful security flaw you have!!!!", and since:

• This forum is SMF powered, not our software.
• What you said is not properly a security flaw, literally speaking, but just a feature ( wow sounds like microsoft policy )
• I really can't stand i-know-it-all people ( i know you are not one of those, but you sounded like that )

i was pissed of

[joker__]

My tone wasn't sarcastic, it was realistic ... i REALLY meant we can't be responsible for your accounts except this one on BB forum.
Personally i find this feature very useful, since i tend to forget my passwords, some of them are stored in my email account ( which obviously has a stronger password than the others ) ... if someone would hack into my email, trust me, my bb account would be the last thing i would care of

Lol, i'm sure:) Ok, i'd never save a pw on my mail account, even if protected...but that's ok, in google we trust.

In any case, i was a little rough maybe, that's because you put your discussion as "what an awful security flaw you have!!!!", and since:

• This forum is SMF powered, not our software.
• What you said is not properly a security flaw, literally speaking, but just a feature ( wow sounds like microsoft policy )
• I really can't stand i-know-it-all people ( i know you are not one of those, but you sounded like that )

i was pissed of

Yes, I know. Coming back to my starting post it was a bit...polemic. Is that I saw a registration procedure like the backbox.com one on an italian administration site (public administration, you know...)...and I thought it was quite idiot.
But no, of course, this is not a flaw, and i'm not a 0day man;)

I may understand your reaction: forums are full of "i-know-it-all people" as you say, i guess.
I'm new to forums, in general...hoping to learn something new.
Nice to meet you:)

[evilsocket]

sounds better, peace

[joker__]

peace^^

[bbcue]

yeah it stincks very hard but i'm just too tired and paranoiac a lot

[Oksi]

Hey guys, I have just finished reading over my custom research paper. You didn't miss a beat. Every single thing I asked for is right there. Thank you so much. It looks great. (helpful site)