Author Topic: This is not security  (Read 81771 times)
joker__
Newbie
Posts: 13
« on: September 16, 2012, 02:26:43 PM »

First post, guys, and I'm going to make some of you hate me.

It is absolutely shameful for a forum that boasts of having (and, in my opinion, actually has) the best pen-testing distro around to send a registration confirmation email like this:
We confirm your registration
your Username is: joker__
your Password is: pippovainvacanza (obviously I'm not giving you my real password ;) )


Is it really possible that you send an unencrypted email with my password in the clear? I hope that at least when you save it in your database you store a salted hash.

In short, a pen-tester, a hacker, or a security enthusiast cannot fail to demand security for themselves. Is that too much to ask? I don't think so. We have to start practising security in the small things.
I hope you change this registration process of yours.
If you see me being wrong in what I say, point it out to me.

That said, I once again compliment you on this distro, which, given its stability, I also use to develop applications.
« Last Edit: February 02, 2013, 06:37:04 PM by raffaele »

joker__
http://piecesofsheets.wordpress.com/ [soon in english]
Stolas
Newbie
Posts: 45
« Reply #1 on: September 16, 2012, 03:57:02 PM »

Well, sending the password in clear text when registering isn't really that much of a crime.
Nor is it 'that' dangerous.
But, if you want to be a hacker, pentester whatever. You could always read the source code and find out.
Code:
$regOptions['register_vars'] = array(
'member_name' => $regOptions['username'],
'email_address' => $regOptions['email'],
'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,
'posts' => 0,
'date_registered' => time(),
'member_ip' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $user_info['ip'],
'member_ip2' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $_SERVER['BAN_CHECK_IP'],
'validation_code' => $validation_code,
'real_name' => $regOptions['username'],
'personal_text' => $modSettings['default_personal_text'],
'pm_email_notify' => 1,
'id_theme' => 0,
'id_post_group' => 4,
'lngfile' => '',
'buddy_list' => '',
'pm_ignore_list' => '',
'message_labels' => '',
'website_title' => '',
'website_url' => '',
'location' => '',
'icq' => '',
'aim' => '',
'yim' => '',
'msn' => '',
'time_format' => '',
'signature' => '',
'avatar' => '',
'usertitle' => '',
'secret_question' => '',
'secret_answer' => '',
'additional_groups' => '',
'ignore_boards' => '',
'smiley_set' => '',
'openid_uri' => (!empty($regOptions['openid']) ? $regOptions['openid'] : ''),
);

Note:
Code:

'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,

In SubMembers.php

 -Stolas

ps. I don't speak Italian. Google Does.

Whenever you think you can or can't, you're right.
weVeg
Hero Member
Posts: 737
« Reply #2 on: September 16, 2012, 04:12:05 PM »

...and changing your password frequently is a "good thing to do" (even after registration)....

a free voice is always liberating
under_r00t
joker__
Newbie
Posts: 13
« Reply #3 on: September 16, 2012, 04:32:32 PM »

Quote from: Stolas
Well, sending the password in clear text when registering isn't really that much of a crime.
Nor is it 'that' dangerous.
I can't agree with this sentence: MITM is not the only possible attack. There are more "physical" attacks, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same password for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information, a forum should not compromise my idea of security.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? OMG, it would be so simple to change this registration method and avoid this flaw.

Quote from: Stolas
But, if you want to be a hacker, pentester whatever. You could always read the source code and find out.
Code:
$regOptions['register_vars'] = array(
'member_name' => $regOptions['username'],
'email_address' => $regOptions['email'],
'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,
'posts' => 0,
'date_registered' => time(),
'member_ip' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $user_info['ip'],
'member_ip2' => $regOptions['interface'] == 'admin' ? '127.0.0.1' : $_SERVER['BAN_CHECK_IP'],
'validation_code' => $validation_code,
'real_name' => $regOptions['username'],
'personal_text' => $modSettings['default_personal_text'],
'pm_email_notify' => 1,
'id_theme' => 0,
'id_post_group' => 4,
'lngfile' => '',
'buddy_list' => '',
'pm_ignore_list' => '',
'message_labels' => '',
'website_title' => '',
'website_url' => '',
'location' => '',
'icq' => '',
'aim' => '',
'yim' => '',
'msn' => '',
'time_format' => '',
'signature' => '',
'avatar' => '',
'usertitle' => '',
'secret_question' => '',
'secret_answer' => '',
'additional_groups' => '',
'ignore_boards' => '',
'smiley_set' => '',
'openid_uri' => (!empty($regOptions['openid']) ? $regOptions['openid'] : ''),
);

Note:
Code:

'passwd' => sha1(strtolower($regOptions['username']) . $regOptions['password']),
'password_salt' => substr(md5(mt_rand()), 0, 4) ,

In SubMembers.php

Where did you find this code? I thought php was supposed to be hidden to users...you never stop learning:)

Quote from: Stolas
ps. I don't speak Italian. Google Does.

You're right. So sorry not to have written in English.

Sincerely

joker__
http://piecesofsheets.wordpress.com/ [soon in english]
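The storage scheme Stolas quotes from SubMembers.php and the confirmation mail joker__ objects to, as an added example in Python (not SMF's or BackBox's code): the legacy digest reproduced as written, a salted PBKDF2 store with constant-time verification beside it, and a confirmation mail built around a one-time validation code instead of the password. The iteration count, the 16-byte salt and the code format are assumptions of mine.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # my choice; current OWASP guidance for PBKDF2-HMAC-SHA256


def smf_legacy_hash(username: str, password: str) -> str:
    """Reproduce sha1(strtolower($username) . $password) from the quoted SubMembers.php.

    The lowercased username is the only per-user input to the digest (the 4-char
    'password_salt' shown above is not part of it), and SHA-1 is fast, so a leaked
    table can be brute-forced offline at high speed.
    """
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt=None) -> str:
    """Salted, deliberately slow hash; salt and iteration count are stored with
    the digest so the cost can be raised later without forcing a reset."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def registration_notice(username: str) -> tuple:
    """Build the confirmation mail without the password: username plus a
    single-use validation code (SMF itself has a 'validation_code' field above).
    Returns (code_to_store_server_side, mail_body)."""
    code = secrets.token_urlsafe(16)
    body = (
        "We confirm your registration\n"
        f"Your username is: {username}\n"
        f"Activate your account with this one-time code: {code}\n"
    )
    return code, body


if __name__ == "__main__":
    print(smf_legacy_hash("joker__", "constructed-sample-password"))
    stored = pbkdf2_hash("constructed-sample-password")
    print(stored, pbkdf2_verify("constructed-sample-password", stored))
    print(registration_notice("joker__")[1])
```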
Stolas
Newbie
Posts: 45
« Reply #4 on: September 16, 2012, 05:08:58 PM »

Quote from: joker__
I can't agree with this sentence: MITM is not the only possible attack. There are more "physical" attacks, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same password for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information, a forum should not compromise my idea of security.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? OMG, it would be so simple to change this registration method and avoid this flaw.
Well, the MITM is unlikely and mostly an 'acceptable' issue. It's not the best way. But since you send your password in cleartext to the server anyway, the MITM on the way back isn't really a serious business case. In theory yes, it's horrible. And yes I do agree that it shouldn't happen. I am just pointing out that it isn't really that big of an issue.

Quote from: joker__
Where did you find this code? I thought php was supposed to be hidden to users...you never stop learning:)
At the bottom of the page you see:
Quote
Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Reference by, Crip
If you click it you get to this forums developers webpage and you can download the source.

Backbox can of course have backdoored this script and removed the hashing before it's saved in the database. But I 'Trust' backbox.
Not with my Banking password, but with my BackBox password.

also, in the same file, read line 522 ~ 527 and you'll see:
Code:
if (!empty($regOptions['check_reserved_name']) && isReservedName($regOptions['username'], 0, false))
{
if ($regOptions['password'] == 'chocolate cake')
$reg_errors[] = array('done', 'Sorry, I don\'t take bribes... you\'ll need to come up with a different name.');
$reg_errors[] = array('done', '(' . htmlspecialchars($regOptions['username']) . ') ' . $txt['name_in_use']);
}

Thought that was a funny share.

Whenever you think you can or can't, you're right.
joker__
Newbie
Posts: 13
« Reply #5 on: September 16, 2012, 06:33:32 PM »

Quote from: joker__
I can't agree with this sentence: MITM is not the only possible attack. There are more "physical" attacks, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same password for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information, a forum should not compromise my idea of security.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? OMG, it would be so simple to change this registration method and avoid this flaw.
Quote from: Stolas
Well, the MITM is unlikely and mostly an 'acceptable' issue. It's not the best way. But since you send your password in cleartext to the server anyway, the MITM on the way back isn't really a serious business case. In theory yes, it's horrible. And yes I do agree that it shouldn't happen. I am just pointing out that it isn't really that big of an issue.
Yes, man, you're right in what you said about MITM. But my point of view is that sharing the "password" information by mail is not only futile, it also enlarges the possible attack surface. I would suggest this link: http://www.schneier.com/blog/archives/2012/08/yet_another_ris.html It simply shows how a piece of information considered useless by most people could be used by an attacker for malicious purposes.

Quote from: joker__
Where did you find this code? I thought php was supposed to be hidden to users...you never stop learning:)
Quote from: Stolas
At the bottom of the page you see:
Quote
Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Reference by, Crip
If you click it you get to this forums developers webpage and you can download the source.

Backbox can of course have backdoored this script and removed the hashing before it's saved in the database. But I 'Trust' backbox.
Not with my Banking password, but with my BackBox password.
Thank you! Oh, yes, of course... :)

Quote from: Stolas
also, in the same file, read line 522 ~ 527 and you'll see:
Code:
if (!empty($regOptions['check_reserved_name']) && isReservedName($regOptions['username'], 0, false))
{
if ($regOptions['password'] == 'chocolate cake')
$reg_errors[] = array('done', 'Sorry, I don\'t take bribes... you\'ll need to come up with a different name.');
$reg_errors[] = array('done', '(' . htmlspecialchars($regOptions['username']) . ') ' . $txt['name_in_use']);
}

Thought that was a funny share.
Lol, this is really funny:) Thanks for sharing

joker__

joker__
http://piecesofsheets.wordpress.com/ [soon in english]
evilsocket
Full Member
Posts: 177
« Reply #6 on: September 24, 2012, 12:31:50 AM »

Quote from: joker__
I can't agree with this sentence: MITM is not the only possible attack. There are more "physical" attacks, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same password for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information, a forum should not compromise my idea of security.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? OMG, it would be so simple to change this registration method and avoid this flaw.

Seriously ?! And what if you have a keylogger on your computer and it's logging everything you are using to login onto web services ? C'mon, we can't be responsible for the security of YOUR email account, if the password restore procedure of this forum is not as you want it to be, then just change your password once you are in your user panel ... i really don't see the point of your post ... really.

joker__
Newbie
Posts: 13
« Reply #7 on: September 24, 2012, 06:39:23 PM »

Quote from: joker__
I can't agree with this sentence: MITM is not the only possible attack. There are more "physical" attacks, such as reading the victim's emails from his computer. And what about a trojan that wants to get information about the victim? It could easily dump all his emails.
And what if the victim is using the same password for more accounts? Ok, this is another point of view: the victim is just stupid.
Although I think that, supposing I "know" how to protect my information, a forum should not compromise my idea of security.
Have you ever asked yourself why neither Google, WordPress nor Yahoo services reply to your registration with your password in cleartext? OMG, it would be so simple to change this registration method and avoid this flaw.

Quote from: evilsocket
Seriously ?! And what if you have a keylogger on your computer and it's logging everything you are using to login onto web services ? C'mon, we can't be responsible for the security of YOUR email account, if the password restore procedure of this forum is not as you want it to be, then just change your password once you are in your user panel ... i really don't see the point of your post ... really.

I thought this post was closed.
By the way, evil, I still don't see the point of sending me the password I chose 5 seconds before, then.
And I can't understand your sarcastic tone.
Anyway thank you for your answer. My post was intended to be a discussion post. Take it as: "What do you think about sending the user password, after registration?". Was my tone bad? So sorry.
After all, evil, i do regard your works very highly, and if you think my idea was wrong i'll keep it in mind. :)
Ciao,

joker

joker__
http://piecesofsheets.wordpress.com/ [soon in english]
evilsocket
Full Member
Posts: 177
« Reply #8 on: September 24, 2012, 06:47:18 PM »

My tone wasn't sarcastic, it was realistic ... I REALLY meant we can't be responsible for your accounts except this one on the BB forum.
Personally I find this feature very useful, since I tend to forget my passwords, some of them are stored in my email account ( which obviously has a stronger password than the others ;) ) ... if someone would hack into my email, trust me, my bb account would be the last thing I would care about :D

In any case, I was a little rough maybe, that's because you put your discussion as "what an awful security flaw you have!!!!", and since:

  • This forum is SMF powered, not our software.
  • What you said is not properly a security flaw, literally speaking, but just a feature ( wow sounds like microsoft policy :D )
  • I really can't stand i-know-it-all people ( I know you are not one of those, but you sounded like that )

I was pissed off :D

joker__
Newbie
Posts: 13
« Reply #9 on: September 24, 2012, 07:48:10 PM »

Quote from: evilsocket
My tone wasn't sarcastic, it was realistic ... I REALLY meant we can't be responsible for your accounts except this one on the BB forum.
Personally I find this feature very useful, since I tend to forget my passwords, some of them are stored in my email account ( which obviously has a stronger password than the others ;) ) ... if someone would hack into my email, trust me, my bb account would be the last thing I would care about :D

Lol, I'm sure :) Ok, I'd never save a password on my mail account, even if protected... but that's ok, in Google we trust.

Quote from: evilsocket
In any case, I was a little rough maybe, that's because you put your discussion as "what an awful security flaw you have!!!!", and since:

  • This forum is SMF powered, not our software.
  • What you said is not properly a security flaw, literally speaking, but just a feature ( wow sounds like microsoft policy :D )
  • I really can't stand i-know-it-all people ( I know you are not one of those, but you sounded like that )

I was pissed off :D

Yes, I know. Coming back to my starting post, it was a bit... polemic. It's that I saw a registration procedure like the backbox.com one on an Italian administration site (public administration, you know...) and I thought it was quite idiotic.
But no, of course, this is not a flaw, and I'm not a 0day man ;)

I may understand your reaction: forums are full of "i-know-it-all people", as you say, I guess.
I'm new to forums in general... hoping to learn something new. :)
Nice to meet you :)

joker__
http://piecesofsheets.wordpress.com/ [soon in english]
evilsocket
Full Member
Posts: 177
« Reply #10 on: September 24, 2012, 07:49:23 PM »

sounds better, peace :)

joker__
Newbie
Posts: 13
« Reply #11 on: September 24, 2012, 08:43:57 PM »

peace^^

joker__
http://piecesofsheets.wordpress.com/ [soon in english]
bbcue
Newbie
Posts: 4
« Reply #12 on: January 28, 2013, 02:28:43 AM »

yeah it stinks very hard but i'm just too tired and paranoid a lot

(and never trust, never listen the music, just play it free)