26

Re: Security of Pun's authentification

guys! we are talking about moving the authorization method from cookie to sessions! It's MUCH more secure to store data at the server than at the client; any malicious hacker can get PunBB authorization data from the cookie with JavaScript (of course, if the browser allows it, and most of them do by default)

27

Re: Security of Pun's authentification

XuMiX bingo! smile

Re: Security of Pun's authentification

XuMiX: Anyone can get PunBB authorization data from cookie with JavaScript? Show me. That can only happen if PunBB has an XSS vulnerability.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

29

Re: Security of Pun's authentification

XuMiX wrote:

guys! we are talking about moving the authorization method from cookie to sessions! It's MUCH more secure to store data at the server than at the client; any malicious hacker can get PunBB authorization data from the cookie with JavaScript (of course, if the browser allows it, and most of them do by default)

I hardly know a thing about sessions, but it just seems weird that hardly any other forum packages use them...

30

Re: Security of Pun's authentification

lol, phpBB and IPB use them at least

31 (edited by Andy 2005-04-07 11:13)

Re: Security of Pun's authentification

XuMiX wrote:

lol, phpBB and IPB use them at least

But they still use cookies as well for the authentication system...

32

Re: Security of Pun's authentification

yes, but not to store the user's data

33

Re: Security of Pun's authentification

OK, my bad.

Re: Security of Pun's authentification

The fact remains. If PunBB has a security weak spot, it is not in its authentication system.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

35

Re: Security of Pun's authentification

OK, I'll try to break it soon smile

36 (edited by Orpheus 2005-04-07 14:50)

Re: Security of Pun's authentification

You're right when you say that sessions would be stronger overall. The password (in MD5) will then no longer be present in your cookies. But it's still vulnerable.

Still, someone could steal your cookie by an XSS attack and use your session for the remaining time.

A somewhat bigger security issue is the way you can change your password in profile.php.

Last week I logged into my forum as admin at my brother's PC. After a short break I came back online at a different PC and noticed that I could no longer log in as admin, and that my password was changed. Just before I wanted to change it directly in MySQL, my brother said he had changed the pass for fun.

So really nothing to worry about.

The moral of this story is that PunBB should ask for your old password when changing to a new password.

I'm sorry if this is already done, because at that time I was running PunBB 1.2.

Whoops, just noticed that it has already been fixed.

Re: Security of Pun's authentification

Orpheus wrote:

The moral of this story is that PunBB should ask for your old password when changing to a new password.

It does. Not for administrators though.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Security of Pun's authentification

The real moral of the story is: don't let your brother on your PC tongue

Re: Security of Pun's authentification

Well Connorhd, you're right, you can't even trust your own family. smile But it would still be nice if PunBB 1.3 would ask for your old password too if you're an admin.

40

Re: Security of Pun's authentification

So we decided to try the session method of storing personal data.
Soon, I think, we'll tell you about the results. wink

Re: Security of Pun's authentification

but surely you still need to use a cookie for when the session expires?

Re: Security of Pun's authentification

Orpheus wrote:

Well Connorhd, you're right, you can't even trust your own family. smile But it would still be nice if PunBB 1.3 would ask for your old password too if you're an admin.

Admins changing the password of others don't know the original pass wink

43 (edited by buzzkill 2005-04-08 16:04)

Re: Security of Pun's authentification

Smartys wrote:
Orpheus wrote:

Well Connorhd, you're right, you can't even trust your own family. smile But it would still be nice if PunBB 1.3 would ask for your old password too if you're an admin.

Admins changing the password of others don't know the original pass wink

I think he is referring to when an admin changes his/her password in the admin. It does not ask for the current password.

Rickard wrote:

It does. Not for administrators though.

44 (edited by spec 2005-04-08 16:11)

Re: Security of Pun's authentification

Connorhd wrote:

but surely you still need to use a cookie for when the session expires?

Why? Is it an affirmation or a question? smile

Re: Security of Pun's authentification

Sort of a question. Anyway, my logic is: how will PunBB know if you're logged in when you come back without a cookie?

Re: Security of Pun's authentification

SSL/https ...

Re: Security of Pun's authentification

sorry but wtf?

Re: Security of Pun's authentification

If you want secure authentication, then you should make sure the data transferred is encoded in some way, preferably all data you send ... MD5:ing a password on the client side feels no more secure than plain text IMHO (if they try to brute-force by using common words, they just MD5 as well; if they're sniffing traffic, they get the same information) ... if the MD5 on the client side is supposed to work, one would need a unique extra MD5 baked into it (preferably unique per user & forum) ... but as long as it's HTTP, network sniffers will still get all the info they need...

I would never use HTTP for things I want secure... there's a reason banks etc. use SSL/S-HTTP etc...
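The "unique extra MD5 baked into it" in the post above is a server-issued, single-use nonce. The following is an added example in PHP, not PunBB's code; it assumes the server stores md5($password) as the post implies, the client-side JavaScript (not shown) computes the same formula, and the account and nonce store are constructed in memory for the demonstration. Its point is the one the post makes: a nonce stops a sniffed login response from being replayed, while a bare client-side MD5 is just a second password, and the nonce does nothing for whatever travels over HTTP after the login.

```php
<?php
// Added example (not PunBB code): nonce-based challenge-response on top of a stored MD5.
// Assumption: the server keeps md5($password) per user, as PunBB 1.2 did.
declare(strict_types=1);

// Constructed sample account.
$storedMd5 = md5('hunter2');

// Server issues a fresh, single-use nonce with each login form.
function issueNonce(array &$outstanding): string
{
    $nonce = bin2hex(random_bytes(16));
    $outstanding[$nonce] = time() + 300;   // valid for five minutes, usable once
    return $nonce;
}

// Client side of the exchange: sends neither the password nor its bare hash.
function clientResponse(string $nonce, string $password): string
{
    return md5($nonce . ':' . md5($password));
}

// Server verifies and consumes the nonce, so a captured response cannot be replayed.
function verify(array &$outstanding, string $storedMd5, string $nonce, string $response): bool
{
    if (!isset($outstanding[$nonce]) || $outstanding[$nonce] < time()) {
        return false;                      // unknown, already spent, or expired nonce
    }
    unset($outstanding[$nonce]);
    return hash_equals(md5($nonce . ':' . $storedMd5), $response);
}

$outstanding = [];

// Genuine login.
$n1 = issueNonce($outstanding);
$r1 = clientResponse($n1, 'hunter2');
echo verify($outstanding, $storedMd5, $n1, $r1) ? "login ok\n" : "login failed\n";

// Someone who sniffed ($n1, $r1) on plain HTTP replays it: the nonce is already spent.
echo verify($outstanding, $storedMd5, $n1, $r1) ? "replay accepted (bad)\n" : "replay rejected\n";

// Client-side MD5 with no nonce mixed in: the value is not a valid response, and if it
// were accepted it would simply be the credential itself, which is the post's objection.
$n2 = issueNonce($outstanding);
echo verify($outstanding, $storedMd5, $n2, md5('hunter2')) ? "bare hash accepted\n" : "bare hash rejected\n";
```

Two caveats belong with this design: the server-side md5($password) is itself a password-equivalent if the database leaks, and the session cookie set after a successful login still crosses the wire in the clear on HTTP, which is why the next posts keep coming back to SSL and to the cookie.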

Re: Security of Pun's authentification

SSL doesn't make your cookie more secure, or your login for that matter.
The only thing SSL does is encrypt your data. It is still possible to hijack your cookie with SSL enabled.

The banks simply use SSL to make sure that when you're banking, somebody who is listening on your line can't read the data without the keys.
But it doesn't mean that somebody can't log in under your name, or use some kind of XSS hack.

A good auth would involve a handshake, something like what the SSH and SSL protocols do. But whatever you choose, there is always the need for the cookie.

Whatever your cookie may contain, a session id or an encrypted password.
So you can make your auth as strong as you like, but when somebody can make an XSS hack that steals your cookie, it's useless.

PS: SSL and SSH are as strong as the encryption methods used. For example, if you're using Blowfish or some other older encryption method, you're begging for trouble.
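The thread's two agreed points, that a cookie is still needed (otherwise the forum cannot recognise a returning browser) and that whatever the cookie holds can be stolen through XSS, come together in what "storing data at the server" actually buys. The following is an added example in PHP, not PunBB's code; it assumes PHP 7.3 or later for the setcookie() options array, a constructed in-memory user table and session store in place of MySQL, and a hypothetical cookie name punbb_sid. The legacy cookie format at the end is also constructed for comparison, not PunBB's real layout.

```php
<?php
// Added example (not PunBB code): server-side sessions with an opaque cookie.
// Assumptions: PHP >= 7.3; user table and session store are in-memory stand-ins for MySQL.
declare(strict_types=1);

// Constructed sample user: the password is stored as a salted hash, so a leaked
// table (or cookie) does not hand an attacker a bare MD5 to crack offline.
$users = [
    1 => ['username' => 'alice', 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Server-side session store: session id => ['user_id' => ..., 'expires' => ...].
$sessions = [];

function login(array $users, array &$sessions, string $username, string $password): ?string
{
    foreach ($users as $id => $u) {
        if ($u['username'] === $username && password_verify($password, $u['hash'])) {
            // 128-bit random opaque id: reveals nothing about the password, unlike an MD5.
            $sid = bin2hex(random_bytes(16));
            $sessions[$sid] = ['user_id' => $id, 'expires' => time() + 3600];
            return $sid;
        }
    }
    return null;
}

function currentUser(array &$sessions, ?string $sid): ?int
{
    if ($sid === null || !isset($sessions[$sid])) {
        return null;
    }
    if ($sessions[$sid]['expires'] < time()) {
        unset($sessions[$sid]);            // expired: a stolen id is now worthless
        return null;
    }
    return $sessions[$sid]['user_id'];
}

function logout(array &$sessions, ?string $sid): void
{
    if ($sid !== null) {
        unset($sessions[$sid]);            // revoked on the server, not merely deleted client-side
    }
}

// The cookie the thread agrees is still needed. HttpOnly keeps document.cookie from
// reading it (this narrows, but does not eliminate, XSS cookie theft); Secure keeps it
// off plain HTTP where a sniffer would see it; SameSite limits cross-site sending.
function sendSessionCookie(string $sid): void
{
    setcookie('punbb_sid', $sid, [      // hypothetical cookie name
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ": $label\n";
}

// Demonstration (setcookie() only has an effect under a web server; the rest runs on the CLI).
$sid = login($users, $sessions, 'alice', 'correct horse battery staple');
check('valid login yields a session', $sid !== null && currentUser($sessions, $sid) === 1);
check('wrong password yields none', login($users, $sessions, 'alice', 'wrong') === null);
check('unknown session id is rejected', currentUser($sessions, bin2hex(random_bytes(16))) === null);

// What a thief gets under each scheme (legacy format constructed for comparison only).
$legacyCookie  = 'alice|' . md5('correct horse battery staple');   // crackable offline, never expires
$sessionCookie = 'punbb_sid=' . $sid;                             // useless after logout or expiry
logout($sessions, $sid);
check('session is dead after logout', currentUser($sessions, $sid) === null);
echo "legacy cookie:  $legacyCookie\nsession cookie: $sessionCookie\n";
```

The design choice to note is that revocation and expiry now happen on the server: with an MD5 in the cookie, the stolen value stays valid until the user changes their password, whereas the session id stops working the moment the user logs out or the entry expires, which is the "remaining time" limit mentioned earlier in the thread.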

50 (edited by buzzkill 2005-04-08 23:13)

Re: Security of Pun's authentification

Let me ask one question. As a developer, how do you determine what's best, and how do you check your code for vulnerabilities? I am relatively new to PHP. I can usually read it better than I can develop with it. I have learned from books, tutorials, and other on-line resources. The one thing that I have learned is that it seems like there is no one source that says, "this is how you should do it." Like there is some big secret society that won't leak out information. lol

I just want to learn how to make an authentication system that's secure, using PHP/MySQL, and will run on different web servers. Is that too much to ask? (sarcasm). Every book that I have read, or tutorial/article I have read, seems to tip-toe around the subject.