Security offense!! Access denied!

testör

#27
Security is always a bunch of combination - have a look here: http://drupal.org/writing-secure-code
Or have a look here: http://wiki.phpbb.com/display/DEV/Function.check+form+key and http://blog.phpbb.com/2009/01/14/fighting-csrf/ (phpBB uses quite the same form-key validation as SecureForm).

pcwacht

Not saying I wouldn't like the new idea around issues etc.

The logic of another solution could be:

The user logs in and gets a secret key known only to the server, with which it scrambles the form tags (FTAN).
This secret key is time limited, say 5 minutes or so by default, which could be raised if needed, so the FTAN lifetime is limited as well.

As long as the FTAN matches the secret key, it is OK.
This way the same FTAN could be used on different pages for the same user at the same time.

Kind of like Windows uses Kerberos.

I must say, reading about all these protection measures which are currently built into the new core of WB (PHP code which can't use includes, eval etc., FTAN per page which obstructs multi-page editing, to name the two I know about), I am starting to get less eager to see the new WB in action.

John
[url="http://www.ictwacht.nl"]http://www.ictwacht.nl[/url] = Dutch ICT info
[url="http://www.pcwacht.nl"]http://www.pcwacht.nl[/url] = My first
both still works in progress, for years.....

NorHei

Many are still insecure...
And many have a similar problem to WB.

How about some of us go and check how it's done in other CMSs? I am sure the devs would be happy to implement a better solution.

BlackBird

The most secure Computer of the world is locked inside a safe, powered off. The only problem is that you can't use it for anything.
[url=http://wbaddons.webbird.de]http://wbaddons.webbird.de[/url] [url=http://www.WebsiteBaker.org/forum/index.php/topic,27476.msg189845.html#msg189845]Don't miss this[/url]

maverik

I am a hunter and gatherer, so there are not many CMSs, counters or groupware packages that I have not yet installed and tested.
But behaviour like WB is showing now is something I have never come across. And I work with other systems in the same way.

Are all these systems insecure?

So over the last 5 years I had an "open house" with WB and nothing happened. Now I have so many doors and locks that I myself can no longer get from the east wing to the wine cellar and then into the fireplace room.

Argos

Jurgen Nijhuis
Argos Media
Heiloo, The Netherlands
----------------------------------------------------------------
Please don't request personal support, use the forums!

Stefek

I must say that I don't like the new "feature" if it changes the way one works with the CMS.
These are long-term habits.


Quote from: Argos on January 26, 2011, 05:10:24 PM
Copy/paste doesn't seem to be a big problem to me. What is more problematic is doing bulk editing to a large number of pages, for example modifying settings or user rights.
Exactly.
Another situation is, for example:
You are working on a page but you want to quickly change something in settings/user access or somewhere else.
You open a new window with the "open link in new window" command (mouse, context menu etc.).
But you can't change anything... you have no access  :roll:

I hope there is another way to grant security.
Even though security is first, don't forget about the usability thingy..

Regards,
Stefek
[i]"Together, one achieves more."[/i]

[b][url=http://duden.de/rechtschreibung/gemeinsam#Bedeutung1]gemeinsam[/url][/b] (together, shared)
1. belonging to several persons or things in the same way, shared
2. [undertaken, to be accomplished] in community; together, with one another
#Duden

BlackBird

Seems that the Lib you are using can't handle more than one valid session. (Where session means open tab in this case.)

Argos

Copy/paste doesn't seem to be a big problem to me. What is more problematic is doing bulk editing to a large number of pages, for example modifying settings or user rights.

Luisehahne

#18
If I want to copy/paste sections from one page into another, first I open the sections I want to copy from, because I don't need to save anything there. Then I open the sections I want to paste into and modify. This page gets a current token and I can save.

If I want to save something from the copy sections, I first refresh the site, do my changes and save.

May be the solution we are searching for.

First refresh the page you want to save, then modify and save. It's one click more, but for security I can accept it.

Dietmar
Note: Once the code has been generated, it is easy to debug. It's not a bug, it's a feature!

Argos

Quote from: NorHei on January 26, 2011, 04:10:35 PM
Someone tested if its possible to use Firefox and Firefox portable at the same time ?

That's irrelevant. You still can only edit 1 page per browser...

NorHei

Someone tested if its possible to use Firefox and Firefox portable at the same time ?

Argos

Logging out before visiting another site is an attack prevention for OLD versions, not for NEW versions. It of course does not allow you to edit multiple pages. There is nothing to edit anymore if you're logged out...

NorHei

#14
@maverik

To keep it short: if you are logged in to WB, or were logged in, and you then go to another site that contains certain malicious code (just visiting it, doing nothing), that site's malicious code can take over your admin account (new password) or simply create a new one. After that the attacker can use your complete WB for his own purposes or even install his own scripts via the file manager.

The whole thing also works with mails that carry corresponding malicious code.

Countermeasures: ALWAYS log out before opening a mail or before opening another tab with another site, or FTAN.

A possible workaround would be several browsers.


 

Ruud

This was mainly about explaining the problem. Not discussing the solution.

The immediate solution for "old" websites (not just WB, but any site you can login) is to logout before doing other stuff. If there is no "trusted" connection with your website, there is no problem.

I have even seen recommendations in other CMS forums to use a separate browser for web-development.
i.e. use IE to browse the web and FF for development and management.

I cannot promise any changes in how it is handled at this time, however I can imagine this feature will evolve and become more transparent in the future.
[url=https://dev4me.com/modules-snippets/]Dev4me - WebsiteBaker modules[/url] - [url=https://wbhelp.org/]WBhelp.org[/url]

Argos

Thanks for the explanation Ruud, I understand the need for such a protection now. However, I cannot believe that protection needs such a rude method. Isn't there a more elegant solution to prevent such attacks and still be able to open and use multiple instances of the admin to work in? Is it for example not possible to create multiple tokens that all refer to the rightful admin? Or use the same token for multiple browser windows?

I admit that I would prefer a slicker method to edit multiple pages at once, but for the moment opening multiple browser tabs/windows is the only way to do so. It is already a workaround for a shortcoming of WB, but now the workaround is gone. That's too sad.

maverik

Please give a German explanation of why it is necessary in the backend and what can happen to my site without this protection. My English is not good enough to understand the English explanation.
The only thing I know is that it is very irritating and uncomfortable to work with WB at the moment.

Ruud

Ok let me try to explain a bit.

With the right techniques, if you would be logged in (or have been logged in before in the same browser session) as admin of your website, and you visit another website (or open an email message) with a specially crafted image/script, they could create a new admin user on the fly. Just by visiting a website or reading a mail.

To prevent this, any form (i.e. user creation/modification, or just page editing) should test whether the request to modify the page/user was coming from the authenticated user.
So, now any request to open a form will add a random code (token) that is only valid until the form is saved or the next code is generated.
So by opening a second form in a new tab, the first token is not valid anymore.
More importantly, if a third party creates the form-data to post, there will be no valid token in the data, and the data is rejected.

This site has a good explanation.
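The two token designs argued over in this thread, as an added example (this is not WebsiteBaker's SecureForm/FTAN code and not pcwacht's or Ruud's code; class names, the TOKEN_TTL constant and the dict standing in for PHP's $_SESSION are assumptions). SingleSlotTokens is the behaviour Luisehahne and Ruud describe: one token per session, overwritten when any form is rendered, so the save in the first tab fails once a second tab is opened. KeyedTokens is the scheme pcwacht sketches: a per-session secret on the server, tokens derived from it with HMAC plus an issue time, each valid until it expires, so several tabs can hold valid tokens at once while a cross-site request, which cannot know the secret, is still rejected.

```python
"""Two CSRF form-token designs from the thread, side by side.

Added illustration; it is not WebsiteBaker's SecureForm/FTAN code and
nothing here comes from the project. Assumed names: SingleSlotTokens,
KeyedTokens, TOKEN_TTL, and a plain dict standing in for PHP's $_SESSION.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds; the "5 minutes or so" default suggested in the thread


class SingleSlotTokens:
    """One token per session: rendering any form overwrites the previous one.

    This is the behaviour the thread complains about: open a form in tab B
    and the token tab A still holds no longer matches.
    """

    def __init__(self, session, now=time.time):
        self.session = session  # 'now' is accepted only for a uniform interface

    def issue(self):
        token = secrets.token_hex(16)
        self.session["ftan"] = token
        return token

    def check(self, submitted):
        expected = self.session.get("ftan")
        if expected is None or submitted is None:
            return False
        if not hmac.compare_digest(expected, submitted):
            return False
        del self.session["ftan"]  # single use: the token is spent on success
        return True


class KeyedTokens:
    """Tokens are issued_at + HMAC(session_secret, issued_at).

    Nothing per form is stored server side, so any number of tabs can hold
    a valid token at once; each one expires TOKEN_TTL seconds after issue.
    A forged request from another origin cannot carry a valid MAC because
    the secret never leaves the session.
    """

    def __init__(self, session, now=time.time):
        self.session = session
        self.now = now  # injectable clock so expiry can be tested deterministically
        if "form_secret" not in session:
            session["form_secret"] = secrets.token_bytes(32)

    def _mac(self, issued_at):
        msg = str(issued_at).encode()
        return hmac.new(self.session["form_secret"], msg, hashlib.sha256).hexdigest()

    def issue(self):
        issued_at = int(self.now())
        return f"{issued_at}:{self._mac(issued_at)}"

    def check(self, submitted):
        try:
            ts_text, mac = (submitted or "").split(":", 1)
            issued_at = int(ts_text)
        except ValueError:  # missing, malformed or non-numeric timestamp part
            return False
        if not hmac.compare_digest(self._mac(issued_at), mac):
            return False
        age = self.now() - issued_at
        return 0 <= age <= TOKEN_TTL


def two_tabs(scheme_cls):
    """Open a form in tab A, then in tab B, then submit A, B and a forged request.

    Returns (a_ok, b_ok, forged_ok). Under SingleSlotTokens the first tab's
    save fails; under KeyedTokens both succeed; the forgery never does.
    """
    session = {}
    scheme = scheme_cls(session)
    tab_a = scheme.issue()
    tab_b = scheme.issue()
    forged = None  # a cross-site POST carries no token at all
    return scheme.check(tab_a), scheme.check(tab_b), scheme.check(forged)


def expiry():
    """Returns (valid_when_fresh, valid_after_ttl) for a keyed token."""
    clock = {"t": 1_000_000}
    scheme = KeyedTokens({}, now=lambda: clock["t"])
    token = scheme.issue()
    fresh = scheme.check(token)
    clock["t"] += TOKEN_TTL + 1
    return fresh, scheme.check(token)


def cross_session():
    """A token minted for one session must not verify in another."""
    token = KeyedTokens({}).issue()
    return KeyedTokens({}).check(token)


if __name__ == "__main__":
    print("single slot  :", two_tabs(SingleSlotTokens))  # (False, True, False)
    print("keyed        :", two_tabs(KeyedTokens))       # (True, True, False)
    print("expiry       :", expiry())                    # (True, False)
    print("cross-session:", cross_session())             # False
```

The trade-off is that a keyed token is not single-use: the same session can replay it until it expires. For CSRF that is acceptable, because the attacker's page cannot read the token in the first place, and if a particular form must be bound to one action the form name can simply be mixed into the MAC message. What it does not do is protect a session whose secret has leaked (for example through XSS), which no form token can.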

BlackBird

I think it is part of the CSRF protection, but, as I said above: "Nach fest kommt ab". (analogous: "after firm comes off") This means in this case: There can be too much protection. It simply makes WB more complicated to use, maybe even unusable. (There are some other threads that go into the same direction, concerning other inventions.)

Argos

It's not clear to me why this measure improves "security" and "safety". Can anyone explain what is not safe about working in multiple tabs?

And I also would like to know how I "will learn to handle this"?

This "improvement" alone would be reason for me to not upgrade and use WB 2.8.2 and 2.9

BlackBird

Tried this with sseq-lib (with a module of mine that uses the SEQ_FTOKEN() method provided there). Seems to work. As far as I know, sseq-lib checks the browser signature only (can be disabled also) along with other data, so you can work with Tabs without any problems. Maybe the Lib you're using can be configured to be a bit less strict.

"Nach fest kommt ab!"

testör

Quote from: Luisehahne on January 26, 2011, 07:37:59 AM
I talk with DarkViper. The only chance is, to work with different browser.
Well, but who works with different browsers? Nearly nobody, and most people won't (and shouldn't, by the way). You can edit only one window in the WB backend; that's a security feature and shouldn't be removed. Please don't make good - and of course "hard" - security very weak just because it at first seems different from before.

Luisehahne

I talked with DarkViper. The only chance is to work with different browsers. The secure token is set only once. If you open a second tab in the same window, a new token will be created, and saving in the first window fails.

So the secure fix works correctly and fine.

Safety first!

Dietmar

P.S. I hope I could explain it understandably.

testör

No, it can't be disabled in 2.8.2 and 2.9.dev. Just look at all the revisions of the last weeks and you'll see that SecureForm / FTAN is a new security measure in 2.8.2 and 2.9, linked very deep into the core classes.
Btw: most software has these CSRF-avoiding TANs.
If this could be disabled, it would be complete nonsense to include these security measures. Disabling safety would be no safety at all. You'll learn to handle this (I have to accept this too, and at first it's a bit uncomfortable), I am sure.

Stefek

Quote from: Argos on January 26, 2011, 04:14:31 AM
And can it be disabled?

I hope it can, for I am using different windows at once as well.

Regards,
Stefek