Security offense!! Access denied!

BlackBird

Found that the problem was caused by an older BE theme. Seems the SecureForm.php requires changes in the BE Themes, too.
[url=http://wbaddons.webbird.de]http://wbaddons.webbird.de[/url] [url=http://www.WebsiteBaker.org/forum/index.php/topic,27476.msg189845.html#msg189845]Don't miss this[/url]

BlackBird

Quote from: NorHei on June 10, 2011, 02:28:10 PM
I think it's because some modules open stuff in a new popup window or do some other kind of transaction.

I am still having the problem with ALL forms in the BE. I tried to work with it with IE instead of FF - same problem. So in fact it IS unusable here. To be able to go on with my module tests, I had to fake all DB entries and access files. So don't say unusable is a too hard word. :wink:

maverik

I updated one live site, of a good friend of mine, without telling him that I had updated the site, because I wanted to see what happens.
I asked myself: "Do other, normal users work the same way I do?"

After some days he called me and said that he can't save pages, Access denied, what happened with the site and what to do. I installed the patch and the problem was solved. Since that time he never called me again. Ok, he called for drinking a beer together :-D


NorHei

I can only make a guess.

I think it's because some modules open stuff in a new popup window or do some other kind of transaction. As without the patch there is only one valid transaction possible, the main form becomes invalid after adding an image in CKE, for example.


instantflorian

Quote: Just to clarify, it's not that WB 2.8.2 RC6 is unusable. It only gets unusable when it is patched. So it is good that this patch will find no way into the core.

No. Objection! Same as Maverik for me. Without the patch, the RC6 still throws from time to time (not always, strangely enough) the "security offense" error even if only 1 tab is opened. So this version is not completely "unusable" (that's a strong word), but a bit risky to use. With NorHei's patch, this problem disappears.

BR
_florian.


BlackBird

Just to clarify, same behaviour with UNPATCHED RC6. I installed the patch to fix it.

maverik

Quote: It only gets unusable when it is patched
:-o  :?

The same behavior as bianka describes I had too without the patch. I am working on 3 live sites with RC6 with the patch, and working is possible for me.
Without the patch it wasn't.

ruebenwurzel

#70
Hello,

Quote: WB2.8.2 RC6 for the first time, and for the first time I see that it's completely unusable!

Just to clarify, it's not that WB 2.8.2 RC6 is unusable. It only gets unusable when it is patched. So it is good that this patch will find no way into the core.

Matthias

BlackBird

Yepp. I'm unable to create new pages.

instantflorian

@Blackbird: Does this still happen after you installed NorHei's patch?

BlackBird

I've installed the current WB2.8.2 RC6 for the first time, and for the first time I see that it's completely unusable! I have ONE Tab with WB2.8.2, but another one with my "old" 2.8.1-installation, tried to add a first page, and I'm getting the security warning instantly. :x


NorHei

#65
Version 0.3

Did some cleanup and fixed a small bug (missing _).

[deleted by administrator]

NorHei

Ok version 0.2.

Added browser fingerprint and IP check (even if behind a proxy or load balancer).

If you want some special configuration, put this somewhere in your config.php, for example:

# Secret can contain anything; it is the base for the secret part of the hash
define ('WB_SECFORM_SECRET','whatever you like');
# Shall we use fingerprinting: true/false
define ('WB_SECFORM_USEFP', true);
# Timeout until the form token expires. Integer value between 0-86400 seconds (one day)
define ('WB_SECFORM_TIMEOUT', 3600);
# Name for the token form element; only an alphanumerical string is allowed that starts with a character
define ('WB_SECFORM_TOKENNAME','my3form3');
# How many blocks of the IP should be used in the fingerprint: 0=no ipcheck, possible values 0-4
define ('WB_SECFORM_USEIP',2);



Just wanted to mention that this code is not cleaned up at all; if no usage problems occur, I'll clean it up with the next versions.


Btw. if anyone has an idea what this IDKEY is exactly doing, please feel free to explain.
(Or maybe where I can find a decent explanation.)

[deleted by administrator]

BlackBird

I would open a new thread when the patch is ready. :-D I think that's more eye-catching.

NorHei

@Blackbird
http://en.wikipedia.org/wiki/X-Forwarded-For
is already implemented in my fingerprint functions.
Another option would be to use just the first 2 parts of your IP.

@Argos
I thought of posting a fresh version at the end of the thread, as it only makes sense to modify the old one if the old entry is at the beginning of the thread. If you can add an entry at the start of the thread, I would update that too.

Argos

Please let us know when it's time to test! And is the download in your previous post the latest version all the time?
Jurgen Nijhuis
Argos Media
Heiloo, The Netherlands
----------------------------------------------------------------
Please don't request personal support, use the forums!

BlackBird

I will have problems with this kind of token, as my IP changes with every hit. (Load balancer)

NorHei

For now I added no browser fingerprinting, as that should be done by the session.

Normally the session should log out and present a password field if someone changes his browser or maybe IP.
So for now you can even use different browsers and different IPs.

If you like, I can add some advanced fingerprinting that can be turned on and off, as fingerprinting sometimes can cause some trouble.

The security part is the part I checked myself; I need some additional checking of functionality on different forms, so simply turn on errors and use it :-)

BlackBird

Yes. In my opinion, it's a good solution, and I don't think it is less secure than the original one. I am discussing with NorHei by PN some options to improve token security a little bit, by generating a random secret and storing it outside the code. There could also be an automatic re-generation of the secret every X days, for example. Only someone with more "criminal energy" should check the solution. ;)

Argos

Ah! Sounds perfect then. The technical stuff about tokens and sessions and what have you is far beyond my understanding, it's all mumbo jumbo to me I'm afraid. And I must admit it doesn't interest me either. I'm a designer, not a coder. But if the result is that multiple tabs with open forms are possible (so usability is not affected), and WB is still more secured, then it sounds great!

BlackBird

Yes.

With the new solution, a token is generated that is signed by the server. It is not stored in the session or somewhere else, but it has a timeout.

You can work with multiple tabs, but you can't post the form with another User Agent or from another IP. (This means, you cannot open the form with one browser and post the same form with the same token with another one. But you can open as many forms as you like with the same session in different tabs.) The token is still secure. (See explanations by following the link I provided some posts up.)
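The mechanism BlackBird describes in the post above (a server-signed token with a timeout that is not stored in the session, bound to the browser and IP) and the config.php constants from NorHei's version 0.2 post further down the thread can be demonstrated together. The following is an added example written for this thread; it is not NorHei's SecureForm.php and not WebsiteBaker code. The constant names match the posted config snippet; the function names (secform_*), the token layout "expiry.nonce.hmac", the use of X-Forwarded-For and the sample requests are assumptions of this example.

```php
<?php
// Added example, not the SecureForm.php patch from this thread: a stateless,
// server-signed form token with timeout and an optional browser/IP fingerprint.
// Constant names follow the config.php snippet posted in the thread; everything
// else (function names, token layout, sample requests) is assumed here.

// Defaults, used only when config.php did not define the constant.
defined('WB_SECFORM_SECRET')    || define('WB_SECFORM_SECRET', 'change-me-in-config.php');
defined('WB_SECFORM_USEFP')     || define('WB_SECFORM_USEFP', true);
defined('WB_SECFORM_TIMEOUT')   || define('WB_SECFORM_TIMEOUT', 3600);
defined('WB_SECFORM_TOKENNAME') || define('WB_SECFORM_TOKENNAME', 'formtoken');
defined('WB_SECFORM_USEIP')     || define('WB_SECFORM_USEIP', 2);

// Client IP, honouring X-Forwarded-For when behind a proxy or load balancer
// (the first address in the list is the original client).
function secform_client_ip(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Fingerprint = user agent + the first WB_SECFORM_USEIP blocks of the IP.
// Using only the leading blocks lets the token survive a load balancer that
// hands out a different address on every hit, the situation reported in the thread.
function secform_fingerprint(array $server): string
{
    if (!WB_SECFORM_USEFP) {
        return '';
    }
    $blocks = explode('.', secform_client_ip($server));
    $ipPart = implode('.', array_slice($blocks, 0, max(0, min(4, WB_SECFORM_USEIP))));
    return ($server['HTTP_USER_AGENT'] ?? '') . '|' . $ipPart;
}

// Build the token "expiry.nonce.hmac". Nothing is stored server-side: the HMAC
// over expiry, nonce and fingerprint is what makes the token unforgeable.
function secform_create(array $server, ?int $now = null): string
{
    $now    = $now ?? time();
    $expiry = $now + WB_SECFORM_TIMEOUT;
    $nonce  = bin2hex(random_bytes(8));
    $mac    = hash_hmac('sha256', $expiry . '.' . $nonce . '.' . secform_fingerprint($server), WB_SECFORM_SECRET);
    return $expiry . '.' . $nonce . '.' . $mac;
}

// Verify a submitted token: well-formed, not timed out, MAC matches this client.
function secform_verify(string $token, array $server, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return false;                       // malformed
    }
    [$expiry, $nonce, $mac] = $parts;
    if ((int) $expiry < $now) {
        return false;                       // timed out
    }
    $expected = hash_hmac('sha256', $expiry . '.' . $nonce . '.' . secform_fingerprint($server), WB_SECFORM_SECRET);
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Hidden input for a form; the field name comes from config.php.
function secform_field(array $server): string
{
    return '<input type="hidden" name="' . WB_SECFORM_TOKENNAME . '" value="' . secform_create($server) . '">';
}

// Constructed sample requests (not real traffic): same browser, the load balancer
// changes the client address between the two hits; then a different browser.
$firstHit  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/4.0',
              'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.17, 10.0.0.5'];
$secondHit = $firstHit;
$secondHit['HTTP_X_FORWARDED_FOR'] = '203.0.113.99, 10.0.0.6';
$otherUA   = $firstHit;
$otherUA['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows) MSIE 8.0';

$token = secform_create($firstHit);
var_dump(secform_verify($token, $secondHit));                                   // true: same UA, same first 2 blocks
var_dump(secform_verify($token, $otherUA));                                     // false: other browser
var_dump(secform_verify($token, $firstHit, time() + WB_SECFORM_TIMEOUT + 1));  // false: timed out
var_dump(secform_verify(substr($token, 0, -1) . 'x', $firstHit));               // false: MAC altered
```

Two points worth noting for anyone testing a token of this kind. First, because nothing is kept in the session, the token stays valid across as many tabs as you like, and each tab can carry its own token; that is exactly the multi-tab behaviour the thread asks for. Second, the fingerprint only narrows who can submit a given token; what makes it unforgeable is the HMAC and the secrecy of WB_SECFORM_SECRET, so the secret should be long, random and kept out of the code, as BlackBird suggests above. If the session already identifies the user reliably, adding the session id to the HMAC input is a cheap way to tie the token to that login as well.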

Argos

Do you mean with "works across tabs" that you can have multiple forms opened in the tabs? Because that's the biggest problem I personally would like to get rid of.

BlackBird

That's a good question. I think the most important thing is that it works across tabs, for this is the reason for the patch. Next, you may try to hack the token in the form to see what happens. (There should be something like "access denied" then.) Maybe NorHei can give more examples.

Argos

How can we test something like this? I mean, what do we have to look for? The absence of usability issues like the FTAN ones? Or something specific?