#192214 07/30/2002 3:31 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Is it possible to use the UBB's ability to track IPs and encrypt that info in the cookie so that a hijacked cookie is worthless? Of course the password would have to be encrypted too. I realize that it would force users to re-login if the IP changes, but even if it was a Class C or B it would allow modem users or AOL proxied users to stay logged in and still prevent nearly all cookie hijack problems.

I know that the Infopop guys go to great lengths to filter HTML and prevent exploits, but face it, we're only one step ahead of the people that thrive on the enjoyment they get from malicious behavior and tearing down communities.

#192215 07/31/2002 9:52 AM
PF
Joined: Apr 2002
Posts: 111
Member
Maybe a better idea would be to allow users to restrict access to their accounts to specific IP addresses.

If someone steals the cookie, then they wouldn't be able to login.
That shouldn't be too hard, just changes to verify_id_num and verify_id_num2? (along with an interface of course) :)

This means those on static IPs can be sure that no one can access their account, except anyone that gets on their machine ;)

#192216 07/31/2002 9:28 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
I have a friend that is involved in another BB and is using my idea with MD5 encrypted passwords, and he is also encrypting the first two octets of the IP in the cookie. So far it's going well.

Of course the trick is making sure they can't just decipher which part is which and paste part of their cookie into yours.

#192217 08/01/2002 8:02 AM
Joined: Dec 2000
Posts: 730
deutscher moderator / v5 specialist
On my board I use MD5 to encrypt the PWD. I also changed the "lost PWD" function, because in the profile the PWD is also encrypted.

I think it's a good idea to encrypt the first part of the IP and store it encrypted in the cookie.

#192218 08/01/2002 8:17 PM
Joined: Dec 2000
Posts: 371
Member
Joking-down, I would appreciate it if you can tell me how you used MD5, because our forum has been hacked twice in the last months by people that use scripts which can catch cookies.

#192219 08/02/2002 1:46 PM
Joined: Nov 2000
Posts: 68
Member
Hi T, I've been snooping around this place looking for encryption routines and saw this thread.

If ya wanna work with me on this cookie problem, ICQ me. I have a few solutions brewing.

#192220 08/03/2002 11:20 AM
Joined: Dec 2000
Posts: 730
deutscher moderator / v5 specialist
With this code you can protect the PWD in the cookie:
Code
cp.cgi
======

find:
----

use strict;
use Fcntl ':flock';
use UBBCGI qw(:cgi); # CGIPath/Modules/UBBCGI.pm
use UBBCGI::Carp qw(fatalsToBrowser set_message); # CGIPath/Modules/UBBCGI/Carp.pm


add after:
---------

##
# use MD5
##

use Digest::MD5 qw (md5 md5_hex md5_base64);



find:
----

&CheckPermission_CP;
my $cookie = cookie(
-name => "ubbadmin$vars_config{Cookie_Number}",
-value => [$username, $password, $status, $pn, $admin_num],


replace with:
------------

&CheckPermission_CP;
my $cookie = cookie(
-name => "ubbadmin$vars_config{Cookie_Number}",
-value => [$username, md5_hex(lc($password)), $status, $pn, $admin_num],



cp_lib.cgi
==========

find:
----

my @profile = &OpenProfile($profile_stuff[2]);
chomp($profile[1]);
chomp($profile[8]);
chomp($profile[15]);
$lcpw = lc($password);
$lcprofpw = lc($profile[1]);

if ($lcpw ne "$lcprofpw") {



replace with:
------------

my @profile = &OpenProfile($profile_stuff[2]);
chomp($profile[1]);
chomp($profile[8]);
chomp($profile[15]);
$lcpw = lc($password);
$lcprofpw = lc($profile[1]);

if (length($lcprofpw) < 32) {
$lcprofpw = md5_hex($lcprofpw);
}

if ($lcpw ne "$lcprofpw") {




ubb_lib.cgi
===========

find every:
----------

#lowercase everything
$lcpw = lc($profile[1]);
$lc_un = lc($profile[0]);
chomp($lc_pw_in = lc($pw)); # jic
chomp($lc_un_in = lc($un));



and add AFTER:
-------------

if (length($lcpw) < 32) {
$lcpw = md5_hex ($lcpw);
}




ubb_lib_misc.cgi
================

find:
----

-value => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],


replace with:
------------

-value => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],




ubb_new_reply.cgi, ubb_new_topic.cgi
====================================

find:
----

$cookie4 = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
-path => '/',
-expires => '+2y'
);



replace with:
------------

$cookie4 = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
-path => '/',
-expires => '+2y'
);




ubb_profile.cgi
===============

find:
----

$cookie2 = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$user_profile[0], $new_password, $public_name, $in{DaysPrune}, $in{u}, $pntf_hidden, $avhide],
-path => '/',
-expires => '+2y'
);



replace with:
------------

$cookie2 = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$user_profile[0], md5_hex(lc($new_password)), $public_name, $in{DaysPrune}, $in{u}, $pntf_hidden, $avhide],
-path => '/',
-expires => '+2y'
);




ultimate.cgi
============

find:
----

use strict;
use Fcntl ':flock';
use UBBCGI qw(:cgi); # CGIPath/Modules/UBBCGI.pm
use UBBCGI::Carp qw(fatalsToBrowser set_message); # CGIPath/Modules/UBBCGI/Carp.pm


add after:
---------

##
# use MD5
##

use Digest::MD5 qw (md5 md5_hex md5_base64);



find:
----

chomp(my $writeadmin = (&OpenProfile($profile_number))[4]);
chomp(my $this_un = (&OpenProfile($profile_number))[0]);
chomp(my $this_pw = (&OpenProfile($profile_number))[1]);


replace with:
------------

chomp(my $writeadmin = (&OpenProfile($profile_number))[4]);
chomp(my $this_un = (&OpenProfile($profile_number))[0]);
chomp(my $this_pw = (&OpenProfile($profile_number))[1]);

$this_pw = md5_hex (lc($this_pw));



find:
----

my $cookie = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$this_un, $this_pw, $pubname, $dp, $profile_number, $hidden, $noav],
-path => '/',
-expires => '+2y'
);
$username = $in{username};


replace with:
------------

my $cookie = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$this_un, md5_hex(lc($this_pw)), $pubname, $dp, $profile_number, $hidden, $noav],
-path => '/',
-expires => '+2y'
);
$username = $in{username};



find:
----

# reconfirm user data- in case profile details were changed
if ($username ne '') {
my @this_profile = &verify_id_num_2($username, $password, $user_number);
chomp($this_profile[1]);
chomp($this_profile[0]);
chomp($this_profile[21]);
chomp($this_profile[15]);
chomp($this_profile[35]);
if ($this_profile[15] eq '') { $this_profile[15] = "$this_profile[0]"; }
$cookie3 = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$this_profile[0], $this_profile[1], $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
-path => '/',
-expires => '+2y'
);
}


replace with:
------------

# reconfirm user data- in case profile details were changed
if ($username ne '') {
my @this_profile = &verify_id_num_2($username, $password, $user_number);
chomp($this_profile[1]);
chomp($this_profile[0]);
chomp($this_profile[21]);
chomp($this_profile[15]);
chomp($this_profile[35]);
if ($this_profile[15] eq '') { $this_profile[15] = "$this_profile[0]"; }
$cookie3 = cookie(
-name => "ubber$vars_config{Cookie_Number}",
-value => [$this_profile[0], md5_hex(lc($this_profile[1])), $this_profile[15], $this_profile[21], $user_number, $this_profile[35], (split(/\|/, $this_profile[38]))[2]],
-path => '/',
-expires => '+2y'
);
}
I tested the code only on my local system...
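As an added illustration (not code from the thread or from UBB), here is a Python port of the posted cp_lib.cgi comparison next to a cookie that implements the IP-binding idea from the first posts. The port shows that the md5_hex value in the cookie is itself what the server accepts, so the mod hides the plaintext password but a copied cookie still logs in; the second part binds the cookie to the first two octets with an HMAC under a server secret, so the prefix never appears in the cookie and fields cannot be spliced between cookies. The secret and the sample password are constructed values.

```python
import hashlib
import hmac
import time

# Constructed demo values: a real install would use a per-site random secret.
SERVER_SECRET = b"constructed-demo-secret"
PROFILE_PW = "Sesame42"  # plaintext, as UBB keeps it in the member file


def cookie_pw_field(password):
    """What the posted mod puts in the cookie: md5_hex(lc($password))."""
    return hashlib.md5(password.lower().encode()).hexdigest()


def thread_mod_check(cookie_pw, profile_pw):
    """Port of the posted cp_lib.cgi check: hash the profile copy if it is
    not already a 32-char digest, then compare it with the cookie field."""
    lcprofpw = profile_pw.lower()
    if len(lcprofpw) < 32:
        lcprofpw = hashlib.md5(lcprofpw.encode()).hexdigest()
    return cookie_pw.lower() == lcprofpw


def ip_prefix(ip):
    """First two octets (a /16), the granularity used on the friend's board."""
    return ".".join(ip.split(".")[:2])


def issue_token(username, ip, now=None, ttl=7 * 24 * 3600):
    """Cookie = user|expiry|HMAC(user, ip prefix, expiry). The prefix is not
    stored in the cookie at all; it is re-derived from the request address."""
    exp = int(time.time() if now is None else now) + ttl
    msg = f"{username}|{ip_prefix(ip)}|{exp}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{username}|{exp}|{mac}"


def verify_token(token, ip, now=None):
    """Returns the username if the cookie is intact, unexpired and presented
    from the same /16; None otherwise (a spliced or edited cookie fails)."""
    try:
        username, exp_s, mac = token.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    if exp < int(time.time() if now is None else now):
        return None
    msg = f"{username}|{ip_prefix(ip)}|{exp}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac.encode(), expected.encode()) else None
```

A password change does not invalidate tokens issued earlier; folding the profile password hash into the HMAC input would do that at the cost of a profile lookup per request.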

#192221 08/03/2002 1:32 PM
Joined: Jun 2001
Posts: 729
Coder
Was going to test on a 6.1.0.4 system, but in ubb_lib.cgi the code in your "find every:" section does not exist. Checked your site in your signature and see it is a 5.47e system.

What version was this tested on?

#192222 08/03/2002 3:25 PM
Joined: Dec 2000
Posts: 730
deutscher moderator / v5 specialist
quote: Originally posted by 1QuickSI:
What version was this tested on?

I installed version 6.3.1 on my local system.

For v6.1.0x:
Code
search:
------

# check password
if ($lcpw ne "$lc_pw_in") {
&StandardHTML("$vars_wordlets_err{invalid_password}");
}


add before:
----------

if (length($lcpw) < 32) {
$lcpw = md5_hex ($lcpw);
}

#192223 08/03/2002 6:46 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
I'm getting this error on my 6.3.1 test board...

Can't locate auto/Digest/MD5/md5_hex.al in @INC etc. etc.

I went to CPAN for the latest MD5 module and still no go.

#192224 08/03/2002 6:52 PM
Joined: Dec 2000
Posts: 371
Member
Thanks Joking-down. I think we have to install the Perl version of MD5 to run it? If so, where and how? If this works I'll make a statue for you in the hall of fame. :)

#192225 08/03/2002 7:22 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
You can't just copy MD5.pm - you need to ask your hosting provider to install the Digest::MD5 module.


UBB.classic: Love it or hate it, it was mine.
#192226 08/03/2002 7:23 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Charles, does this look valid to you? Is this something that will help?

#192227 08/03/2002 8:18 PM
Joined: Dec 2000
Posts: 47
Member
Good idea. ezboard actually does it with High Security, as far as I am aware. Basically, the session cookie has an embedded IP and thus can only be used from that IP. All other users are treated as not logged in, even though they have a cookie.

#192228 08/03/2002 10:06 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
It's not the method that we'll be using when we go MD5, but it looks like a solution, yes.

(The lost password issue has been a major support & confusion problem; generating a new password every time the user forgets is a real, real pain. We will not be encrypting the password on disk, but it will be MD5ed in the cookie... and if you're worried about the member files being read, then you seriously need to look at the security on your server.)


UBB.classic: Love it or hate it, it was mine.
#192229 08/03/2002 10:32 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
I must have been confused, I thought this was only for the cookie. I have my members folder outside of the web folder so it's very secure.

#192230 08/04/2002 8:16 AM
Joined: Dec 2000
Posts: 730
deutscher moderator / v5 specialist
This mod is only for the cookies...

#192231 08/04/2002 10:37 AM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Edit: my host says that they can't do this for me till the next upgrade of Perl. Is there anything I can do to get this working? If Charles is going to be able to get the passwords MD5'd in the cookies in 6.4, then I'm sure that they won't be making us ask our hosting companies to install modules for us.

#192232 08/04/2002 12:34 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
There is a pure-Perl MD5 module that we can ship, but this hack isn't made for it.

And your host lies. Horribly. Very badly.


UBB.classic: Love it or hate it, it was mine.
#192233 08/04/2002 2:27 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Looks like I have some investigating to do. Thanks

Edit: I ran perldiver and it shows that I have Digest::MD5 and DynaLoader installed. The error I'm getting says that it can't locate in the path auto/Digest/MD5.

How can I tell it to look in Digest/MD5 instead of auto/Digest/MD5?

#192234 08/04/2002 4:53 PM
Joined: Jan 2000
Posts: 5,073
Admin Emeritus
Large modules are often split up into smaller pieces to make them easier to load. Your host's Digest::MD5 has been autosplit, which is why it's looking in auto/.

This isn't something you can fix... Digest::MD5 has to be compiled on the server.


UBB.classic: Love it or hate it, it was mine.
#192235 08/04/2002 5:50 PM
Joined: Jun 2001
Posts: 2,849
Spotlight Winner
Thanks Charles, I've passed this info on. Maybe Joking-Down can modify this a bit to accept the pure Perl module you were talking about for 6.4?

#192236 08/10/2002 8:46 AM
Joined: Dec 2000
Posts: 730
deutscher moderator / v5 specialist
When you don't have Digest::MD5 you can use the module Digest::Perl::MD5 instead.

I have a small error in the code:

Code
remove in ultimatebb.cgi the line:
---------------------------------
$this_pw = md5_hex (lc($this_pw));



change all:
----------
use Digest::MD5 qw (md5 md5_hex md5_base64);

to:
--
eval {
require Digest::MD5; # compiled XS module, if the host has it installed
import Digest::MD5 'md5_hex';
};

if ($@) {
require Modules::Digest::Perl::MD5; # pure-Perl fallback placed under Modules/
import Modules::Digest::Perl::MD5 'md5_hex';
}

