BUG: Security problem with user authentication in CCTW


Kashgarinn

Jan 26, 2011, 5:23:58 AM
to ccTiddly
There's a problem with how user authentication is transferred from
client to server in CCTW. Right now it's done via the httpreq()
function in function: ccTiddlyAdaptor.prototype.login =
function(context,userParams,callback)

- This means that access logs on the web server contain not only the
request but the user/password in plaintext; anyone with access to
those logs will have the user/pass of everyone who accesses the wiki.

A normal HTTP request form which sends a POST submission only shows
the POST, and not the parameter information, in the logs.

I'm trying to rebuild the form submission, goes slowly...

K.

geert Geurts

Jan 26, 2011, 6:38:33 AM
to ccti...@googlegroups.com

Hi Kashgarinn,
Which version are you using?
I checked it and the access logs of my CCTW (1.9) say cctuse=geert&cctpass=(40# HASH)

Greetings,
Geert


--
You received this message because you are subscribed to the Google Groups "ccTiddly" group.
To post to this group, send email to ccti...@googlegroups.com.
To unsubscribe from this group, send email to cctiddly+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/cctiddly?hl=en.


Kashgarinn

Jan 26, 2011, 7:07:25 AM
to ccTiddly
The fact that you can see usernames and passwords in the access logs,
even SHA-1 encoded, is a problem. You should normally just see a POST
call with no information on the parameters, as they should be in the
header.

Still trying to find some solution.. not working properly, I've
disabled my wiki while it's like this.

K.

geert Geurts

Jan 26, 2011, 7:37:45 AM
to ccti...@googlegroups.com
ok...
Then, as a temporary hack, you can also take out the %r directive of the LogFormat statement of your access log.
Then no username or password is being logged and you can keep your wiki online.

Greetings,
Geert

Kashgarinn

Jan 26, 2011, 9:24:21 AM
to ccTiddly
That's a horrible "solution" even though it's a quick fix, because you
don't get information on what files were being accessed, which is bad if
you are hacked and need to check what happened.

But this quick-fix means I can open the wiki again at least locally.

Still trying to figure this out..

K.

geert Geurts

Jan 26, 2011, 10:03:31 AM
to ccti...@googlegroups.com
Horrible solution, temporary hack.... a power-off also solves your problem! ;)
At least you can still use your wiki...
Coming to think of it... using Apache's log pipe functionality you could create a more elegant hack, I think...

Greetings,
Geert


Kashgarinn

Jan 26, 2011, 10:26:40 AM
to ccTiddly
Hehe, yeah, that might have come off as some kind of criticism, but it
wasn't, just a description of how it looks to my mind if I had to look
at it as a permanent solution.

I don't think I want to use some kind of log hack, as it's not the
access logs which are the problem; the problem is that the data isn't
being sent in the header.. and I'm still trying to discover why that
is.

K.
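An added illustration of the point made in this thread (not ccTiddly's code): a login whose parameters ride in the GET query string shows up in Apache's %r request line, while the same parameters in a POST body do not. The path /cctiddly/login.php and the function names are assumptions for the demo; the parameter names are modelled on the log line Geert quoted.

```javascript
// Added example, not ccTiddly code. Demonstrates why credentials in the
// URL query string are captured by the access log's %r directive, and why
// the same data in a POST entity body is not. Path and function names are
// assumptions for this demo.

// Vulnerable shape: credentials appended to the URL as query parameters.
// Hashing the password client-side does not help here: the logged hash is
// the credential the server accepts, so anyone reading the log can reuse it.
function buildLoginRequestGet(user, pass) {
  const qs = new URLSearchParams({ cctuser: user, cctpass: pass }).toString();
  return { method: "GET", path: `/cctiddly/login.php?${qs}`, headers: {}, body: "" };
}

// Hardened shape: same parameters, carried in the POST entity body.
function buildLoginRequestPost(user, pass) {
  const body = new URLSearchParams({ cctuser: user, cctpass: pass }).toString();
  return {
    method: "POST",
    path: "/cctiddly/login.php",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  };
}

// Simulates what Apache's %r records: method, request-target (path plus
// query string) and protocol. The entity body is never part of this line.
function accessLogLine(req) {
  return `${req.method} ${req.path} HTTP/1.1`;
}

// Less lossy variant of the "drop %r" hack: Apache's %U logs the URL path
// without the query string, so a LogFormat using "%m %U %H" keeps method and
// path (what was accessed) while never writing query parameters to the log.
function accessLogLineNoQuery(req) {
  return `${req.method} ${req.path.split("?")[0]} HTTP/1.1`;
}

// Detection helper: does the logged request line expose the password field?
function logLeaksCredentials(req) {
  return /cctpass=/.test(accessLogLine(req));
}
```

Running the two builders through accessLogLine shows the GET variant leaking cctuser and cctpass into the log while the POST variant logs only "POST /cctiddly/login.php HTTP/1.1".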

geert Geurts

Jan 26, 2011, 10:35:54 AM
to ccti...@googlegroups.com
Ok... well, I can't help you with data which is supposed to be in headers... no knowledge about that...
Success!

Greetings,
Geert

