Bugfix: User Authentication security problem
18 views
Skip to first unread message
Kashgarinn
Jan 27, 2011, 5:22:04 AM1/27/11
to ccTiddly
Hi there, found a bug I was able to fix:
Problem: Current login strategy posts the user/password into the URI,
like this: %0/handle/loginFile.php?cctuser=%1&cctpass=%2'+uriParams
- This means all your usernames and passwords are inherently kept in
any logs on the webserver, this means you open up an unnecessary
security hole if anyone is able to access the logs.
Solution: change 2 lines in the wiki code:
Change the code in file: \tiddlers\plugins\001_ccTiddlyAdaptor.js
- Change the code in function: ccTiddlyAdaptor.prototype.login
|| Change the line: var uriTemplate = '%0/handle/loginFile.php?cctuser=
%1&cctpass=%2'+uriParams;
|| into: var uriTemplate = '%0/handle/loginFile.php?'+uriParams;
|| Change the line: var req =
httpReq('POST',uri,ccTiddlyAdaptor.loginCallback,context);
|| into: var req =
httpReq('POST',uri,ccTiddlyAdaptor.loginCallback,context,null,"cctuser="+context.username
+"&cctpass="+context.password);
Regards,
K.
Problem: Current login strategy posts the user/password into the URI,
like this: %0/handle/loginFile.php?cctuser=%1&cctpass=%2'+uriParams
- This means all your usernames and passwords are inherently kept in
any logs on the webserver, this means you open up an unnecessary
security hole if anyone is able to access the logs.
Solution: change 2 lines in the wiki code:
Change the code in file: \tiddlers\plugins\001_ccTiddlyAdaptor.js
- Change the code in function: ccTiddlyAdaptor.prototype.login
|| Change the line: var uriTemplate = '%0/handle/loginFile.php?cctuser=
%1&cctpass=%2'+uriParams;
|| into: var uriTemplate = '%0/handle/loginFile.php?'+uriParams;
|| Change the line: var req =
httpReq('POST',uri,ccTiddlyAdaptor.loginCallback,context);
|| into: var req =
httpReq('POST',uri,ccTiddlyAdaptor.loginCallback,context,null,"cctuser="+context.username
+"&cctpass="+context.password);
Regards,
K.
Reply all
Reply to author
Forward
0 new messages