WebsiteBaker Community Forum, English > Help & Support
Topic: 2.8.2 release projection?
rabsaul (on January 07, 2011, 01:39:54 AM)
I've been waiting quite anxiously for the release of 2.8.2 ever since the security announcement here:
http://www.websitebaker2.org/forum/index.php/topic,20318.0.html
... any word on when a stable and secure version of 2.8.2 will be available?
Thanks!
crnogorac081 (AddOn Development), Reply #1 on January 07, 2011, 02:42:36 AM
Hi,
based on the same post above, I was looking for various solutions to protect WB, my current modules and the modules I am currently working on from CSRF requests.
Since it is announced that a solution will be included in 2.8.2, could you reveal or point to the code for us less patient ones..
If it is not possible, could you please check this:
http://crisp.tweakblogs.net/blog/3928/csrf-protection-with-self-validating-tokens.html
and tell me whether this is a good and safe solution, as I am not experienced enough to judge myself..
cheers
Wow, I coded something myself: PM Messanger Modul, Searchbox with suggestions
testör (Guest), Reply #2 on January 07, 2011, 09:41:05 AM
The latest 2.8.2 RC3
http://www.websitebaker2.org/en/download/latest-version.php
has fixed nearly all known security flaws, except a "complete" CSRF fix. But it's only a matter of weeks until there's a stable 2.8.2 - a (unfortunately German only) blog about securing 2.8.2 is here:
http://wbdemo.heysoft.de/pages/de/wb-core-entwicklung.php
BlackBird (AddOn Development), Reply #3 on January 07, 2011, 11:13:31 AM
As a workaround for older WB releases, you may try sseq-lib.
http://www.erich-kachel.de/?page_id=133
This can secure WB with only two includes. ("Global" index.php and admin/index.php)
To be a bit clearer (as some people don't understand this, see below): This will help to improve the security of older WB installations without having to change each and every file and/or module. With some more work, you can improve the security even more.
See also:
http://www.erich-kachel.de/?p=612
All great changes start small
testör (Guest), Reply #4 on January 07, 2011, 11:45:14 AM
Quote from: BlackBird on January 07, 2011, 11:13:31 AM
As a workaround for older WB releases, you may try sseq-lib.
http://www.erich-kachel.de/?page_id=133
This can secure WB with only two includes. ("Global" index.php and admin/index.php)
No - not if you want to avoid CSRF. You have to include it in every form:
http://www.erich-kachel.de/?p=669
In fact, it's the same as FTAN (/include/class.secureform.php), which is included in the 2.8.2 RCs.
BlackBird (AddOn Development), Reply #5 on January 07, 2011, 11:52:11 AM
Read it again. And again. And if you think you have understood it - read again. Maybe, after some reading, you will ... no, you won't. Forget it.
testör (Guest), Reply #6 on January 07, 2011, 12:34:53 PM
Quote from: BlackBird on January 07, 2011, 11:52:11 AM
Read it again. And again. And if you think you have understood it - read again. Maybe, after some reading, you will ... no, you won't. Forget it.
You haven't understood what CSRF means, have you? It's impossible to secure an installation with two includes - and even Erich Kachel says so many times. But perhaps everybody who secures his/her installations against CSRF has failed and is doing it all the wrong way.
BlackBird (AddOn Development), Reply #7 on January 07, 2011, 01:12:17 PM
No, you didn't understand. Thank you for confirming.
testör (Guest), Reply #8 on January 07, 2011, 01:19:36 PM
Quote from: BlackBird on January 07, 2011, 01:12:17 PM
No, you didn't understand. Thank you for confirming.
Ok. Then let me know how "Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions" from
http://shiflett.org/articles/cross-site-request-forgeries
is possible without touching the "form" HTML code.
Another quote from
http://www.erich-kachel.de/?p=730
(German only, translated): "The security library SSEQ-LIB provides tokens for protection against CSRF, which are built into links and forms and are verified on execution."
Then compare it with
http://project.websitebaker2.org/projects/websitebaker/repository/entry/branches/2.8.x/wb/framework/SecureForm.php
(2.8.2 branch!).
Hans Toolbox, Reply #9 on January 07, 2011, 01:37:00 PM
(German in the original, translated:) Yep, and that's why my users deploy SSEQ-LIB only for modules known to be insecure, until the bugs and other shortcomings have been fixed.
1.) The bugs have to be known in order to be able to "mask" them (SEQ_SANITIZE).
2.) Using SSEQ-LIB really has to be seen as an interim solution until the "actual" problem is fixed, i.e. when it concerns "irreplaceable" modules in production use.
[The insult directed at me was deleted by me; the user was banned by me - kweitzel]
BlackBird (AddOn Development), Reply #10 on January 07, 2011, 01:54:01 PM
(German in the original, translated:) Exactly, Hans, you've got it. Michael doesn't get it.
testör (Guest), Reply #11 on January 07, 2011, 02:04:57 PM
Quote from: BlackBird on January 07, 2011, 01:54:01 PM
(translated:) Exactly, Hans, you've got it. Michael doesn't get it.
I don't have anything against Hans' post, but it's off-topic. The thread is called "2.8.2 release projection" and linked to the CSRF announcement, not "what can I do against a module that I think could be dangerous". I'm quitting writing in this topic, it's hopeless.
crnogorac081 (AddOn Development), Reply #12 on January 07, 2011, 02:16:09 PM
Hi all,
I didn't expect to set off a big discussion here. I reviewed the framework/SecureForm.php file. I see that there is a lot of hard work in there, and I just want an opinion on whether to use FTAN or the script posted at the link in the second post from the top, since I can notice that script is a bit more complex (tokens interact with the database).
Again, to underline that I only want help and an opinion, and not a fight.
And please, write in English so I can follow.
cheers
BlackBird (AddOn Development), Reply #13 on January 07, 2011, 02:23:05 PM
I understand your question. I just wanted to state that there _is_ a way to improve the security of older WB versions while waiting for 2.8.2. Don't know why Michael doesn't get the point.
By the way, sseq-lib uses tokens, too. That's why I mentioned it.
crnogorac081 (AddOn Development), Reply #14 on January 07, 2011, 02:31:45 PM
Yes, but sseq-lib contains a lot of files, and this is only one file.
And is it better if tokens interact with the DB or not? I would really like a professional opinion from all (and not like "this is my script and because of that it is the best..") so we can make WB less vulnerable to potential attacks.
cheers
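Added example (my own illustration, not code from this thread, from SSEQ-LIB, from the article linked in Reply #1, or from WebsiteBaker): the alternative to keeping tokens in a database or session that Reply #1's link calls a "self-validating" token. The token is an HMAC over the session id and an expiry time under a server-side secret, so the server stores nothing per token and verifies by recomputing the MAC. The function names, the secret and the simulated session id are assumptions for this example.

```php
<?php
// Added example: stateless ("self-validating") CSRF token in PHP.
// Not WebsiteBaker, SSEQ-LIB or the linked article's code; function names,
// the secret and the session id below are assumptions for this demo.
// Run from the CLI: php csrf_stateless.php

const CSRF_SECRET = 'replace-with-a-long-random-server-secret';  // assumption: in real use, load from config outside the web root
const CSRF_TTL    = 1800;                                         // token lifetime in seconds

// Token format: "<expiry>:<hmac>" with hmac = HMAC-SHA256(secret, sessionId . ':' . expiry).
// Binding the MAC to the session id makes a token minted in one session useless
// in another; the expiry bounds how long a leaked token can be replayed.
function csrf_token_create(string $sessionId, ?int $now = null): string
{
    $expires = ($now ?? time()) + CSRF_TTL;
    $mac = hash_hmac('sha256', $sessionId . ':' . $expires, CSRF_SECRET);
    return $expires . ':' . $mac;
}

// Verification recomputes the MAC; no DB or session lookup is needed.
function csrf_token_check(string $token, string $sessionId, ?int $now = null): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                                  // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false;                                  // expired
    }
    $expected = hash_hmac('sha256', $sessionId . ':' . $expires, CSRF_SECRET);
    return hash_equals($expected, $mac);               // constant-time comparison
}

// Embed in a form as a hidden field, escaped for the attribute context.
function csrf_hidden_field(string $sessionId): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token_create($sessionId), ENT_QUOTES, 'UTF-8') . '">';
}

// --- constructed demo input: a simulated session id and four submissions ---
$sessionId = 'a1b2c3d4e5f6';                          // assumption: what session_id() would return
$token     = csrf_token_create($sessionId);
$cases = [
    'genuine submission'              => csrf_token_check($token, $sessionId),
    'token replayed in other session' => csrf_token_check($token, 'other-session'),
    'forged token with bogus MAC'     => csrf_token_check('9999999999:' . str_repeat('0', 64), $sessionId),
    'genuine token after expiry'      => csrf_token_check($token, $sessionId, time() + CSRF_TTL + 1),
];
echo csrf_hidden_field($sessionId), "\n";
foreach ($cases as $label => $accepted) {
    printf("%-34s accepted=%s\n", $label, var_export($accepted, true));
}
```

The trade-off against the session-stored FTAN discussed later in the thread: a self-validating token cannot be made single-use without server state, so it remains replayable until it expires, and the scheme is only as strong as the secrecy of CSRF_SECRET; what it buys is no per-token storage and no cleanup.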
testör (Guest), Reply #15 on January 07, 2011, 03:08:03 PM
@Ivan:
Quote from: crnogorac081 on January 07, 2011, 02:31:45 PM
Yes, but sseq-lib contains a lot of files, and this is only one file.
And is it better if tokens interact with the DB or not? I would really like a professional opinion from all (and not like "this is my script and because of that it is the best..") so we can make WB less vulnerable to potential attacks.
cheers
Just use SecureForm.php - you can use it with any WB version you like. Just add / adjust
Code:
require_once(WB_PATH."/framework/SecureForm.php");
class wb extends SecureForm
{
in /framework/class.wb.php and copy SecureForm.php into framework (or wherever you like; you can even make a module if you adjust the require_once).
You don't need some external script that does the very same (and pretends to do something more) but is much more complicated.
WebsiteBaker 2.8.2 is quite secure, but the biggest security flaw is always the server. Just secure your server, then WB is - in most cases - quite safe.
The next thing is - just think. WB is no community portal; you shouldn't give hundreds of people access (any access) whom you don't know personally or who are not trustworthy.
There is no "100% safety" - forget this. 2.8.2 is in RC3 - in most cases - quite safe, and will be (perhaps) a little bit safer. You don't need more safety, because as always - more security, more restrictions.
So you don't need (apart from securing your server, e.g. using a "good" hoster) external scripts. In fact, there are no external scripts you can install and be safe - in any case you have to adjust them. "A little bit more security" they can give you, perhaps - but that's not necessary, because WB has quite a lot of security built in, even more in 2.8.2.
crnogorac081 (AddOn Development), Reply #16 on January 07, 2011, 03:36:51 PM
Quote from: testör on January 07, 2011, 03:08:03 PM
.. WB is no community portal; you shouldn't give hundreds of people access (any access) whom you don't know personally or who are not trustworthy. ..
This is exactly what I am working on.
After a few years of working with WB and understanding its potential, it gives me a good enough basis for a community portal.
crnogorac081 (AddOn Development), Reply #17 on January 07, 2011, 04:08:09 PM
Could someone please post an example of how FTAN works?
DarkViper (Development Team), Reply #18 on January 07, 2011, 04:45:35 PM
It's really easy to use:
Code: (html-form)
<form action="save.php" method="post">
<?php echo $wb->getFTAN(); ?>
<input type="hidden" name="page_id" value="<?php echo $wb->getIDKEY($page_id); ?>">
... all other form elements
</form>
will produce:
Code:
<form action="save.php" method="post">
<input type="hidden" name="f02047c08ab94f9a" value="7c2ec951d34f2f98">
<input type="hidden" name="page_id" value="c08ab94fd34f2f98">
... all other form elements
</form>
Code: (save.php)
<?php
if ($wb->checkFTAN()) {
    // checkIDKEY('page_id') resolves the submitted key back to the original value;
    // it returns 0 when the field is missing or the key is unknown (see Reply #20)
    $page_id = $wb->checkIDKEY('page_id');
    if ($page_id != 0) {
        // ... save record
    } else {
        // ... IDKEY check failed, insert error handler
    }
} else {
    // ... FTAN check failed, insert error handler
}
?>
More info about IDKEY can be found in the inline docs of the SecureForm class... and a bit later in the Dev-Manual (2.9.x).
Reading manuals and thinking for yourself is exhausting... So I'd rather let others think for me...
In 1984: Nineteen Eighty-Four is an unrealistic utopia!!
In 2012: Nineteen Eighty-Four is only a little piece of our reality!!
crnogorac081 (AddOn Development), Reply #19 on January 07, 2011, 10:46:10 PM
I tested it, and it will not work if I have multiple forms on one page.
With one form on the page it looks ok..
Has anyone experienced this before?
EDIT: maybe this could be solved by creating an FTAN table in the DB and storing FTANs there?
cheers
DarkViper (Development Team), Reply #20 on January 08, 2011, 01:27:44 AM
FTAN: only one can exist at a time. This doesn't matter, because you can only submit one form at once.
Each further call of getFTAN will replace the FTAN generated by the previous call.
IDKEY: you can create as many as you want. It can hide an INTEGER or a STRING or complete ARRAYS as well. But NO objects.
The default is: check $_POST for an INTEGER and return 0 on error.
You can also set it to: check $_GET for a STRING and return 'f*** me' on error.
The call for that is:
$result = checkIDKEY( 'field_name', 'f***_me', 'GET' );
Both FTAN and IDKEY can be checked only once. After the check it is destroyed immediately, to prevent browser reloads and so on.
If you have more than one form on a page, then use the following:
Code:
<?php $ftan = $wb->getFTAN(); ?>
<form action="save0.php" method="post">
<?php echo $ftan; ?>
<input type="hidden" name="page_id" value="<?php echo $wb->getIDKEY($page_id); ?>">
... all other form elements
</form>
<form action="save1.php" method="post">
<?php echo $ftan; ?>
<input type="hidden" name="user_id" value="<?php echo $wb->getIDKEY($user_id); ?>">
... all other form elements
</form>
(It's easier to handle with a template engine; only one placeholder is required.)
Code: (save0.php)
<?php
if ($wb->checkFTAN()) {
    $page_id = $wb->checkIDKEY('page_id');   // original value, or 0 on error
    if ($page_id != 0) {
        // ... save record
    } else {
        // ... IDKEY check failed, insert error handler
    }
} else {
    // ... FTAN check failed, insert error handler
}
// at the end you can clear the IDKEY buffer
$wb->clearIDKEY();
?>
Code: (save1.php)
<?php
if ($wb->checkFTAN()) {
    $user_id = $wb->checkIDKEY('user_id');   // original value, or 0 on error
    if ($user_id != 0) {
        // ... save record
    } else {
        // ... IDKEY check failed, insert error handler
    }
} else {
    // ... FTAN check failed, insert error handler
}
?>
In some of the recoded backend modules (2.9.0) you can see how we handle that.
hope it helps
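To make the single-FTAN / many-IDKEY behaviour described in this reply concrete, here is an added, self-contained PHP model of that scheme. It is my own illustration, not the SecureForm.php shipped with WebsiteBaker 2.8.2 (whose internals differ): one FTAN and a map of IDKEYs live in the session, both are consumed on check, and the script replays the two-form page and handler from this reply, a reload of the same request, and the pitfall behind Reply #19 (getFTAN() called once per form). The method names mirror the thread; the class name, helper names, the sample ids and the use of $_SESSION as a plain array (so it runs from the CLI without session_start()) are assumptions.

```php
<?php
// Added illustration of the FTAN/IDKEY scheme described in this thread.
// This is NOT the SecureForm.php shipped with WebsiteBaker 2.8.2 (whose
// internals differ); method names mirror the thread, everything else is an
// assumption for the demo. $_SESSION is used as a plain array (no
// session_start()), so "page" and "handler" run in one CLI process:
//   php ftan_demo.php

class DemoSecureForm
{
    private const HEX_LEN = 16;   // length of generated field names and keys

    private function randomHex(): string
    {
        return bin2hex(random_bytes(self::HEX_LEN / 2));
    }

    // One FTAN per session: each call replaces the previous one, so fetch it
    // once and reuse the same markup in every form on the page.
    public function getFTAN(): string
    {
        $_SESSION['ftan'] = ['name' => $this->randomHex(), 'value' => $this->randomHex()];
        return '<input type="hidden" name="' . $_SESSION['ftan']['name']
            . '" value="' . $_SESSION['ftan']['value'] . '">';
    }

    // Valid exactly once: the stored FTAN is discarded whether or not the
    // check passes, so a reload or a second POST of the same form fails.
    public function checkFTAN(string $request = 'POST'): bool
    {
        $src  = ($request === 'GET') ? $_GET : $_POST;
        $ftan = $_SESSION['ftan'] ?? null;
        unset($_SESSION['ftan']);
        if ($ftan === null || !isset($src[$ftan['name']])) {
            return false;
        }
        return hash_equals($ftan['value'], (string) $src[$ftan['name']]);
    }

    // Hide an int, string or array behind a random key kept in the session.
    // Two calls with the same value still produce two distinct keys.
    public function getIDKEY($value): string
    {
        do {
            $key = $this->randomHex();
        } while (isset($_SESSION['idkeys'][$key]));
        $_SESSION['idkeys'][$key] = $value;
        return $key;
    }

    // Map the submitted key back to the original value and consume the key.
    // Returns $default (0) if the field is absent or the key is unknown.
    public function checkIDKEY(string $field, $default = 0, string $request = 'POST')
    {
        $src = ($request === 'GET') ? $_GET : $_POST;
        $key = $src[$field] ?? null;
        if (!is_string($key) || !isset($_SESSION['idkeys'][$key])) {
            return $default;
        }
        $value = $_SESSION['idkeys'][$key];
        unset($_SESSION['idkeys'][$key]);
        return $value;
    }

    public function clearIDKEY(): void
    {
        $_SESSION['idkeys'] = [];
    }
}

// Turn the FTAN markup into the POST fields a browser would send (constructed request).
function ftanAsPostFields(string $ftanHtml): array
{
    preg_match('/name="([0-9a-f]+)" value="([0-9a-f]+)"/', $ftanHtml, $m);
    return [$m[1] => $m[2]];
}

$_SESSION = [];
$wb = new DemoSecureForm();

// Page side, as in this reply: one getFTAN() call shared by two forms.
$ftan    = $wb->getFTAN();
$pageKey = $wb->getIDKEY(42);          // the real page_id 42 never reaches the browser
$userKey = $wb->getIDKEY(7);
printf("form0: %s page_id=%s\nform1: %s user_id=%s\n", $ftan, $pageKey, $ftan, $userKey);

// Handler side (save0.php): the browser submits form 0.
$_POST  = ftanAsPostFields($ftan) + ['page_id' => $pageKey];
$ok     = $wb->checkFTAN();
$pageId = $ok ? $wb->checkIDKEY('page_id') : 0;
printf("first submit:    ftan=%s page_id=%s\n", var_export($ok, true), var_export($pageId, true));

// Same request sent again (browser reload): both FTAN and IDKEY are consumed.
printf("replayed submit: ftan=%s page_id=%s\n",
    var_export($wb->checkFTAN(), true), var_export($wb->checkIDKEY('page_id'), true));

// The pitfall behind Reply #19: getFTAN() called once per form, then the
// first form is submitted. Only the last generated FTAN is still in the session.
$_SESSION = [];
$first = $wb->getFTAN();
$wb->getFTAN();                        // replaces $first
$_POST = ftanAsPostFields($first);
printf("first form after two getFTAN() calls: ftan=%s\n", var_export($wb->checkFTAN(), true));
```

Two design points worth noting: the IDKEY indirection means a forged request cannot name a record by guessing its numeric id, since only keys minted for that session resolve, and consuming both FTAN and IDKEY on check gives replay protection that the stateless token from the earlier example cannot, at the cost of one submission per page render and a session that grows until clearIDKEY() is called.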
crnogorac081 (AddOn Development), Reply #21 on January 08, 2011, 02:13:07 AM
Thanks mate,
I am having a bit of a complex issue here, as I have multiple forms, which are submitted to the SELF page:
Code:
<!-- form 1 -->
<!-- $_SERVER['PHP_SELF'] can carry attacker-controlled path info, so it is escaped before use in the action attribute -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
<?php echo $ftan; ?>
<input type="hidden" name="page_id" value="<?php echo $wb->getIDKEY($page_id); ?>">
... all other form elements
<input type="hidden" name="type" value="upload" />
</form>
<!-- form 2 -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
<?php echo $ftan; ?>
<input type="hidden" name="page_id" value="<?php echo $wb->getIDKEY($page_id); ?>">
... all other form elements
<input type="hidden" name="type" value="personal" />
</form>
<!-- form 3 -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
<?php echo $ftan; ?>
<input type="hidden" name="page_id" value="<?php echo $wb->getIDKEY($page_id); ?>">
... all other form elements
<input type="hidden" name="type" value="business" />
</form>
So I have a switch, and based on type (upload, personal, business) I choose what to save.
Now, I have another question: in $wb->getIDKEY($page_id), can I use $wb->getIDKEY(rand(1,1000)), and what if I have 2 identical values for different fields like:
Code:
<input type="hidden" name="id-1" value="<?php echo $wb->getIDKEY('1'); ?>">
and
<input type="hidden" name="id-2" value="<?php echo $wb->getIDKEY('1'); ?>">
Will it work without problems? And is there a limit on how many digits a number can have?
cheers
DarkViper (Development Team), Reply #22 on January 08, 2011, 02:45:12 AM
That's no problem. The original value is saved untouched on the server. The IDKEY is only like a variable name. It is not possible to get two identical IDKEYs.
How many can you store? A lot..
The keys are stored as a two-dimensional, dynamic array in the session.
crnogorac081 (AddOn Development), Reply #23 on January 08, 2011, 02:49:49 AM
I just broke my brain before I figured out that in this code
Code:
<?php
if ($wb->checkFTAN()) {
    $user_id = $wb->checkIDKEY('user_id');   // original value, or 0 on error
    if ($user_id != 0) {
        // ... save record
    } else {
        // ... IDKEY check failed, insert error handler
    }
} else {
    // ... FTAN check failed, insert error handler
}
?>
I never passed $wb->checkFTAN(), because I had <?php echo $ftan; ?> called in two forms.
DarkViper (Development Team), Reply #24 on January 08, 2011, 04:13:48 AM
Nobody is perfect... and it's late at night...
I guess you forgot
Code:
<?php
$ftan = $wb->getFTAN();
?>
before you defined the forms...