Multiple tabs patch for 2.8.2

[NorHei]

Btw. here is the German thread:
http://www.websitebaker2.org/forum/index.php/topic,21560.0.html

This is not exactly a Module, but a core replacement.

Some pepole started complaining about a problem whith 2.8.2 RC5 and 2.8.2 SVN.
It was impossible to have multiple instances(in different browser tabs) of your backend and still be able to save that forms whitout getting a "Security Alert".

So some pepole started a discussion on how to remove the CSRF protection that was responsible for this problem. As removing a impotant security function like CSRF protection is one of the worst things you can do to a CMS, i decided to offer a replacement.

The patch is based on :
http://stackoverflow.com/questions/2695153/php-csrf-how-to-make-it-works-in-all-tabs/2695291#2695291
(Thx to BlackBird for the link)

Any forms you open will stay valid as long as you do not close it and as long as the timeout or your session(logout) won't run out. It has refined fingerprinting, a more precise IP detection and adds the possibility to configure the Class for special cases.(set timeout, fingerprinting on/off, check IP on/off... )

Just download the file and replace the original:
/framework/SecureForm.php

That should do the job. As this is a alpha version i added  the old(original) SecureForm.php to the package for easy recovery if something goes wrong.

The basic version schould be plug and play but if you need to do some additional configuration you can add the following lines to your config.php or or just uncomment the lines inside of SecureForm.php.

Code:

# Secret can contain anything its the base for the secret part for the hash
#define ('WB_SECFORM_SECRET','whatever you like');
# shall we use fingerprinting true/false
#define ('WB_SECFORM_USEFP', true);
# Timeout till the form token times out. Integer value between 0-86400 seconds (one day)    
#define ('WB_SECFORM_TIMEOUT', 3600);  
# Name for the token form element only alphanumerical string allowed that starts whith a charakter
#define ('WB_SECFORM_TOKENNAME','my3form3');
# how many blocks of the IP should be used in fingerprint 0=no ipcheck, possible values 0-4
#define ('WB_SECFORM_USEIP',2);

Whith version 0.3.1 i just added a line to avoid direct execution of this file.
Version 0.3.2 has a few small changes in how randomfunctions are used.
Version 0.3.3 was necessary as forgot to take enough care for the IDKEY system although included in this file .
Version 0.3.4  removed a PHP notice message in chase on an attack.
Version 0.3.5  removed problems whith the PHP Suhosin patch and srand() function.
Version 0.3.6  fixes a small problme whith some changes in recent SVN version (missing function)

[Argos]

Seems to work fine with WB 2.8.2.RC5 Revision 1394! That is, multible tabs/forms are no problem anymore. I cannot say anything about the security aspects, but if this means that WB is secured, yet has the old usability, than I can only say: great!

[Stefek]

Thanks Norbert.

If this works fine, than I think it should be implemented to the core?
Somebody else with the same thouthgs?

Regards,
Stefek

[NorHei]

I am pretty sure this will not go into the core, i already discussed this issue whith Viper

Thats the reason why i wrote a complete replacement instead of simply offer a small patch.
Its more easy to simply replace a file ...

[Stefek]

What is the reason of not doing it?
What he said?
As far as I see, this whole issue will be handled in a completly different manner in 2.9x

Stefek

[NorHei]

Why its rejected ... hmmm basically security issues i do not agree whith and somehow it feels slightly like 2.8.2 is a child the devs never wanted.

Considering 2.9 ,there will be a different FTAN system thats tied to purpose of a form  or maybe the Form itself (as fas as i got the point). So only a few Forms may collide(very rare) and open the same form twice is still not possible.

Form my point of view the concept i use in this patch is a very good and option to avoid al the annoying issues of the  original version while still keeping the same amount of security , but i am open for discussion.

If security turns out to be weak i will replace it whith an extended version of the original class that allows to manage multiple FTANS so you can have a configurable amount of open Tabs. But the solution from stackoverflow.com seamed to be the more clean, stable and secure one to me and it came whith absolutely no annoyance.

[NorHei]

New Version 0.3.2

http://www.websitebaker2.org/forum/index.php/topic,21527.msg144966.html#msg144966

[Stefek]

I am pretty sure this will not go into the core, i already discussed this issue whith Viper

This makes absolutley no sense to me.
Mostly becuase of the fact that the 2.8x branch is going to be officialy closed after 2.8.2

Stefek

[NorHei]

Pretty busy atm. Opening german thread  today evening.

Got a good idea whats, wrong looking after that this evening too.

cu later

[Argos]

PLEASE post summaries in English as well. There are already too many German threads about core and other important (development) issues already.

[pcwacht]

PLEASE post summaries in English as well. There are already too many German threads about core and other important (development) issues already.

Second this!

Quote from: NorHei on 13-05-2011, 12:16:30
I am pretty sure this will not go into the core, i already discussed this issue whith Viper 

This makes absolutley no sense to me.

Makes absolutly no sense to me too, unless wb29 is ready, since this is not the case, every thing wich makes wb28 better or more secure or more stable SHOULD get there!

Mostly becuase of the fact that the 2.8x branch is going to be officialy closed after 2.8.2

Say what?
Hmmm, think community has some saying in this matter or am I missing a point?

John

PS @Norhei, thanks for investigating time and efforts to make wb better, allmost forgot you

[NorHei]

PLEASE post summaries in English as well.

no Problem 

[NorHei]

Version 0.3.3 was necessary as forgot to take enough care for the IDKEY system although included in this file .


http://www.websitebaker2.org/forum/index.php/topic,21527

[Argos]

I found that the patch doesn't seem to work on another site I tested it on. This is on a different server, with probably differemt PHP settings. I will send links to info.php to NorHei.

[NorHei]

New Version fixes a useless php notice in case of an attack.

http://www.websitebaker2.org/forum/index.php/topic,21560.0.html

@Argos where are you , recieved no more feedback from you.

[NorHei]

There will be an solution for this problem in the official 2.8.2 Release. But its completely uncertain if it will be a simple Switch, my solution or maybe something completely different. 
In addition to that  may happen that this solution is delivered as a  Patch after the official Release of 2.8.2. Noone here want's to wait any longer for a secure WB Version.

This is a more or less official statement as i wrote this down right after discussing this issue on skype whith Viper and Luisehahne.

[Argos]

@Argos where are you , recieved no more feedback from you.

I'm sorry, did I miss something? I tought I had given feedback. I'll check out mails and PM, to see if I forgot something. Been really busy lately...

[NorHei]

Thx to Argos, who allowed me to access his server, i found the problem .

Kommentary from PHP Manual concerning srand():

Keep in mind that the Suhosin patch which is installed by default on many PHP-installs such as Debian and DirectAdmin completely disables the srand and mt_srand functions for encryption security reasons. To generate reproducible random numbers from a fixed seed on a Suhosin-hardened server you will need to include your own pseudorandom generator code.

The New version of the patch now takes care of this problem:
http://www.websitebaker2.org/forum/index.php/topic,21527.msg144966.html#msg144966

[BlackBird]

I am pretty sure this will not go into the core, i already discussed this issue whith Viper

This makes absolutley no sense to me.

Of course not. It simply makes no sense.

[NorHei]

New Version

There was a new function added in latest SVN. This patch schould fix the problem where the program is looking for that missing function.

Please test.


http://www.websitebaker2.org/forum/index.php/topic,21527.0.html

[NorHei]

Ok, the Patch made it into the official Release of 2.8.2 so no patching needed anymore.

I wanna say thank you to all who helped whith testing and asking the Core Team to add the Patch.

Special Thanks go to Werner who integrated it into the core , and to Dietmar and Michael as they produced the admintool to switch between both versions.

This thread is now the Official support thread , as i continue to maintain the patch as long as its needed . (Whith 2.9 there will be no more need for it.)

[Stefek]

Thanks to all contributors... Thanks Norbert.
I still hate FTANs, so this Patch Feature comes in really handy.

Regards,
Stefek

[NorHei]

Please dont hate em its a necessary feature to avoid CSRF attacks. And the Patch only uses a different way to generate em.