
Now Viewing: Password

Anti_Gendou - Group: Moderator - Total Posts: 4382
Posted on: 02/11/12 12:00AM

I guess as Gelbooru has gotten large... those problems are becoming a reality.

In fact, I guess they've already happened a few times here.

I just never thought of Gelbooru as being a glorious conquest. Still, occasionally people come here claiming to be launching anon raids. Even if it is just one person most of the time.

As if anonymous actually raids anymore.



terabyte151 - Group: - Total Posts: 13
Posted on: 02/13/12 12:02PM

Would help if cookies were also marked httponly, to help guard against cookie hijacking via XSS.



anonsauce - Group: Member - Total Posts: 3
Posted on: 02/13/12 08:18PM

No matter the security needs of the site, storing a user's hashed password as a cookie is a terrible idea. Session keys are incredibly easy to code: just make a unique key with md5(time()), store it in the db & as a cookie, and match the cookie to the db on every request. For bonus points, also store a session timeout in the db that's the same as the cookie's expire time, to avoid hijacking of old sessions. There's really no reason not to take basic security measures like this.



interneth86machine - Group: Member - Total Posts: 192
Posted on: 02/13/12 09:07PM

Even with huge security flaws like this that need to be patched, the next version of gelbooru is still a ways off.




Dc_Brim - Group: Member - Total Posts: 1
Posted on: 02/16/12 10:21AM

Dolljoints said:
A troll might consider it worth doing, if they could do it easily. People might not appreciate being perma-banned and having to come back with a different identity. Mod accounts are worth more internet points, and there are at least 14 of those to choose from, including mods in training. Do any of them use Gelbooru from their mobile phone?

Gelbooru uses two cookies for authentication - user_id and pass_hash. The password hash is the same every time you log in, and the cookies are sent as plaintext to the server on every HTTP request you make while logged in, so all an attacker needs to do is sniff one request and they can impersonate you to the server until you change your password, which many people can't do because they didn't enter an email.

The server could instead assign a random session password and save that until the user logged out or logged in again; then stolen cookies would at least only work for the duration of the session.

Better yet, the server could use https, which people have found to be cost-effective on modern computer hardware (e.g. www.imperialviolet.org/2010/06/25/overclocking-ssl.html ) and which would also prevent your ISP from snooping on your Gelbooru surfing. Mod and admin sessions at least should be forced to https, with the secure attribute set on the cookie so it won't be sent via unsecured http.

[edit] Bonus link: blogs.wsj.com/digits/2010...0-gawker-media-passwords/


Thank you so much for explaining everything so well. Now all trolls who might not have known how to do it will definitely do it! I'm sure all users who have their accounts attacked now will be oh so grateful for brilliant Professor Dumbjoints!
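The server-side session scheme sketched in this thread (anonsauce's random key stored in the DB and matched on every request with an expiry that mirrors the cookie, terabyte151's HttpOnly flag, and the Secure flag and per-login session password from the quoted post), written out as an added example. This is not Gelbooru's code; it assumes a dict standing in for the sessions table, an injectable clock so expiry can be exercised, and a 24-hour lifetime. It uses secrets.token_hex rather than md5(time()) because a key derived from the login time is guessable, and it stores only a SHA-256 of the key so a dump of the sessions table does not yield working cookies.

```python
"""Random server-side session keys instead of a password hash in the cookie.

Added example (not Gelbooru's code). Assumed: an in-memory dict stands in for
the sessions table; the clock is injectable for testing; 24-hour lifetime.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SESSION_LIFETIME = 24 * 3600  # seconds; assumed value


@dataclass
class Session:
    user_id: int
    expires_at: float


def _key_id(key: str) -> str:
    """Lookup id for a key: the DB holds a hash, never the cookie value itself."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


class SessionStore:
    """Maps random session keys to users; the password hash never leaves the server."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: int) -> Tuple[str, str]:
        """Create a fresh session and return (cookie value, Set-Cookie header value)."""
        key = secrets.token_hex(32)  # 256 bits from the OS CSPRNG, not md5(time())
        expires_at = self._clock() + SESSION_LIFETIME
        self._sessions[_key_id(key)] = Session(user_id, expires_at)
        # Same expiry in the DB and on the cookie, as suggested in the thread.
        # HttpOnly keeps page scripts from reading it (XSS), Secure keeps it
        # off plain http, so a sniffed request no longer carries a credential.
        cookie = (f"session={key}; Max-Age={SESSION_LIFETIME}; "
                  "HttpOnly; Secure; SameSite=Lax; Path=/")
        return key, cookie

    def user_for(self, key: str) -> Optional[int]:
        """Resolve a cookie value to a user id, or None if unknown or expired."""
        key_id = _key_id(key)
        session = self._sessions.get(key_id)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            # Expired: drop it so an old stolen cookie cannot be replayed.
            del self._sessions[key_id]
            return None
        return session.user_id

    def logout(self, key: str) -> None:
        """Invalidate one session (the user clicked log out)."""
        self._sessions.pop(_key_id(key), None)

    def logout_all(self, user_id: int) -> int:
        """Invalidate every session of a user, e.g. after a password change."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    key, set_cookie = store.login(42)
    print("Set-Cookie:", set_cookie)
    print("resolved user:", store.user_for(key))
```

Logging in twice gives two independent keys, so revoking one session (or all of a user's sessions after a password change) does not depend on the password hash at all, which is the property the cookie-stored hash lacks.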



interneth86machine - Group: Member - Total Posts: 192
Posted on: 02/16/12 10:34AM

Thank you so much for explaining everything so well. Now all trolls who might not have known how to do it will definitely do it! I'm sure all users who have their accounts attacked now will be oh so grateful for brilliant Professor Dumbjoints!


Anyone that would want to do that would already know this. It's pretty damn simple stuff: Password in cookie, get cookie.

Don't get your panties in a jumble because you don't know what's going on.



terabyte151 - Group: - Total Posts: 13
Posted on: 02/18/12 01:49PM

agreeing with interneth86machine - it's very basic.

think this needs to be linked: www.owasp.org/index.php/Cheat_Sheets - Security cheat sheets by the "Open Web Application Security Project". Plenty of valuable information there to sift through and check against.

also, for good password hashing, crypt() ftw.
php.net/manual/en/function.crypt.php

personally I prefer hashing using $6$rounds=6000$somecrazylongsalthere$
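A salted, iterated password hash with a self-describing hash string, as an added example that is not Gelbooru's code. PHP's crypt() with a "$6$rounds=N$salt$" prefix is SHA-512-crypt; Python's standard library has no portable implementation of that exact scheme, so this uses PBKDF2-HMAC-SHA512 from hashlib instead, keeping the same ideas: a random per-user salt, a tunable work factor stored next to the hash, and a check that lets old hashes be upgraded at the next login. The "$pbkdf2-sha512$" format, the 16-byte salt, and the default round count are assumptions of this example.

```python
"""Salted, iterated password hashing in the style of crypt()'s $6$rounds=N$ scheme.

Added example (not Gelbooru's code). Substitutes PBKDF2-HMAC-SHA512 for
SHA-512-crypt; the hash-string format and round count are assumed values.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SCHEME = "pbkdf2-sha512"
DEFAULT_ROUNDS = 200_000  # assumed; raise as hardware gets faster


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return "$pbkdf2-sha512$<rounds>$<salt hex>$<digest hex>"."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"${SCHEME}${rounds}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    """Split a stored hash into (rounds, salt, digest hex); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        return None
    try:
        return int(parts[2]), bytes.fromhex(parts[3]), parts[4]
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    rounds, salt, digest_hex = parsed
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(stored: str, rounds: int = DEFAULT_ROUNDS) -> bool:
    """True if the hash uses an unknown scheme or fewer rounds than current policy."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < rounds


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h)
    print("verify ok:", verify_password("correct horse battery staple", h))
    print("verify wrong:", verify_password("hunter2", h))
```

Because the rounds are recorded in the string, the site can raise the work factor later and call needs_rehash() after each successful login to re-hash old entries with the new setting, which is the same upgrade path crypt()'s prefix format allows.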



Deusexcalamus - Group: Moderator - Total Posts: 1169
Posted on: 02/18/12 03:57PM

This thread has long since served its purpose and should have been closed a long time ago.




