[pmwiki-users] UserAuth2 authentication problem

ThomasP pmwikidev at sigproc.de
Mon Dec 3 09:07:46 CST 2007


> On Dec 3, 2007 8:27 AM, ThomasP <pmwikidev at sigproc.de> wrote:
>
>> Hi,
>>
>> > On Dec 3, 2007 7:15 AM, ThomasP <pmwiki at sigproc.de> wrote:
>> >
>> >> The error message refers (exclusively) to the case when characters are
>> >> discovered in the request variables that could be used for cross-site
>> >> scripting attacks, i.e. the HTML special chars < > &
>> >>
>> >> (cf. functions isSecure and fetchRequestVariables in userauth2.php and
>> >> userauth2-admintool.php, resp.).
>> >>
>> >> It is a bit strange how such bad input could arise in your special case,
>> >> since generally no password is transmitted in the request variables. (That
>> >> would have been a likely suspect, as all other data is usually "clean".)
>> >>
>> >> What we can do to dig into the problem is the following:
>> >>
>> >> In userauth2.php:
>> >>
>> >> place "return true;" as the first line in isSecure(..).
>> >>
>> >> In userauth2/userauth2-admintool.php:
>> >>
>> >> place code like
>> >>
>> >> foreach($_REQUEST as $k => $v) {
>> >>  echo htmlspecialchars("$k => $v")." <br>\n";
>> >> }
>> >>
>> >> before fetchRequestVariables(...), about line 202, and let's see what we
>> >> get. (Will additionally produce some error "Could not set session cookie"
>> >> - that's normal.)
>> >>
>> >> ThomasP
>> >>
>> >
>> > Thanks for helping, Thomas.
>> >
>> > By merely changing the line in userauth2.php, I can now access the admin
>> > panel, so apparently that is it.
>> >
>> > This is what it outputs at the top:
>> >
>> > action => admin
>> > comment_author_email_7a54e626318c61b14297179ac4d8d604 => ve4grm at gmail.com
>> > dbx-postmeta => grabit:0 |1-|2-|3-|4-|5-|6-&advancedstuff:0-|1-|2-
>> > __utma => 210116807.2031531056.1194833528.1196647815.1196657459.89
>> > __utmz => 210116807.1196273473.74.10.utmccn=(referral)|utmcsr=74.220.207.109:2082|utmcct=/awstats.pl|utmcmd=referral
>> > comment_author_7a54e626318c61b14297179ac4d8d604 => ve4grm
>> > __utmc => 210116807
>> > dbx-pagemeta => grabit:0-|1-|2-|3-|4 |5-|6-&advancedstuff:0-
>> > wordpress_test_cookie => WP Cookie check
>> > wordpressuser_7a54e626318c61b14297179ac4d8d604 => ve4grm
>> > wordpresspass_7a54e626318c61b14297179ac4d8d604 => 336405dc3d5ada22ccc3e26361c25708
>> > PHPSESSID => 86ce2b7e48ade35b770d3c3008f59722
>> > tz_offset => -21600
>> > PHPSESSIDF50597B6B51A4E9376AC9B8BD5700AF7 => fddf7eaeabf323b9abb88f9a9d328183
>> >
>> > There is a WordPress installation in the root directory, and PmWiki is in a
>> > subdirectory.  It looks like the cookies are conflicting, I suppose?
>> >
>> > Graham
>> >
>>
>> Well, it is surely not yet the final solution, as giving up the security
>> for functioning would not really seem an option to me. And the
>> isSecure() function is indeed the one and only blocker against tag attacks
>> - later code tests only on a logical level.
>>
>> One way that fits your case and preserves the security will be just to
>> move the code
>>
>>    if (!isSecure($key) || !isSecure($value)) {
>>      PrintAdminToolPageAndExit( $pagename, $InsecureInputFmt );
>>    }
>>
>> in fetchRequestVariables() directly below
>>
>> if (isset($AllowedReqVarValuesRegExp[$key])) { // line 154?
>>
>> and (second copy) below
>>
>> if (preg_match("/^$allowed_key$/", $key, $matches)) { //line 162?
>>
>> This way only userauth2 relevant request array keys that have the
>> potential to be captured are checked for bad characters.
>>
>> I will upgrade the 2.1-beta0 version, but if you could build it into your
>> version and test it that would be great.
>>
>> Thomas
>>
>
> Thanks for the quick replies.  The fix works perfectly, as far as I can
> tell.
>
> I never intended to stay with the security off, but for the moment it is a
> private wiki, so it would have sufficed.
>
> Thanks again,
>
> Graham
>

Ok,

I will put it in in future versions.

Thomas

BTW: I think you got a load of the same emails from me. I had wondered why I
did not see my own mails on the list, and had supposed a list restriction
due to a wrong sending address (have changed my setup recently), therefore
trying other "from" addresses.
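A worked illustration of the fix discussed in this thread, added here as an example; it is not code from userauth2 or PmWiki. It contrasts a blanket scan of $_REQUEST (every key and value must pass isSecure, the behaviour that locked Graham out) with a scan applied only after a key has matched the recipe's whitelist, which is what moving the isSecure() check below the allowed-key tests achieves. In PHP, $_REQUEST merges GET, POST and (depending on request_order/variables_order) cookie data, which is why a foreign WordPress cookie such as the dbx-postmeta value in the dump above, which contains an ampersand, is enough to trip a check for < > &. The names isSecure and fetchRequestVariables are taken from the thread; the $AllowedReqVarValuesRegExp contents, the regexps, the return shape and the constructed request are assumptions made for the example.

```php
<?php
// Added example, not userauth2's own code.

// What the thread says isSecure() rejects: the HTML special chars < > &.
function isSecure($s) {
    return !preg_match('/[<>&]/', (string)$s);
}

// Hypothetical whitelist in the spirit of $AllowedReqVarValuesRegExp
// (the real userauth2 tables are not reproduced here).
$AllowedReqVarValuesRegExp = array(
    'action'   => '/^[a-z]+$/',
    'username' => '/^[A-Za-z0-9_.-]{1,64}$/',
);

// "Before": reject the whole request if ANY key or value contains < > &,
// including parameters and cookies the recipe never uses.
function fetchRequestVariablesBlanket(array $request) {
    foreach ($request as $key => $value) {
        if (!isSecure($key) || !isSecure($value)) {
            return array('error' => "insecure input in '$key'", 'vars' => null);
        }
    }
    return array('error' => null, 'vars' => $request);
}

// "After", as proposed in the thread: match the key against the whitelist
// first, and only then check it for bad characters and an allowed value.
function fetchRequestVariablesScoped(array $request, array $allowed) {
    $vars = array();
    foreach ($request as $key => $value) {
        if (!isset($allowed[$key])) {
            continue;   // foreign cookie or parameter: ignored, not validated
        }
        if (!isSecure($key) || !isSecure($value)) {
            return array('error' => "insecure input in '$key'", 'vars' => null);
        }
        if (!preg_match($allowed[$key], (string)$value)) {
            return array('error' => "value of '$key' not allowed", 'vars' => null);
        }
        $vars[$key] = $value;
    }
    return array('error' => null, 'vars' => $vars);
}

// Constructed request modelled on the dump in the thread (values shortened).
// The WordPress dbx-postmeta cookie carries an '&', which isSecure() rejects.
$request = array(
    'action'       => 'admin',
    'dbx-postmeta' => 'grabit:0-|1-|2-&advancedstuff:0-',
    'username'     => 've4grm',
);

// Blanket scan: the unrelated cookie blocks the admin tool entirely.
$r = fetchRequestVariablesBlanket($request);
echo "blanket: ", ($r['error'] === null ? 'ok' : $r['error']), "\n";

// Scoped scan: only the recipe's own keys are examined, the cookie is skipped.
$r = fetchRequestVariablesScoped($request, $AllowedReqVarValuesRegExp);
echo "scoped:  ", ($r['error'] === null ? 'ok' : $r['error']),
     " ", json_encode($r['vars']), "\n";

// A tag injection attempt on a key the recipe DOES consume is still refused,
// so the protection the thread wants to keep is preserved.
$r = fetchRequestVariablesScoped(array('username' => '<script>'),
                                 $AllowedReqVarValuesRegExp);
echo "attack:  ", $r['error'], "\n";
```

The design point is that the scoped version validates exactly the inputs it will act on and ignores the rest, so a neighbouring application's cookies cannot cause a denial of service, while anything that reaches the recipe's own variables still has to pass both the character check and the per-key pattern.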
