Tech Off Thread

6 posts

Security concerns over popular forum management software / IE7 needs to step up
  • Bugslayer

    I have noticed a number of installations of a particular forum management software product that does not secure the user registration or login.

    User beware!  NEVER, EVER, EVER reuse an important user name or password.

    Discussion

    Registration

    This is the HTML of the registration page that submits the user credentials to the server.

    <form action="http://www.XXXXX.net/XXXXXX/index.php" method="post" name="REG" onsubmit="return Validate()" ID="Form1">
    <input type="hidden" name="act" value="Reg" ID="Hidden1"/>
    <input type="hidden" name="termsread" value="1" ID="Hidden2"/>

    Truncated for brevity

    Login

    On the front page of the forum there are two methods to log in.

    1. The Welcome Guest banner
    2. The Welcome back banner

    #1 Clicking ‘Log In’ brings up an insecure form...

    <form action="http://www.XXXX.net/XXXXXX/index.php?act=Login&amp;CODE=01" method="post" name="LOGIN" onsubmit="return ValidateForm()" ID="Form1">
          <input type="hidden" name="referer" value="http://XXXX.net/XXXXX/index.php" ID="Hidden1"/>
          <div class="borderwrap">

    Truncated for brevity

    #2 This is the HTML of the banner login (next to the ‘Go’ button):

    <form action="http://www.XXXXX.net/XXXXX/index.php?s=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&amp;act=Login&amp;CODE=01&amp;CookieDate=1" method="post" ID="Form2">
          <input type="text" size="20" name="UserName" onfocus="this.value=''" value="User Name" ID="Text2"/>
          <input type="password" size="20" name="PassWord" onfocus="this.value=''" value="ibfrules" ID="Password2"/>
          <input class="button" type="image" src="style_images/ipb_skin/login-button.gif" ID="Image1" NAME="Image1"/>
    </form>

    Security

    Notice that in all three cases the action= of the form is to post to an http:// protocol URL.  This causes the contents of the input controls to be sent as clear text across the web to the runehq.net server-side validation process.

    This must be changed to prevent man-in-the-middle attacks, credential snooping, and runehq falling prey to an impersonation attack.

    This software needs to post user credentials across an https:// protocol (so the data is contained in an SSL encrypted stream).

    While it is possible to change the action= of the form to point to an https:// URL to secure the posting, there are security risks associated with including a secure form on a non-secured (http://) page.

    To be completely secure, a login web page must be delivered to the browser over an https:// protocol.

    Here’s why…  A man-in-the-middle attack can inject code onto a web page that changes the page via a JavaScript injection.   These attacks typically change the onsubmit= to point to a piece of JavaScript code that can post the credentials to a rogue site and then to the intended site.  Delivering the page via SSL prevents this injection.

    Because the SSL overhead is significant, login web pages should be as light-weight as possible (no sense encrypting huge bitmaps, etc.) to keep the performance impact to a minimum.

    I don't want to rehash the argument, but I would give my $495 MS T-shirt if IE7 would provide visual cues when a form is secure/insecure (I propose a mod to the chrome or submit button).  Yes, yes, it should be conservative and never have a false-positive (indicating a form is secure when it is not).
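    A defender-side check of the point this post makes, written here as an added example rather than code from the thread or from the forum software: it parses a page's forms and flags any password form whose target, or the page that carries it, is not delivered over https. The domain and form names in the constructed sample are placeholders modelled on the masked forms above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (placeholder domain and form names, modelled on the post's masked forms).
SAMPLE_HTML = """
<form action="http://forum.example.net/index.php?act=Login&amp;CODE=01" method="post" name="LOGIN">
  <input type="text" name="UserName"/>
  <input type="password" name="PassWord"/>
</form>
<form action="https://forum.example.net/index.php?act=Login" method="post" name="LOGIN2">
  <input type="password" name="PassWord"/>
</form>
<form action="index.php?act=Search" method="post" name="SEARCH"><input type="text" name="q"/></form>
"""

class _FormCollector(HTMLParser):
    """Records each <form>: name, action, and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"name": a.get("name") or a.get("id") or "?",
                             "action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "text").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_credential_forms(page_url, html):
    """Return (form name, finding) for each password form. 'ok' needs both the
    target and the page on https; urljoin resolves relative actions against the page."""
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for f in parser.forms:
        if not f["password"]:
            continue
        if urlsplit(urljoin(page_url, f["action"])).scheme.lower() != "https":
            findings.append((f["name"], "credentials posted over plain http"))
        elif not page_https:
            findings.append((f["name"], "https target but page delivered over http"))
        else:
            findings.append((f["name"], "ok"))
    return findings
```

    The second finding category is the mixed-content case the post warns about: an https action on an http page still leaves the form markup itself open to tampering in transit.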

  • W3bbo

    Uhm... you're scaremongering over a forum software that doesn't use HTTPS when collecting registrations or logging in?

    Welcome to the Internet, I'm a member of more than 20 forums and only 2 or 3 use HTTPS anywhere. The risk of packet intercepts is very remote and nothing to worry about.

    EDIT: You write that HTTPS incurs an overhead, and that HTTPS pages shouldn't contain images because they get encrypted. Uhm... are you sure you know how HTTP even works?

  • SlackmasterK

    Bugslayer wrote:
    I don't want to rehash the argument, but I would give my $495 MS T-shirt if IE7 would provide visual cues when a form is secure/insecure (I propose a mod to the chrome or submit button).  Yes, yes, it should be conservative and never have a false-positive (indicating a form is secure when it is not).

    You paid $495 for a T-shirt?

  • Bugslayer

    W3bbo wrote:
    Uhm... you're scaremongering over a forum software that doesn't use HTTPS when collecting registrations or logging in?

    The forums in question are support forums for a for-fee service.  The risk of having an account compromised can result in charges being billed to my account.
    W3bbo wrote:
    The risk of packet intercepts is very remote and nothing to worry about.

    Hmmm.... don't know quite what to say.  Perhaps my vantage point has shown me that man-in-the-middle exploits occur more frequently than you will accept.  Promiscuous mode snooping (cable modem, rogue employee) is a primary threat to any clear-text data.
    W3bbo wrote:
    Uhm... are you sure you know how HTTP even works?

    Yes.  

  • Bugslayer

    SlackmasterK wrote:
    You paid $495 for a T-shirt?

    http://channel9.msdn.com/ShowPost.aspx?PostID=197242#197242

  • Sven Groot

    W3bbo wrote:
    EDIT: You write that HTTPS incurs an overhead, and that HTTPS pages shouldn't contain images because they get encrypted. Uhm... are you sure you know how HTTP even works?

    He is correct in this regard. While it's possible to put images on an HTTPS page that come from an HTTP source, there are several problems with this: one is the "do you want to show insecure items" warning and another is that the user has no way of knowing what items are insecure (there are other issues too). So you should keep everything used by an HTTPS page on HTTPS. And encrypting does incur overhead, so his point is valid.

    I use different passwords on every site, so I'm not much bothered by forums not using HTTPS though.
