Hi,
> Hi,
>
> Lorenzo Hernandez Garcia-Hierro wrote:
> > Hi,
> >
> > I've started coding the new security library.
> > Please check out or update your copy of the repository.
> > The library will be under /security .
> > Cheers.
> > PS: I also modified line 382 (the session hashing function) in
> > /include/session.php to use a more complex
> > hashing method.
> > Please, refer to the CVS for more information.
>
> I have a few comments regarding your changes:
>
> 1) Your change to frontend/php/include/session.php (in
> session_set_new()) completely breaks session handling - time()
> does not accept parameters. I believe you meant to use gmtime()
> here, no?
I am sorry about that, I made a mistake.
Yes, use gmtime instead.
> 2) Your use of md5() is confusing. md5() is not a crypt()-like
> function. It simply hashes a string - no salt is needed.
> Furthermore, the second [boolean] parameter to md5() enables
> raw-binary (as opposed to hexadecimal) representation of the MD5
> sum (which, in turn, completely changes the function of
> session_set_new() and not just the algorithm it uses).
>
>
The crypt method uses "single line" encryption, there is no key to encrypt.
md5 hashes a string when it is given to the function (md5($string)).
I refer to a book, Ed. Ra-Ma, Cryptography for Data Protection
(Spanish book):
md5 is used to give a hash from a plain string; md5 has the possibility of
including a salt based on another string
that must be an epochtime salt (epochtime output or similar) and a random
number salt.
It is simple, md5 hashes the $pre_hash and $truluxalt.
The salt is only there to provide more entropy to the generated hash.
And I made this because of this "little" problem:
in /account/login.php at line 91 we have a funny function that we can use to
delete other users' session hashes.
This is the buggy code:
-SNIP-
if ($session_hash)
{
    # nuke their old session
    # ($session_hash comes straight from the client's cookie)
    session_cookie('session_hash', '');
    db_query("DELETE FROM session WHERE session_hash='$session_hash'");
}
-SNIP-
Understanding the "nuke their session" :)
Just send a request, or write a script to send requests with random session
hashes, or
simply use the * wildcard, or try to inject SQL queries.
We can set session_hash to anything we want.
----
I think Mathiu removed that function, but it was there.
session_set_new is not changed; the hash is kept in the database and
compared with the user data.
> Also, your addition of frontend/php/security/security-lib.php (I'm
> talking about the XOR encoding function, here) seems to be aiming more
> toward security through obscurity than... well any other purpose.
XOR is easily decoded, just use Perl to do it.
> By using this function you are not only A) telling all search engines
> you do not want their business and B) telling visitors without
> javascript-enabled browsers you do not want their business either.
>
> You are also making any page that Savane generates non-HTML compliant
> for the purpose of "security."
Not all the pages will be encoded.
The security library just adds functions that can be used by including the whole
file and then calling the wanted function.
> There's also a problem (IMHO) with introducing the body of that function
> (_fwk_filter_encrypt) into Savane:
>
> 1) I have seen many revisions of that particular function many times
> in the last couple of years, on example is sitting beside me in a
> PHP book (copyright A-LIST, LLC).
There are many classes that have that function and I based the code on some
of them.
Same as the anti-scripting class, which needs a GPL'ed font.
> 2) A search on Google for "_fwk_filter_encrypt" bears more examples,
> each with different copyright owners.
Some time ago I searched for classes and I know there are many classes that use
it.
> Now, the problem that I have, with this piece of code, is that of
> copyright. Either it is copyright by you (OK) or it is not (not OK).
> If the former, that's cool, you can license the code under any license
> you choose; however, in the latter case you are not the copyright holder
> and therefore cannot place the code under the GPL.
Please, this link will be helpful:
http://lists.netsys.com/pipermail/full-disclosure/2003-October/012133.html
It is a message I posted about a supposed "encryption" weakness in
a project I have stopped developing, and the code that is there is the code
I uploaded
to the CVS, so it's mine.
I have seen this: http://cleverscripts.com/index.php?a=cleversource
and the code is there too; I found the class somewhere on HotScripts,
possibly.
The code of that was available at sas.nsrg-security.com for some time
before the date that appears on the website as the publication date :(
So, I will remove it and write new, improved code.
> I don't mean the above personally. I'm just concerned that code I have
> seen before (copyright someone else) is now showing up in Savane minus
> that copyright attribution, plus your attribution...
Sure you have seen it before, it is a public class.
From now on I'll put copyright and detailed information for each function in
security-lib.php.
Be sure that if I used something copyrighted by another person I say so
:
sourceforge.net/projects/honeyweb
A version is based on Baby Web Server (by Pablo Vandermeer) and the ASP
parser is completely copyrighted by him;
see cvs.sourceforge.net/viewcvs.py/honeyweb for modifications.
> Regards,
> Elfyn
Cheers!
PS: think again about adding a salt to session_hash generation. If you want,
tell me and I'll do it.
> --
> +------------------------------------------+
> | Elfyn McBratney, EMCB | |
> | mailto:[EMAIL PROTECTED] | (-: |
> | http://www.emcb.co.uk | |
> +------------------------------------------+
>
> This penguin is:
> Linux london 2.6.3-241-emcb i686 GNU/Linux
>
>
>
> _______________________________________________
> Savane-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/savane-dev
>
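The two technical points argued in the message above, the unescaped `$session_hash` in the "nuke their old session" code and what goes into session_hash generation, as an added, stand-alone example that is not Savane's code and not from either poster. It is Python rather than PHP so it can be run against an in-memory SQLite table; the table layout (`session(session_hash, user_id)`), the constructed sample rows, and the function names are assumptions made for the illustration. The vulnerable function is a literal port of the quoted PHP query; the hardened one uses a parameterised query scoped to the authenticated user, and the session hash comes from the OS CSPRNG instead of md5 over time and a PRNG value.

```python
"""Session-row deletion and session-hash generation, side by side.

Added example (not Savane's code). The 'session' table and its rows are
constructed here so the file runs offline.
"""
import hashlib
import random
import secrets
import sqlite3
import time


def make_db():
    """Fresh in-memory DB with three constructed sessions (one per user)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (session_hash TEXT PRIMARY KEY, user_id INTEGER)")
    db.executemany("INSERT INTO session VALUES (?, ?)",
                   [("aaaa", 1), ("bbbb", 2), ("cccc", 3)])
    db.commit()
    return db


def session_count(db):
    return db.execute("SELECT COUNT(*) FROM session").fetchone()[0]


def nuke_old_session_vulnerable(db, session_hash):
    """Port of the quoted login.php snippet: the cookie value is spliced
    straight into the SQL string, so a value like  ' OR '1'='1  deletes
    every row, not just the caller's own session."""
    if session_hash:
        db.execute("DELETE FROM session WHERE session_hash='%s'" % session_hash)
        db.commit()


def nuke_old_session_hardened(db, session_hash, user_id):
    """Bound parameters (no string splicing) and the row must also belong to
    the user who just authenticated, so a forged cookie cannot touch anyone
    else's session even if it happens to match a real hash."""
    if session_hash:
        db.execute("DELETE FROM session WHERE session_hash=? AND user_id=?",
                   (session_hash, user_id))
        db.commit()


def weak_session_hash():
    """md5 over the epoch time plus a PRNG number, the scheme discussed in
    the thread. Both inputs are predictable: time is public and random()
    is not a CSPRNG, so the hash is guessable within a small keyspace."""
    pre_hash = "%d%d" % (int(time.time()), random.randint(0, 2 ** 31 - 1))
    return hashlib.md5(pre_hash.encode()).hexdigest()


def strong_session_hash():
    """128 bits straight from the OS CSPRNG. No hashing or salt is needed:
    the value is the secret, and it is unguessable by construction."""
    return secrets.token_hex(16)


def demo():
    """Return how many sessions survive each scenario (3 rows to start)."""
    results = {}
    db = make_db()
    nuke_old_session_vulnerable(db, "aaaa")          # legitimate logout
    results["vuln_own"] = session_count(db)          # 2
    db = make_db()
    nuke_old_session_vulnerable(db, "' OR '1'='1")   # forged cookie
    results["vuln_injected"] = session_count(db)     # 0
    db = make_db()
    nuke_old_session_hardened(db, "' OR '1'='1", 1)  # same payload, bound
    results["hard_injected"] = session_count(db)     # 3
    db = make_db()
    nuke_old_session_hardened(db, "bbbb", 1)         # someone else's hash
    results["hard_other_user"] = session_count(db)   # 3
    db = make_db()
    nuke_old_session_hardened(db, "aaaa", 1)         # own hash, own user
    results["hard_own"] = session_count(db)          # 2
    return results


if __name__ == "__main__":
    for name, left in demo().items():
        print("%-16s sessions left: %d" % (name, left))
    print("weak  :", weak_session_hash())
    print("strong:", strong_session_hash())
```

The parameterised query alone stops the injection; the `user_id` condition is what closes the original complaint (deleting other users' sessions with a guessed or copied hash), so both are needed.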