09 Secure Yer Cookies 2

Started by Mindless, July 20, 2012, 09:20:49 PM

sharpie

Is there a guide to do this with TBDev 08 please?

Thanks

Mindless

Secure check for IP to cookie to hamper cookie theft. This is for full IP checking. Credits to soft for posting this. Updated for 09.

@File takelogin.php:

Find this:
Code (php)
logincookie($row["id"], $row["passhash"]);

Change to:
Code (php)
// Bind the cookie to the client IP: the cookie only verifies from the address it was issued to
$passh = md5($row["passhash"].$_SERVER["REMOTE_ADDR"]);
logincookie($row["id"], $passh);

@File bittorrent.php inside userlogin():

Find this:
Code (php)
if (get_mycookie('pass') !== $row["passhash"])
    return;

Change to:
Code (php)
if (get_mycookie('pass') !== md5($row["passhash"].$_SERVER["REMOTE_ADDR"]))
    return;

@File takeprofedit.php:

Find this:
Code (php)
logincookie($CURUSER["id"], $passhash);

Change to:
Code (php)
logincookie($CURUSER["id"], md5($passhash.$_SERVER["REMOTE_ADDR"]));

Remember, you may need to delete old cookies after implementing the passhash code. I have verified it now on localhost and server, with only the shortened octet code giving issues on local.

You will find that after implementing this code, all users will again have to log back in (the missing hashv on initial entry will force a login).

Now, if someone steals your passhash, it should prove a fruitless venture.

Credits to Retro :)
Updated to work with 09

@file bittorrent.php add:
Code (php)
// Integrity value for the cookie pair: md5 over a fixed prefix, the extra text, the value, the extra text again and a fixed suffix
function hashit($var, $addtext = "")
{
    return md5("Th15T3xt".$addtext.$var.$addtext."is5add3dto66uddy6he@water...");
}

Find:
Code (php)
if ( !$TBDEV['site_online'] || !get_mycookie('uid') || !get_mycookie('pass') )
    return;
$id = 0 + get_mycookie('uid');
if (!$id || strlen( get_mycookie('pass') ) != 32)
    return;

Change to:
Code (php)
if ( !$TBDEV['site_online'] || !get_mycookie('uid') || !get_mycookie('pass') || !get_mycookie('hashv') )
    return;
$id = 0 + get_mycookie('uid');
// hashv ties uid and pass together; a cookie with either value swapped fails here
if (!$id || strlen( get_mycookie('pass') ) != 32 || get_mycookie('hashv') != hashit($id, get_mycookie('pass')))
    return;

Find:
Code (php)
function logincookie($id, $passhash, $updatedb = 1, $expires = 0x7fffffff)
{
    set_mycookie( "uid", $id, $expires );
    set_mycookie( "pass", $passhash, $expires );
    if ($updatedb)
        sql_query("UPDATE users SET last_login = ".TIME_NOW." WHERE id = $id");
}

Change to:
Code (php)
function logincookie($id, $passhash, $updatedb = 1, $expires = 0x7fffffff)
{
    set_mycookie( "uid", $id, $expires );
    set_mycookie( "pass", $passhash, $expires );
    // hashv ties this uid and pass pair together so neither can be changed alone
    set_mycookie( "hashv", hashit($id, $passhash), $expires );
    if ($updatedb)
        sql_query("UPDATE users SET last_login = ".TIME_NOW." WHERE id = $id");
}

Find:
Code (php)
function logoutcookie() {
    set_mycookie('uid', '-1');
    set_mycookie('pass', '-1');
}

Change to:
Code (php)
function logoutcookie() {
    set_mycookie('uid', '-1');
    set_mycookie('pass', '-1');
    // Clear hashv as well so no stale integrity value remains after logout
    set_mycookie('hashv', '-1');
}

Also another addition to security.

(Credits to Retro and djGrrr for improving it; I just simplified it - jaits.) It is to prevent class escalation in case you have missed an update injection. In the userlogin function in include/bittorrent.php, add this and make sure it's under the user select query:

Code (php)
if ($row["class"] >= UC_STAFF) {
    // Any staff-class row whose id is not in the configured staff list is treated as forged
    $allowed_ID = $TBDEV['allowed_staff']['id'];
    if (!in_array((int)$row["id"], $allowed_ID, true)) {
        $msg = "Fake Account Detected: Username: ".$row["username"]." - UserID: ".$row["id"]." - UserIP : ".getip();
        write_log($msg);
        /** Demote and disable **/
        sql_query("UPDATE users SET enabled = 'no', class = 0 WHERE id = ".sqlesc($row["id"])) or sqlerr(__FILE__, __LINE__);
        logoutcookie();
    }
}

@File include/config.php add (note: add all your staff IDs into the array):

Code (php)
$TBDEV['allowed_staff']['id'] = array(1,2,3,4,5);

Again credits to jaits.
Here's another approach to this mod so you can use either method.
I think users should have as much choice as possible with methods available that secure your tracker.

Make sure you back up your files before trying this, as it's not tested yet.

Code (sql)
ALTER TABLE users ADD loginhash varchar(32) after passhash;

@File include/config.php:

Change the text to something else; it doesn't matter what it is. This just salts the passhash cookie so that XSS attacks are rendered useless unless someone knows the text, and even if they do, the computational power required to brute-force it is too large compared to the value of the information.

Code (php)
$TBDEV['salting'] = 'This@is9just[[a=stupid^^text)to(salt--the""cookies;-)';

@File takelogin.php:

This just adds an update on the users table that sets the loginhash to the combination of the passhash and the current IP of the user... I'll explain why in the userlogin function.

Find:

Code (php)
logincookie($row["id"], $row["passhash"]);

Replace with:

Code (php)
// Record which IP this login came from; userlogin() later checks the cookie against it
sql_query("UPDATE users SET loginhash='".md5(getip().$row['passhash'])."' WHERE id=$row[id]");
$salted = md5($TBDEV['salting'].$row['passhash']);
logincookie($row["id"], $salted);

In bittorrent.php userlogin function:

Now what we do is check if the passhash is correct (the salted passhash now, as it was set in takelogin.php), and then we check that the current IP of the user is the same as the one he last logged in from (using the loginhash in the DB). So basically cookie theft is rendered useless unless you know the password (and if you don't, you won't go through the takelogin function, which won't update the loginhash, so they can't use it). Even with an SQL injection (SELECT), the passhash is useless unless you have the same IP as the person whose passhash you stole, and even with that you'll need an UPDATE and a SELECT injection to successfully attack this system, which is pretty improbable. Even with DB access it makes it really hard to log in as another user if you don't know the actual password.

Find:

Code (php)
if (get_mycookie('pass') !== $row["passhash"])
    return;

Replace with:

Code (php)
if (get_mycookie('pass') !== md5($TBDEV['salting'].$row["passhash"]))
    return;

// $ip must hold the client IP exactly as getip() returned it in takelogin.php
if (md5($ip.$row['passhash']) !== $row['loginhash'])
    return;

This part I'm taking a guess at how it should be:

@File takeprofedit.php/takeeditcp.php:

Find this:

Code (php)
logincookie($CURUSER["id"], $passhash);

Change to:

Code (php)
logincookie($CURUSER["id"], md5($TBDEV['salting'].$passhash));

Note this mod is the same as the 2-octet IP-to-cookie and the full IP-to-cookie mods posted in the main post, but it's a different approach only, I guess.
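A Python model of both cookie schemes in this post, added here as an example and not the tracker's own PHP: it re-implements hashit() and the two userlogin() validations so the anti-theft properties (a cookie replayed from another IP fails, a tampered uid/pass pair fails, a raw passhash pulled from the database fails) can be exercised offline. The salt and the sample user rows are constructed values for the example; the functions take cookies, the fetched users row and the client IP as inputs.

```python
import hashlib
import hmac

# Constructed values for this example (not a real deployment's salt)
SALT = "example-config-salt"
HASHIT_PREFIX = "Th15T3xt"
HASHIT_SUFFIX = "is5add3dto66uddy6he@water..."

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def hashit(var, addtext=""):
    """Model of the thread's hashit(): md5(prefix . addtext . var . addtext . suffix)."""
    return md5hex(HASHIT_PREFIX + addtext + str(var) + addtext + HASHIT_SUFFIX)

def issue_cookies_ipbound(row, client_ip):
    """First mod (takelogin.php + logincookie): pass = md5(passhash . ip), hashv ties uid to pass."""
    passh = md5hex(row["passhash"] + client_ip)
    return {"uid": str(row["id"]), "pass": passh, "hashv": hashit(row["id"], passh)}

def userlogin_ipbound(cookies, row, client_ip):
    """First mod's userlogin() checks; row is the users row fetched for the cookie's uid."""
    if not all(cookies.get(k) for k in ("uid", "pass", "hashv")):
        return False  # a missing hashv forces a fresh login
    if len(cookies["pass"]) != 32 or not cookies["uid"].isdigit():
        return False
    uid = int(cookies["uid"])
    if not uid or uid != row["id"]:
        return False  # no matching user row
    if not hmac.compare_digest(cookies["hashv"], hashit(uid, cookies["pass"])):
        return False  # uid/pass pair was tampered with
    # A cookie issued to another IP fails here: this is the anti-theft property
    return hmac.compare_digest(cookies["pass"], md5hex(row["passhash"] + client_ip))

def issue_cookies_loginhash(row, client_ip):
    """Second mod: store md5(ip . passhash) in users.loginhash, send a salted pass cookie."""
    row["loginhash"] = md5hex(client_ip + row["passhash"])  # the UPDATE in takelogin.php
    return {"uid": str(row["id"]), "pass": md5hex(SALT + row["passhash"])}

def userlogin_loginhash(cookies, row, client_ip):
    """Second mod's userlogin() checks: salted cookie first, then IP bound via loginhash."""
    if not hmac.compare_digest(cookies.get("pass", ""), md5hex(SALT + row["passhash"])):
        return False  # a raw passhash obtained from the database is useless here
    return hmac.compare_digest(md5hex(client_ip + row["passhash"]), row.get("loginhash", ""))
```

Unlike the PHP `!==` comparisons, the model compares with hmac.compare_digest so the check does not leak timing; in new code a keyed HMAC (hash_hmac in PHP) is the standard replacement for the md5-over-concatenation that hashit() and the salted cookie use.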