Comments (5)
DanWin
commented on May 24, 2024
What exactly do you mean? It is possible to login from multiple locations at once, yes. For that you need to have a matching username / password combination or somehow get access to the other users session ID. This also applies to guest users.
At least on the installation you are referring to, passwords may be left empty by guests, which might or might not be what you are actually pointing out here.
from le-chat-php.
bakertaylor28
commented on May 24, 2024
What I was noticing is that, assuming a guest user name that does not have
a password in the database, that the php script disregarded
the session cookie entirely and allowed the data to propagate across
multiple sessions. Hypothetically if "target" is a guest client using
username "test"
which is a guest user name that does not have a password, and I am
accessing the php chat script with a second machine as separate unique
client (i.e. attacker), if I then log into the chat as a guest using the
name "test" I could then see all of the user data for "test" as well as
impersonate "test" on the server. This was done WITHOUT attacking the
client's ("target's") session cookie in any material way in the proof of
concept. ( The exploit seems to have been closed on Daniel's chat
implementation on 02/19/2019 inadvertently by a moderator.) It was as if
the login was not looking up in the database to see that "test" was a user
name that is currently logged into the system.
…On Wed, Feb 20, 2019 at 1:50 PM Daniel Winzen ***@***.***> wrote:
What exactly do you mean? It is possible to login from multiple locations
at once, yes. For that you need to have a matching username / password
combination or somehow get access to the other users session ID. This also
applies to guest users.
At least on the installation you are referring to, passwords may be left
empty by guests, which might or might not be what you are actually pointing
out here.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#53 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AV-Z8mHwM5wSNDCD9XpK-RuR-t4iaj_Zks5vPacSgaJpZM4bD3aM>
.
from le-chat-php.
DanWin
commented on May 24, 2024
I see, this is not a bug, but a feature. Suppose the session timeout is 20 minutes and your browser crashes, you will have to log back in to another user if logging back in to the same user was not allowed. This is why logging in to an already logged in user is a necessary feature. It will also allow you to work across devices, without having to logout. I agree, letting a guest have a weak/empty password is not really a good thing and thus it's an option that can be changed. However I'm tired of receiving several mails per week, asking for a password, when the login page already tells those users to choose one. Thus I have disabled the strong password requirement on the chat you named as example.
In your own chat setup, you can change the option "Minimal password length" as well as "Password regex" to define your own rules on how long passwords have to be and which complexity they need to have, like checking that they have upper-/lowcase characters, numbers and special characters.
from le-chat-php.
bakertaylor28
commented on May 24, 2024
That very much is a bug when the feature can't be easily turned off and in
the context of Tor it is a serious security risk because of the fact that
the host sees the remote IP as being local-host as opposed to an exit node.
(which means that, theoretically, everyone has access to the same PHP
session cookie.) The proper way of logging in across multiple devices is
not to use the session cookie but rather to validate IP address or some
other information that quasi-identifies a user which can be stored in an
SQL database. Regex, while fine for validation of data, is also a bad idea
when it comes to SQL sanitation. (Basics of SQL injection and read the PHP
docs).
If you are hellbent on keeping it, I would recommend on at least
thoroughly document it and how to turn it off completely.
…On Sun, Feb 24, 2019 at 5:47 AM Daniel Winzen ***@***.***> wrote:
I see, this is not a bug, but a feature. Suppose the session timeout is 20
minutes and your browser crashes, you will have to log back in to another
user if logging back in to the same user was not allowed. This is why
logging in to an already logged in user is a necessary feature. It will
also allow you to work across devices, without having to logout. I agree,
letting a guest have a weak/empty password is not really a good thing and
thus it's an option that can be changed. However I'm tired of receiving
several mails per week, asking for a password, when the login page already
tells those users to choose one. Thus I have disabled the strong password
requirement on the chat you named as example.
In your own chat setup, you can change the option "Minimal password
length" as well as "Password regex" to define your own rules on how long
passwords have to be and which complexity they need to have, like checking
that they have upper-/lowcase characters, numbers and special characters.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#53 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AV-Z8pxXH-3g2jNHig2Q0gkyX_M6GWGpks5vQnvngaJpZM4bD3aM>
.
from le-chat-php.
DanWin
commented on May 24, 2024
Like I stated previously, it's an easy to change setting that can be changed by an admin, by requiring a password and not allow an empty one.
In context of Tor, we have little to no data to identify a user. Everyone looks the same, there are no IPs and (hopefully) the majority will use TorBrowser. The only thing that can be done is to not allow re-logging in to a user when there is already someone logged in on that name, which would however also mean, that if a user restarts the browser, they will be forced to change to a new user.
As for the regex, it's not used for sanitation. It is only used to enforce a specific pattern to be used in passwords, e.g. not to allow passwords that have only lowercase characters, but no numbers or uppercase characters. SQL sanitation is done using PDO prepared statements.
from le-chat-php.
Related Issues (20)
- is it possible loading videos like pictures? HOT 2
- Security Issue HOT 1
- Sending a message gives me "session expired" HOT 1
- Add a Report button for links
- User friendly nickname filter
- Markdown support HOT 1
- Vulnerable Moderator Approval and Captcha HOT 2
- SQL errors at guest login HOT 8
- Fail to deploy le-chat-php to Replit HOT 3
- .
- Kick all guests does not work HOT 1
- [Locale] Add locales for Hindi Language HOT 4
- php 8.1 or 8.2 HOT 13
- Like system
- Error when mbstring extension is not installed HOT 1
- Error when intl extension is not installed HOT 1
- i paid for member login privileges and I'm not able to log in. HOT 1
- Error when gettext extension is not installed
- Vercel Deployment
- Add end to end Encryption
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from le-chat-php.