Register Members List Search Today's Posts Mark Forums Read

Reply
 
Mod Options
Accept cookie authorization only from last user's session host (or IP range) Details »
Accept cookie authorization only from last user's session host (or IP range)
Mod Version: 1.00, by JohnWoo (Member) JohnWoo is offline
Developer Last Online: Apr 2014 I like it Show Printable Version Email this Page

This modification is in the archives.
vB Version: 3.0.0 Rating: (0 vote - 0 average) Installs: 2
Released: 25 Jul 2004 Last Update: Never Downloads: 6
Not Supported  

Hello!

As we all know, native VB authorization have two main weak sides:
- cookie connected only with username (userid)
[if somebody will steal your cookies (all browsers including latest allow to do it very easy), he will be able to enter]
- password string (even md5 hash of password from JS) in post data always same
[is somebody in your network can trace you HTTP headers, he will be able to send same post data and enter]
We can try to fight with first problem connecting cookie stored in browser with users host or, if php on your server have no gethostbyaddr function, with first 3 numbers of IP (IP range).
After installing authorization scenario will be the following:
1. user enter username and password in login form and submit it
2. if password match vb set two cookies:
- userid (number)
- password hash
[md5 hash for the result of concatenation "already hashed password stored in db" + "current user's host or ip range" + "some long string just to be more sure".
But if user host look like "dialaup-1276.something.isphost.com", only "isphost.com" part will be included in concatenation.]
3. If user use cookie authorization, VB will compare cookie send by browser with same md5 hash of same concatenation result. So if cookie comes from different host, user will be forced to enter password again.

Hope that this small hack will make your vb little more secure

PS It is possible to fight easy with second weak side too, but it needs too much files and template changes and explanations and i don't fink that i'll be able to explaing it with my English Sorry

Download Now

Only licensed members can download files, Click Here for more information.

Show Your Support

  • To receive notifications regarding updates -> Click to Mark as Installed.
  • If you like this modification support the author by donating.
  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Comments
  #2  
Old 25 Jul 2004, 14:32
`SLVR`'s Avatar
`SLVR` `SLVR` is offline
 
Join Date: Aug 2003
nice addition
Reply With Quote
  #3  
Old 06 Aug 2004, 16:44
YLP1 YLP1 is offline
 
Join Date: Aug 2004
I am trying to install this mod but the second step of replacing this code:
vbsetcookie('password', md5($bbuserinfo['password'] . ''));

or may be

vbsetcookie('password', md5($bbuserinfo['password'] . 'somerandomstring'));

My version (3.0.03 ) shows this in two instances:

vbsetcookie('password', md5($bbuserinfo['password'] . 'IN HERE IS 8 Characters that I didn't want to post cuz I don't know what they are'), 0);

AND

vbsetcookie('userid', $bbuserinfo['userid'], 0);
vbsetcookie('password', md5($bbuserinfo['password'] . 'HERE IS 8 Characters that I didn't want to post cuz I don't know what they are'), 0


I am afraid to overwrite this piece....any suggestions?
Reply With Quote
  #4  
Old 06 Aug 2004, 17:26
JohnWoo's Avatar
JohnWoo JohnWoo is offline
 
Join Date: Jan 2002
I have not seen 3.0.03 yet...
But vbsetcookie function in Gold with last zero as parameter, set cookie that will disappear after closing browser, so i understand nothing and can suggest nothing. Sorry
Reply With Quote
  #5  
Old 08 Aug 2004, 12:26
MrZeropage's Avatar
MrZeropage MrZeropage is offline
 
Join Date: Nov 2003
Real name: Marcel
somerandomstring is called "salt" in vBulletin 3.0.3 and is a random string of three characters.

The password is hashed like this: md5(md5($bbuserinfo['password'] . $bbuserinfo['salt'])) so md5 is used twice, once the password is hashed and then the "salt" gets added and then the whole things gets hashed again, and this hash is stored in the database.
Reply With Quote
  #6  
Old 08 Aug 2004, 14:00
JohnWoo's Avatar
JohnWoo JohnWoo is offline
 
Join Date: Jan 2002
Yes, but for cookie authorization vb3 use another random string It is not stored in db and i feel that it connected with licence number somehow
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Mod Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 01:15.

Layout Options | Width: Wide Color: