Re: [Phpgroupware-users] admin authentication hole

[Chris Weiss]

>>When i hit "back" it tells me the page has expired.  Refresh and it asks me to
>>repost the form (the login form) so in effect I am logging in again.
>>
>See above re: your cache setting.  You should *never* be able to
>reauthenticate by reposting a browser form.  This is not security, it's
>a hole.

exacltly how do you propose "we" do this?  There is NO WAY AT ALL to tell the
difference between an actuall POST and a refreshed POST.

>
>>
>>
>>So either I am not experiencing the same thing as you, or you have a great
>>missunderstanding about how web based apps and browsers work.  It's really 
>>rather
>>simple, they do what you tell them to.  You tell it to repost a form it's 
>>gonna do
>>it.  On the server there is no way at all of telling weather you clicked 
>>submit or
>>told IE to go ahead and repost through a refresh, it all looks the same.
>>
>Right, tell me I don't understand and blame a browser version without
>even checking your own browser by changing a setting.  Is this too much
>trouble for you to do?    I do understand that when a person clicks
>Logout, they should be logged out, and there should be no way in hell a
>person can walk up to my browser and get back in and change
>configuration settings for an application.   Or to have two passwords
>which supposedly are protecting data when they do no such thing.  I
>suppose I will log this to BugTraq since posting this here is obviously
>being ignored, and then you can tell the world how they don't understand
>browsers and everything will be OK from your perspective.

Obviously it's not being ignored, at least one person is responding in what 
amounts
to a very short period of time.  And given that I've been developing web based 
apps
since Netscape 2.0 was brand spanking new I do know how this stuff works.  A 
POST
is a POST.  Period.  You want a secure logout, close your browser, even a Online
bank tells you this, I'm not just pulling it out of my ass.  So I geuss the
solution is that phpGW *should* tell people this too.  Does that mean will do 
it?
If not is it still our fault?

>>So maybe there needs to be a blurb on the login screen wanring people to not 
>>use
>>back buttons?  In general back buttons are very bad in web apps.  they are 
>>not to
>>be used unless there is no other way.  I learned this many years ago and I 
>>guess
>>many of us take this for granted.
>>
>How about a blurb not to use phpGroupWare until it's obvious security
>holes are fixed?   Or a "please, don't hack this product, it has
>security holes but please don't try to break it."  That should do it.
>  :-)

The only way to "hack" the hole you talk about is for me to walk up behind you
after you logout and left your browser open to the login page.  It's a meat 
space
hack due to a "convenience" feature in browsers.

The only "hackable bug" you've got here is that browsers let you repost form 
data
unmodified.

>
>Patrick Price
>Senior UNIX Systems Administrator
>West Virginia University
>
Only a Unix admin?  I admin all os's.  Name one.  I fully understand all the
security and programming issues at hand here, to the point that I can write 
both a
http server and a http client from scratch if I wanted to.  Please stop calling 
me
an idiot.


Chris Weiss
CIO/CSO/Lead Programer
Wilson Mfg. Co.