07-03-24 04:35 PM
Acmlm's Board - I3 Archive - Help, Suggestions, Bug Reports - HTML on the reply page
  
Xkeeper
Posts: 4599/5653
Originally posted by HyperHacker
Hm, you're right. Come to think of it there's really no way to prevent having to log in every session without people being able to do just that, except locking the session ID to an IP address which is no good for dynamic IPs. :-/ I figured that's what things like vBulletin and phpBB did, but looks like they just store a user ID and password hash.

I was considering adding some salt to the MD5 hash the cookie stores, but I ran into that same problem -- it has to be unique to each user.

IPs would work, but then you have the dynamic IP problem.
HyperHacker
Posts: 4023/5072
Hm, you're right. Come to think of it there's really no way to prevent having to log in every session without people being able to do just that, except locking the session ID to an IP address which is no good for dynamic IPs. :-/ I figured that's what things like vBulletin and phpBB did, but looks like they just store a user ID and password hash.
emcee
Posts: 673/867
Then how does that prevent people from stealing cookies and using them as their own?
HyperHacker
Posts: 4014/5072
Originally posted by emcee
Wouldn't that make it so you would have to constantly re-login? How would the server start a new session after the last one expired without the password?

It wouldn't. You'd just make them last a long time, or however long the user chooses on the login page. Despite their name, session IDs can span multiple sessions.
emcee
Posts: 662/867
Even in layouts?
Xkeeper
Posts: 4524/5653
Or I could just filter < to &lt;.

Seriously, your solutions are all crap.
emcee
Posts: 659/867
Wouldn't that make it so you would have to constantly re-login? How would the server start a new session after the last one expired without the password?
HyperHacker
Posts: 3997/5072
I think the best solution is to not store passwords in the cookie at all, but rather session IDs. Cookies store user IDs and decrypting the password is pretty easy.
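The session-ID approach suggested in the post above, and the long-lived session IDs mentioned in the later reply, as an added PHP example that is not part of the thread or of Acmlmboard's code. `SessionStore`, `sessionCookieOptions`, the cookie name `sid`, the in-memory array standing in for a database table, and the demo values are all assumptions made for illustration.

```php
<?php
// Added example: the cookie carries a random token, never a password or its hash.
// The array stands in for a database table; all names here are hypothetical.
final class SessionStore
{
    private array $rows = []; // sha256(token) => ['user' => int, 'expires' => int]

    // Issue a random token; only its hash is kept on the server.
    public function issue(int $userId, int $lifetime, int $now): string
    {
        $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = [
            'user'    => $userId,
            'expires' => $now + $lifetime,       // lifetime chosen on the login page
        ];
        return $token;
    }

    // Return the user ID for a live token, or null if unknown or expired.
    public function validate(string $token, int $now): ?int
    {
        $row = $this->rows[hash('sha256', $token)] ?? null;
        if ($row === null || $row['expires'] <= $now) {
            return null;
        }
        return $row['user'];
    }

    // Logout or password change: every copy of the token stops working.
    public function revoke(string $token): void
    {
        unset($this->rows[hash('sha256', $token)]);
    }
}

// HttpOnly keeps the cookie value out of reach of script running in the page.
// Usage in a web request: setcookie('sid', $token, sessionCookieOptions($expires));
function sessionCookieOptions(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

if (PHP_SAPI === 'cli') {                        // constructed demo values
    $store = new SessionStore();
    $now   = 1158451200;
    $token = $store->issue(42, 30 * 86400, $now);
    var_dump($store->validate($token, $now + 3600));        // within lifetime
    var_dump($store->validate($token, $now + 31 * 86400));  // past expiry
}
```

A copied token can still be replayed until it expires or is revoked, but it reveals nothing about the password and can be invalidated without changing it.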
emcee
Posts: 651/867
Yeah, HyperHacker is right. I could actually steal cookies right from the main page. But unlike the password on the reply page, the password in the cookie appears to be encrypted to some extent. I tried decrypting it using the function shdec from functions.php, but it didn't seem to work, maybe it's outdated.

Of course, it's not really necessary to decrypt it, all you have to do is use the cookie like it's your own. But it still wouldn't help to steal on the main page or from a post, since it would be kind of hard to determine whose cookies are whose. Instead, you could just put the code in a pm and wait for them to read it.

Maybe the best solution is to store the password in the cookie and HTML with one-way encryption (I don't know how this is done in PHP, but in Perl it's just crypt(password,salt)). Then, to validate it, encrypt the password on the server the same way and compare. Then, just check the referrer to make sure it's coming from the right site. That would completely solve the problem.
Metal Man88
Posts: 409/701
Eh, I can't see it happening any time soon. Most people prefer to register en masse and post garbage... hijacked accounts, I think, are a rarity.
pikaguy900
Posts: 391/748
Ummm... It's easy to steal them while replying? *shudders* Why not just take away that part that has your username and password inputted to post? You could have that page simply check to see who is logged in when you post, and whoever you're logged in as, that's the username that'll appear. I know they never ask for your username when posting on any other board, even if you're logged in.
Xkeeper
Posts: 4494/5653
I have an even simpler solution. Actually doing it is another matter entirely.
HyperHacker
Posts: 3977/5072
I imagine some of these methods would be exploitable on pretty much any page to grab cookies. Unless you're thinking of one particular method I just thought of that would be nearly impossible to actually pull off.
emcee
Posts: 650/867
Even with the filters it's still very easy to steal passwords. There are several ways in IE, and at least one that I tested that works on Firefox. And they're all just one simple line of code.

There's even a way of doing it that doesn't involve javascript at all. Although it's a bit more complicated.

Simple solution: Disable html in the overview of the thread shown on the reply page.
Acmlmboard 1.92.999, 9/17/2006
©2000-2006 Acmlm, Emuz, Blades, Xkeeper
