Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Manager and web: don't pass authenticator to account_finish.php #4092

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

davidpanderson
Copy link
Contributor

If you attach to a project using the Manager, as a "new user",
the Manager finishes the process by opening a browser window
to account_finish.php on that project,
which asks you for your name, country, and (optionally) postal code.
It passes the authenticator to this script;
this could be viewed as a security risk.

I changed things so that:

  • the Manager doesn't pass the authenticator
  • account_finish.php asks you to log in (with email/passwd).

Compatibility issues:
Old manager, new project: no problem. User will see login form.
New manager, old project: user will see confusing "no such user" message

If you attach to a project using the Manager, as a "new user",
the Manager finishes the process by opening a browser window
to account_finish.php on that project,
which asks you for your name, country, and (optionally) postal code.
It passes the authenticator to this script;
this could be viewed as a security risk.

I changed things so that:
- the Manager doesn't pass the authenticator
- account_finish.php asks you to log in (with email/passwd).

Compatibility issues:
Old manager, new project: no problem.  User will see login form.
New manager, old project: user will see confusing "no such user" message
@davidpanderson
Copy link
Contributor Author

I'm not sure this is worth doing. If a hacker could intercept the authenticator, they can intercept the email/password, and use that to get the authenticator.

@TheAspens
Copy link
Member

I'm not sure this is worth doing. If a hacker could intercept the authenticator, they can intercept the email/password, and use that to get the authenticator.

The risk is not the authenticator (or email/password) being intercepted. The risk is that the PHP script treats the authenticator as a full authentication token (i.e. grants full access to the users account). Thus if someone obtains someone else's authenticator, then they can use the account_finish.php to gain full access to the account.

@davidpanderson
Copy link
Contributor Author

The login script (login_action.php) lets you use the authenticator in place of password. This serves two purposes: a) if a user has forgotten their password and their email addr no longer works, they can still log in; b) it lets project admins log in as a user, e.g. to debug problems.

@AenBleidd
Copy link
Member

@davidpanderson, @TheAspens
Hm, what about changing the logic of all this?

  • leave old behavior as-is and implement new changes for new version of server software (I believe there is some versioning, if not - it's a good time to add it)
  • use authenticator to finalize account creation but mix it with some salt and use it only once?
  • remove an ability to login with authenticator only (generate some one-time recovery codes if user forgot his email/password
  • remove an ability for project admins to login with authenticator as a users because it's a potential security vulnerability: no one except user can login as a user.

@davidbolvansky
Copy link
Contributor

davidbolvansky commented Nov 20, 2022

New manager, old project: user will see confusing "no such user" message

We (Fitcrack developers) currently see similar issue - "no such account" as auth is empty string, somehow... When attaching to project, the account creation is broken on Windows. On Mac, no issues.

Repro project url: https://live.fitcrack.cz/fitcrack

@davidpanderson
Copy link
Contributor Author

I couldn't reproduce this; "new user" attach on Windows worked OK.

@davidbolvansky
Copy link
Contributor

davidbolvansky commented Nov 20, 2022

My steps:

  1. Enter project URL: https://live.fitcrack.cz/fitcrack
  2. Then:
    image
  3. Then Finish
    image
  4. Chrome opens with URL: https://live.fitcrack.cz/fitcrack/account_finish.php?auth=
    image

Windows 8.1, Boinc 7.20.2

Macbook M1 Pro with 7.20.2: No issues.

@davidbolvansky
Copy link
Contributor

I couldn't reproduce this; "new user" attach on Windows worked OK.

Ah yeah, debugged it - this is related to special characters. Created: #5024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants