ev5unleash Posted August 15, 2008
I was wondering if people could test my login system. This is my first time doing this so it's not going to be great. If people find problems with it please reply to this thread with it and maybe a suggestion. https://www1.ev5unleash.com/supportfiles/esystem/startlogin.php
Link to comment https://forums.phpfreaks.com/topic/119836-solved-how-unsecure-is-this-login-system/

justsomeone Posted August 15, 2008
Currently getting the following error when connecting via HTTPS:

    www1.ev5unleash.com uses an invalid security certificate.
    The certificate is not trusted because it is self signed.
    The certificate expired on 25/07/2008 20:29.
    (Error code: sec_error_expired_issuer_certificate)

ev5unleash (Author) Posted August 15, 2008
I know about the HTTPS connections. I cannot fix it on my Ubuntu installation. If anyone has any ideas to make it a good HTTPS connection, please reply. I still need people to help me with the login system itself.

ev5unleash (Author) Posted August 15, 2008
Fixed link: http://www1.ev5unleash.com:1212/supportfiles/esystem/startlogin.php

darkfreaks Posted August 15, 2008

Password type input with autocomplete enabled

Vulnerability description: Password type input named pass from form named form1 with action 453456database4945093.php has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache. This vulnerability affects /supportfiles/esystem/startlogin.php.

The impact of this vulnerability: Possible sensitive information disclosure.

How to fix this vulnerability: The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use a code similar to:

    <INPUT TYPE="password" AUTOCOMPLETE="off">

Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1

This version of Apache is vulnerable to HTML injection (including malicious Javascript code) through "Expect" header. Until now it was not classed as security vulnerability as an attacker has no way to influence the Expect header a victim will send to a target site. However, according to Amit Klein's paper: "Forging HTTP request headers with Flash" there is a working cross site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox, and it supports Flash 6/7+). Affected Apache versions (up to 1.3.34/2.0.57/2.2.1). This vulnerability affects Web Server.

The impact of this vulnerability: Malicious users may inject JavaScript, not allowed, ActiveX, HTML or Flash to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability: Upgrade to the latest Apache versions. This flaw has been corrected in Apache versions (1.3.35/2.0.58/2.2.2).

Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability

This alert was generated using only banner information. It may be a false positive.

A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures. Affected mod_ssl versions (up to 2.8.17). This vulnerability affects mod_ssl.

The impact of this vulnerability: Denial of service and/or possible arbitrary code execution.

How to fix this vulnerability: Upgrade mod_ssl to the latest version.

HTTP TRACE method is enabled on this web server. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server.

The impact of this vulnerability: Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability: Disable TRACE Method on the web server.

ev5unleash (Author) Posted August 15, 2008
Thanks Darkfreaks! I'm fixing the problems at the moment. I will post again with all of the problems fixed.

ev5unleash (Author) Posted August 15, 2008
How do you disable TRACE in Apache 2?

darkfreaks Posted August 15, 2008
Traditionally experts will suggest to disable this using some rewrite rules like:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

(this needs to be added somewhere in your main apache config file outside of any vhost or directory config). Still this has the disadvantage that you need to have mod_rewrite enabled on the server just to mention one.

But for apache versions newer than 1.3.34 for the legacy branch, and 2.0.55 (or newer) for apache2 this can be done very easily because there is a new apache variable that controls if TRACE method is enabled or not:

    TraceEnable off

This needs to be added in the main server config and the default is enabled (on). TraceEnable off causes apache to return a 403 FORBIDDEN error to the client.

ev5unleash (Author) Posted August 15, 2008
If you want to log in, the user is betauser and the pass is 1234. Any ideas on how to send a PHP file the username and password without putting it in the URL box?

darkfreaks Posted August 15, 2008
Can't, it uses an HTTPS connection and it keeps failing. Let me know when Trace methods are disabled. If you are using mod_ssl to request an HTTPS connection, I suggest you read the FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html

ev5unleash (Author) Posted August 15, 2008
The secure connection works perfectly. I fixed the Trace problem (following tutorials); it's not really a big deal since my login system stores no cookies on the client anyway. Make sure you erase the :1212 port from the URL then so https:// like https://www1.ev5unleash.com/supportfiles/esystem/startlogin.php

darkfreaks Posted August 15, 2008
I do not follow what you are saying. What :1212 part? Also, I have verified you have correctly disabled Trace methods through your web server.

ev5unleash (Author) Posted August 15, 2008
Go to the URL to use the HTTPS connection of the login. Please try the login and give me suggestions to change. I already notice that when you log in it gets placed in the URL (?user=betauser&=pass=1234). Any suggestions?

darkfreaks Posted August 15, 2008
Never mind, you could encrypt the information, like:

    <?php $pass=md5($_POST['pass']); ?>

This will encrypt the password into an MD5 hash in the URL.

ev5unleash (Author) Posted August 15, 2008
Yeah, I know. I have to remake it with a valid one. I really don't feel like it right now. Just test the system lol.

darkfreaks Posted August 15, 2008
*points up*

ev5unleash (Author) Posted August 16, 2008
I put that in the form but it still does not encrypt it.

darkfreaks Posted August 16, 2008
Have you tried using the UTF8_encode() function?

ev5unleash (Author) Posted August 16, 2008
Where would I put that at?

Info about my login system:
Login (username and password) > check with the username database > if correct, check with the username's password files > if correct, redirect to the user's custom page

darkfreaks Posted August 17, 2008
http://www.webmasterworld.com/forum88/4590.htm

ev5unleash (Author) Posted August 17, 2008
Could someone give me it in a nutshell?

darkfreaks Posted August 17, 2008
Basically, putting &password= in the address is unsafe.

ev5unleash (Author) Posted August 17, 2008
I know that. I want to know how to encrypt the password in the URL in a nutshell. I would like a more basic process than dealing with a MySQL database that does not exist.

PFMaBiSmAd Posted August 17, 2008
Your form is missing a method="..." parameter, so the form fields are being sent as GET parameters (the default when no method is specified) on the end of the URL. Because the username/password is being sent with the request for the web page, they can be seen if someone is monitoring data packets (the secure part of http"s" is established as part of the handshaking when the url is requested.) Add a method="post" parameter to cause the data to be sent without it appearing on the end of the url. Post method data is sent to the server after the secure connection has been established.

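The change described in the post above, as an added example that is not part of the original thread or the poster's code: a form submitted with method="post" and a handler that reads the fields from $_POST, so the credentials travel in the request body instead of the URL, where they would also be kept in browser history and server access logs. The field names user and pass and the form name form1 come from the thread; the file names, the in-memory user store, the password_hash()/password_verify() storage and the session handling are assumptions.

```php
<?php
// login.php (hypothetical file name): renders the form and handles its POST.
session_start(); // assumption: a session tracks the logged-in user

// Constructed sample store using the thread's test account. A real system
// would load the stored hash from its own user database or password file.
$users = ['betauser' => password_hash('1234', PASSWORD_DEFAULT)];

// Read one form field from the request body; anything that is not a plain
// string (missing field, array input such as pass[]=x) becomes ''.
function post_field(string $name): string
{
    $value = $_POST[$name] ?? '';
    return is_string($value) ? $value : '';
}

// Compare the submitted password with the stored salted hash.
function verify_login(array $users, string $user, string $pass): bool
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // With method="post" the fields arrive in $_POST. $_GET is empty, so a
    // handler that only reads $_GET['user'] / $_GET['pass'] sees no input.
    $user = post_field('user');
    if (verify_login($users, $user, post_field('pass'))) {
        session_regenerate_id(true);     // fresh session ID after login
        $_SESSION['user'] = $user;
        header('Location: welcome.php'); // hypothetical landing page
        exit;
    }
    $error = 'Invalid username or password.';
}
?>
<form name="form1" method="post" action="login.php">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
  <input type="submit" value="Log in">
</form>
<?php if ($error !== ''): ?>
<p><?= htmlspecialchars($error) ?></p>
<?php endif; ?>
```
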
ev5unleash (Author) Posted August 17, 2008
Thanks PFMaBiSmAd! I changed it to post but now the form is not functional at all. You can't log in at all even with the correct username and password.