[Critical] CAPTCHA, reset password/maintenance mode (Read 13,729 times)
Captain John
Ex Member


Re: CAPTCHA, reset password, maintenance mode
Reply #11 - Dec 14th, 2009 at 6:37pm
JonB wrote on Dec 14th, 2009 at 4:33pm:
it cobbles together an email that contains the message text plus a link using the stored hash of the PW and either the encrypted or cleartext username


  jon .. then it does open and close files, AND writes a file (email) .... possibly during a Maintenance Function.

JonB wrote on Dec 14th, 2009 at 4:33pm:
Soooo - it (the reset email) poses no risk whatever.


   Willing to allow me, to use Password Reset, while you run Maintenance Functions in a large Live Forum, with the fix above to allow me to do just that ?
   mmmmm the "possibilities" of the unknown.

  Wasn't the purpose of Maintenance Mode to "lock" the forum while the Admin performed Maintenance ?  Maintenance Mode is "usually" only in effect for a short time, while the functions are performed .... is it unreasonable to require a member to wait before being able to do anything while in effect ?
« Last Edit: Dec 14th, 2009 at 7:23pm by »  
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Posts: 3,768
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: CAPTCHA, reset password, maintenance mode
Reply #10 - Dec 14th, 2009 at 4:33pm
Actually - the password reset doesn't change files - it cobbles together an email that contains the message text plus a link using the stored hash of the PW and either the encrypted or cleartext username depending on the forum's settings.

Soooo - it (the reset email) poses no risk whatever. The reset occurs when the user clicks on the link.

And I think that would be blocked (I am testing)

Edited:
Confirmed - no problems

;)
« Last Edit: Dec 14th, 2009 at 5:19pm by JonB »  

reset_no_problem.jpg (Attachment deleted)

I find your lack of faith disturbing.
 
Captain John
Ex Member


Re: CAPTCHA, reset password, maintenance mode
Reply #9 - Dec 14th, 2009 at 3:21pm
Jens Brix Christiansen wrote on Dec 13th, 2009 at 6:13pm:
Captain John wrote on Yesterday at 11:33am:
True ... but the Admin Logging in does not alter files, such as a password change would require.

I don't see that much of a difference here. When <user> (who is an admin) logs in to a forum in maintenance mode, the following files are rewritten:

* Members/<user>.vars
* Members/<user>.ims
* Members/<user>.msg
* Variables/clicklog.txt
* Variables/log.txt


Glad you were able to provide a fix ....

  But I still have a reservation on allowing a Password Reset while in Maintenance Mode.
   As you clearly pointed out the files altered when an Admin logs in, even when in Maintenance Mode, these are accomplished (completed) before the Admin would enter the Admin Center to for example, run Maintenance Functions.  While a user clicking on Password Reset can and could actually do it during the operation.
   Is that good ??
« Last Edit: Dec 14th, 2009 at 3:22pm by »  
 
deti
Legacy Dev Team
Development Team
****
Posts: 2,650
Location: Prien am Chiemsee, Germany
Re: CAPTCHA, reset password, maintenance mode
Reply #8 - Dec 13th, 2009 at 9:36pm
JonB wrote on Dec 12th, 2009 at 4:39pm:
at least in English - I would say 'password reset'.

Good idea.


Jens Brix Christiansen wrote on Dec 13th, 2009 at 1:41pm:
If my analysis is right, the line three lines above the highlighted line can simply be replaced with the highlighted line.

I think your analysis is right! Thanks!!!
  

Was immer Du tun kannst
oder erträumst tun zu können,
beginne es.
Kühnheit besitzt Genie,
Macht und magische Kraft.
Beginne es jetzt.
Whatever you can do
or dream you can,
begin it.
Boldness has genius,
power and magic in it.
Begin it now.
J. W. Goethe
 
Jens Brix Christiansen
YaBB Newcomer
*
Posts: 26
Location: Frederiksberg, Denmark
Re: CAPTCHA, reset password, maintenance mode
Reply #7 - Dec 13th, 2009 at 6:13pm
Quote:
  True ... but the Admin Logging in does not alter files, such as a password change would require.

I don't see that much of a difference here. When <user> (who is an admin) logs in to a forum in maintenance mode, the following files are rewritten:
  • Members/<user>.vars
  • Members/<user>.ims
  • Members/<user>.msg
  • Variables/clicklog.txt
  • Variables/log.txt

When <user> requests a password reset, Variables/log.txt and Members/forgotten.passes are affected. When <user> later does change their password (while the forum is still in maintenance mode), the files affected are pretty much all of the above.

If the administrator was doing something advanced, like making systematic changes to the vars files behind the system's back, this does imply a risk, but surely the risk is negligible when only one admin is involved, and manageable even if more than one admin is involved.
« Last Edit: Dec 13th, 2009 at 6:17pm by Jens Brix Christiansen »  
 
Captain John
Ex Member


Re: CAPTCHA, reset password, maintenance mode
Reply #6 - Dec 13th, 2009 at 4:33pm
JonB wrote on Dec 12th, 2009 at 11:22pm:
(passwords should not be reset during maintenance)- although all Admins can still login.


  True ... but the Admin Logging in does not alter files, such as a password change would require.
  
 
Jens Brix Christiansen
Re: CAPTCHA, reset password, maintenance mode
Reply #5 - Dec 13th, 2009 at 1:41pm
deti wrote on Dec 12th, 2009 at 4:13pm:
If you have a code solution and a better term for Password reminder they are welcome!


The problem as stated can be fixed by adding a line in YaBB.pl:

Code:
	if ($maintenance) {
		if    ($action eq 'login2')    { require "$sourcedir/LogInOut.pl"; &Login2; }
		# Allow password reminders in case admins forget their admin password
		elsif ($action eq 'reminder')  { require "$sourcedir/LogInOut.pl"; &Reminder; }
		elsif ($action eq 'validate')  { require "$sourcedir/Decoder.pl"; &convert; }
		elsif ($action eq 'reminder2') { require "$sourcedir/LogInOut.pl"; &Reminder2; }
		elsif ($action eq 'resetpass') { require "$sourcedir/LogInOut.pl"; &Reminder3; }
		# Added line (the one highlighted in the original post)
		elsif ($action eq $randaction) { require "$sourcedir/Decoder.pl"; &convert; }

		# Everyone except admins gets the maintenance notice
		if (!$iamadmin) { require "$sourcedir/LogInOut.pl"; &InMaintenance; }
	}



It looks as if someone at some point in the development decided to improve on the action validate by replacing it with $randaction (which is a rough time stamp), no doubt seeking to prevent an attacker from passing the CAPTCHA by reusing some old validation code. If so, they may have forgotten to replace 'validate' with $randaction in the code that handles actions in maintenance mode. If my analysis is right, the line three lines above the highlighted line can simply be replaced with the highlighted line.
  
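The mismatch described in the post above, as an added example (not code from the post or from YaBB): a maintenance-mode allow-list that still names the literal 'validate' while the CAPTCHA image is requested under the rotating $randaction. The rand_action derivation, the bucket size and the timestamp are assumptions; the thread says only that $randaction is a rough time stamp.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the CAPTCHA action name rotates with a coarse time bucket.
# Hypothetical derivation, not YaBB's own.
sub rand_action {
    my ($now, $bucket) = @_;
    return 'v' . int($now / $bucket);
}

# Actions served to non-admins while the forum is in maintenance mode.
# $captcha_action is the action name this allow-list accepts for the image.
sub maintenance_allowlist {
    my ($captcha_action) = @_;
    return +{
        login2          => 'Login2',
        reminder        => 'Reminder',
        reminder2       => 'Reminder2',
        resetpass       => 'Reminder3',
        $captcha_action => 'convert',    # CAPTCHA image generator
    };
}

# Handler name for an action, or 'InMaintenance' when it is not allowed.
sub route {
    my ($allow, $action) = @_;
    return exists $allow->{$action} ? $allow->{$action} : 'InMaintenance';
}

my $randaction = rand_action(1260823020, 3600);     # constructed timestamp
my $before = maintenance_allowlist('validate');     # stale literal
my $after  = maintenance_allowlist($randaction);    # name the form really uses

# The form's <img> asks for $randaction; 'validate' is the retired name.
for my $case ([ "image request ($randaction)", $randaction ],
              [ 'retired name (validate)',     'validate'  ]) {
    my ($label, $action) = @$case;
    printf "%-28s before: %-14s after: %s\n",
        $label, route($before, $action), route($after, $action);
}
```

With the stale allow-list the image request falls through to the maintenance notice, which is why the form shows an input with no image; the same two-row check works as a regression test whenever the action name changes.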
 
JonB
Re: CAPTCHA, reset password, maintenance mode
Reply #4 - Dec 12th, 2009 at 11:22pm
Captain John:

I thought that as well at first (passwords should not be reset during maintenance) - although all Admins can still login.

LOL - I have a different bone to pick later on this one...  But it's NOT the same issue...

;)

  

 
Captain John
Ex Member


Re: CAPTCHA, reset password, maintenance mode
Reply #3 - Dec 12th, 2009 at 5:49pm
Jens Brix Christiansen wrote on Dec 11th, 2009 at 8:39pm:
* The forum is in maintenance mode
* A user hits Forgot password?


The screen presented to the user is the normal Password reminder screen, but the CAPTCHA image is not shown - but the corresponding input is, of course, required.


mmm looks like the real problem is the Forgot Password shouldn't be active in "Maintenance Mode".  The Captcha does display when NOT in Maintenance Mode, as it should ..
  
 
JonB
Re: CAPTCHA, reset password, maintenance mode
Reply #2 - Dec 12th, 2009 at 4:39pm
at least in English - I would say 'password reset'.

:)
  

 
deti
Re: CAPTCHA, reset password, maintenance mode
Reply #1 - Dec 12th, 2009 at 4:13pm
If you have a code solution and a better term for Password reminder they are welcome!
  

 
Jens Brix Christiansen
[Critical] CAPTCHA, reset password/maintenance mode
Dec 11th, 2009 at 8:39pm
Here is the scenario:
  • YaBB 2.4
  • CAPTCHA is turned on (Activate validation code... is checked)
  • The forum is in maintenance mode
  • A user hits Forgot password?

The screen presented to the user is the normal Password reminder screen, but the CAPTCHA image is not shown - but the corresponding input is, of course, required.

Once the forum is taken out of maintenance mode, the problem goes away.

(By the way, Password reminder is not the most appropriate name, since no reminder is sent -- instead the user gets a special tunnel to enter a new password in his profile.)
« Last Edit: Mar 25th, 2010 at 2:18am by »  