Security hardening of the AUTOREGISTER option #111

Open
PBoissier opened this issue Jun 28, 2022 · 2 comments
@PBoissier
Member

The SQL_DB_USERS_AUTOREGISTER variable of WEBOBS.rc allows the automatic creation of WebObs user accounts when a person completes the register.pl form.

When the value of this variable is "Y" the SQLite user database is filled but leaves the "valid" field at "N". The newly created user is therefore not activated. Activation must be done by an administrator.
This variable will also trigger the filling of Apache's htpasswd file. This file contains the user's login and encrypted password.

As a result, the user who has just completed the registration form can immediately authenticate on the Apache server.
This does not allow him to display the WebObs pages because the latter detects the invalidity of the account. Nevertheless the user has access to all the resources of the virtualhost concerned by the htpasswd. This can lead to code injection attempts via the CGI interface (https://www.cgisecurity.com/lib/sips.html) or denial of service attacks.

@PBoissier PBoissier self-assigned this Jun 28, 2022
@PBoissier
Member Author

PBoissier commented Jun 28, 2022

I propose that when validating the register.pl form, the htpasswd file is still filled in but that the new entry is commented out.
It will also be necessary to modify the "WebObs User Manager" page so that the htpasswd file is modified according to the validation or not of a user.
We can also imagine a task in the scheduler which will completely deactivate users whose validity date has passed (in the database and in the htpasswd).

Perl code for commenting / uncommenting htpasswd could be:

use strict;
use warnings;

# Usage: toggle_htpasswd.pl <htpasswd file> <login> <Y|N>
my ($file, $login, $valid) = @ARGV;
die "usage: $0 file login Y|N\n" unless defined $valid && $valid =~ /^[YN]$/;

# Escape the login so regex metacharacters in it are matched literally, and
# anchor on the trailing ':' so that 'bob' does not also match 'bobby'.
my $user = quotemeta($login);

open my $in, '<', $file or die "Can't read from $file: $!\n";
my @lines;
while (my $line = <$in>) {
	if ($valid eq 'N' && $line =~ /^$user:/) {
		$line = "#$line";          # deactivate: comment the entry out
	}
	elsif ($valid eq 'Y' && $line =~ /^#$user:/) {
		$line =~ s/^#//;           # reactivate: remove the comment marker
	}
	push @lines, $line;
}
close $in;

# Write to a temporary file and rename it into place so Apache never reads a
# half-written htpasswd.
my $tmp = "$file.tmp";
open my $out, '>', $tmp or die "Can't write to $tmp: $!\n";
print $out @lines;
close $out or die "Can't close $tmp: $!\n";
rename $tmp, $file or die "Can't replace $file: $!\n";

@beaudu
Member

beaudu commented Jun 28, 2022

I suggest adding a colon `:` at the end of the login name to prevent matching similar logins:
if ($line =~ /^$login:/ && $valid eq 'N') {
and
if ($line =~ /^#$login:/ && $valid eq 'Y') {
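A check for the inconsistency this issue describes (an account Apache accepts while WebObs has not validated it), as an added example that is not part of WebObs or of this thread: it parses an htpasswd file, treating a leading `#` as the disabled marker proposed above, and compares the active entries with the user table. The table schema (`login`, `valid` columns), the sample entries and the placeholder hashes are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample htpasswd; the hashes are placeholders, not real credentials.
HTPASSWD = """alice:$apr1$placeholder1
bob:$apr1$placeholder2
#carol:$apr1$placeholder3
bobby:$apr1$placeholder4
dave:$apr1$placeholder5
"""

# Constructed rows mirroring an assumed (login, valid) subset of the WebObs user table.
USERS = [("alice", "Y"), ("bob", "N"), ("carol", "N"), ("bobby", "Y")]

# One htpasswd entry: optional '#' (disabled), login up to the first ':', then the hash.
ENTRY_RE = re.compile(r"^(?P<off>#?)(?P<login>[^:#\s][^:]*):\S+$")


def parse_htpasswd(text):
    """Map each login to True when its entry is active (not commented out)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        entries[m.group("login")] = m.group("off") == ""
    return entries


def load_validity(rows):
    """Load the constructed rows into an in-memory SQLite table (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT PRIMARY KEY, valid TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return dict(con.execute("SELECT login, valid FROM users"))


def audit(htpasswd_text, rows):
    """Return (login, reason) for entries Apache would accept but WebObs would not."""
    active = parse_htpasswd(htpasswd_text)
    validity = load_validity(rows)
    findings = []
    for login in sorted(active):
        if not active[login]:
            continue  # commented out: Apache rejects it, so no exposure
        if login not in validity:
            findings.append((login, "not in user table"))
        elif validity[login] != "Y":
            findings.append((login, "valid=" + validity[login]))
    return findings
```

Running `audit(HTPASSWD, USERS)` on the sample flags `bob` (registered but not validated) and `dave` (present in htpasswd only), while the commented-out `carol` entry is not reported.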
