If you're not on the dev list, pull an update/log from the svn for this
weekend's hacks.
# from Ben Bleything
# on Saturday 18 February 2006 10:08 am:
>Shouldn't be hard,
Except for the 15+ ways that this makes it possible to crack someone
else's account. Yeah, I'm super-paranoid, but it never hurts to get
some practice thinking about security, so here goes...
Without something like OpenID on the site, you're pretty much a sitting
duck to anyone that knows your e-mail address and has some way to catch
the plaintext e-mail between the server and your inbox and then get to
the reset form before you. Thus:
a. PGP encrypt the e-mail if the app knew your public key
or
b. just hope someone with mad skillz doesn't have it in for pdx.rb
I like (a) as the next step.
The current implementation just uses rand() to come up with a 20-char
password, which it hashes and sticks in the password_reset field. This
field gets cleared when you login, so there's some protection against
"someone doing something dirty" there. Supposedly, it's possible to
predict what rand() would spit out (by knowing the current time or
something -- I'm not that crypto), so it would be a better step to get
numbers from /dev/urandom, though someone else might be able to
enlighten me as to whether or not that's worth the extra hacking in
light of the above hole (b). In the presence of (a), this seems to be
the only remaining hole.
I've also tried to catch all of the possible fishing scenarios, such as
bots feeding member.id = 0..1000 to the reset page and forcing everyone
to go cancel the reset (you have to at least guess the e-mail.) Maybe
there should be some kind of limit/timeout here to prevent DoS-style
attacks. A scrambled-picture-of-numbers "are you a human" test might
also be nice (not only here, but on the registration page as well.) In
short, if someone has it in for you, I think the most they'll be able
to achieve at present is to severely annoy you with this new
functionality. But don't take my word for it, write some tests, put
your cat on the keyboard, etc.
>someone just needs to do it.
Now someone just needs to test it. I would certainly like to see a few
automated tests around this, but haven't dug in to writing them yet.
As for when we go live with this, that's up to the roots. Maybe we can
have this on the dev. site soon?
--Eric
--
"Ignorance more frequently begets confidence than does knowledge."
-- Charles Darwin
---------------------------------------------------
http://scratchcomputing.com
---------------------------------------------------
_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby
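The reset flow discussed in the message above (a CSPRNG-drawn token instead of rand(), only its hash stored in the password_reset field, the field cleared on use or login, and a per-member timeout against reset floods), as an added Ruby example that is not the pdx.rb code; the PasswordReset class, the Hash-as-row convention and the time constants are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Added example of the reset flow described above (hypothetical class, not
# the pdx.rb code). A member record is a plain Hash standing in for the row.
class PasswordReset
  TOKEN_BYTES  = 20        # 160 bits from the OS CSPRNG
  TOKEN_TTL    = 60 * 60   # reset link valid for one hour
  MIN_INTERVAL = 10 * 60   # at most one reset e-mail per ten minutes

  # Issue a token. SecureRandom draws from /dev/urandom (or the OS
  # equivalent) rather than rand(), so the value is not predictable from the
  # clock. Only the SHA-256 hash is stored; the plaintext goes in the e-mail.
  # Returns nil when a reset was requested too recently (flood protection).
  def self.issue(member, now: Time.now.to_i)
    last = member[:reset_requested_at]
    return nil if last && now - last < MIN_INTERVAL
    token = SecureRandom.hex(TOKEN_BYTES)
    member[:password_reset] = Digest::SHA256.hexdigest(token)
    member[:reset_requested_at] = now
    token
  end

  # Check a token from the reset form: reject expired links, compare hashes
  # in constant time, and clear the field so the link is single-use.
  def self.redeem(member, token, now: Time.now.to_i)
    stored = member[:password_reset]
    return false if stored.nil? || token.nil?
    return false if now - member[:reset_requested_at] > TOKEN_TTL
    return false unless secure_equal?(stored, Digest::SHA256.hexdigest(token))
    clear(member)
    true
  end

  # A normal login also cancels any outstanding reset, as in the message.
  def self.clear(member)
    member.delete(:password_reset)
    member.delete(:reset_requested_at)
  end

  # Byte-wise comparison whose running time does not depend on where the
  # strings first differ.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```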