[Xerte] Re: Security concern

Pat Lockley patrick.lockley at googlemail.com
Fri Aug 12 14:33:52 BST 2011


Much as anyone is welcome to change their install, unless I can make a
"works for all" I am a bit reluctant to change the core code (not that it's
up to me anymore), but I tend to do most of the support for it.

A fallback of storing text would seem ok, but most people don't pay any
attention to the installer most of the time.

On Fri, Aug 12, 2011 at 2:10 PM, Davies, Dale <Dale.Davies at liv-coll.ac.uk> wrote:

> Hi Pat,
>
> Well md5 seems to be the traditional hash algorithm used by most, although
> sha1 if you want to make it harder for an attacker using something like
> rainbow tables to check for hash collisions. I gather these would be
> available on most up to date PHP installations.
>
> Perhaps it would be worth researching methods implemented by other open
> source developments; WordPress, being the one I am most familiar with, employs
> hashing and salts.
>
> I also found this article on NetTuts+ quite useful, which explains it all
> much better than I can!
>
> http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/
>
> Dale Davies - VLE / E-Learning Developer
> Liverpool Community College, CIS Dept, Bankfield Road, Liverpool, L13 0BQ.
> Web: www.liv-coll.ac.uk
> Tel: 0151 252 3238
>
> From: xerte-bounces at lists.nottingham.ac.uk [mailto:
> xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Pat Lockley
> Sent: 12 August 2011 13:03
> To: Xerte discussion list
> Subject: [Xerte] Re: Security concern
>
>
> The problem I had was working out (during the installer) which hash would
> be supported.
>
> http://php.net/manual/en/function.crypt.php - this has a sort of example /
> discussion of the problem.
>
> And most people who install XOT wouldn't understand me asking for "a salt",
> and then a fixed "salt" is probably bad practice? I would guess you could
> make the salt out of the URL maybe? But then it's a known algorithm attack
> anyways.
>
> On Fri, Aug 12, 2011 at 12:36 PM, Davies, Dale <Dale.Davies at liv-coll.ac.uk>
> wrote:
>
> Hi Matt,
>
>
> I’m no security “expert” but I have plenty of experience with this sort of
> thing in the past; I guess it is something that gets drummed into you if
> you’re a developer.
>
> It is good practice to hash passwords using a strong algorithm before
> storing them in a database; that way, if the database is ever compromised and
> an attacker is able to dump the user table, they will not be able to directly
> read the passwords.
>
> Probably wouldn’t be that difficult to change the management.php script to
> check the hash of the password entered at login against a hashed password in
> the database, rather than just comparing the passwords in plain text. I
> might take a look into it myself next week if I have time.
>
> It may be worth also considering password protecting the file itself at the
> server level, so that if you try to access management.php from your browser
> you will first be presented with an authentication dialogue from the
> browser. Use a different password for this than you do for the Xerte admin
> page. See this tutorial for using .htaccess (Apache) to do this...
> http://johnbokma.com/mexit/2007/01/09/password-protecting-single-file-htaccess.html
>
> This way, even if an attacker manages to dump the database to a page and
> read the management password, they will still not be able to log in to the
> admin section because they won’t be able to get past the browser’s
> authentication dialogue (as this uses a different password not stored in the
> database at all).
>
> Another thing you can do to make the process of dumping database tables a
> little more difficult for a would-be attacker is to use a unique table name
> prefix; this will make it harder for an attacker to guess the correct table
> names if they find an SQL injection vulnerability anywhere.
>
> Let me know if this helps, or if you think I’m wrong, I have been known to
> be wrong many times in the past!
>
> Dale Davies - VLE / E-Learning Developer
>
>
> From: xerte-bounces at lists.nottingham.ac.uk [mailto:
> xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Matt Lingard
> Sent: 11 August 2011 15:46
> To: Xerte discussion list
> Subject: [Xerte] Security concern
>
>
> The systems manager at my institution has raised a security concern
> regarding the password for the admin account for our Xerte Online toolkit.
>
> I'm told that the password is clear text (i.e. the characters are visible) in
> a table in the database called 'sitedetails' (as it is the management.php
> interface). He suggests that this isn't good practice. Has anyone else had
> any concerns raised about this? We run other services on the same server.
>
> I'm not particularly technical myself, just trying to ascertain the level
> of risk.
>
> thanks,
> Matt
>
> --
> Matt Lingard,
> Learning Technologist
> LSE
>
>
> This message and any attachment are intended solely for the addressee and
> may contain confidential information. If you have received this message in
> error, please send it back to me, and immediately delete it. Please do not
> use, copy or disclose the information contained in this message or in any
> attachment. Any views or opinions expressed by the author of this email do
> not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.
>
> ------------------------------
>
> Please consider the environment before printing this email.
> ------------------------------
>
>
> This email and any attachments are confidential and intended solely for the
> use of the individual to whom it is addressed. Any views or opinions
> presented are solely those of the author and do not necessarily represent
> those of Liverpool Community College or associated companies. You must not,
> directly or indirectly, use, disclose, distribute, print, or copy any part
> of this message if you are not the intended recipient.
>
> The message content of in-coming emails is automatically scanned to
> identify Spam and viruses otherwise Liverpool Community College does not
> actively monitor content. However, sometimes it will be necessary for
> Liverpool Community College to access business communications during staff
> absence.
>
> Liverpool Community College has taken steps to ensure that this email and
> any attachments are virus free. However, it is the responsibility of the
> recipient to ensure that it is virus free and no responsibility is accepted
> by Liverpool Community College for any loss or damage arising in any way
> from its use.
>
> _______________________________________________
> Xerte mailing list
> Xerte at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte
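Pat's installer problem above (which hash the host supports, and where a salt comes from when the person installing should not be asked for one) can be settled in code: detect the crypt() scheme at install time and generate a random per-password salt automatically. This is an added example, not Xerte/XOT project code; the xot_* function names are mine, and it assumes PHP 5.3.7 or later with either random_bytes() (PHP 7) or the openssl extension. On PHP 5.5+ the built-in password_hash()/password_verify() pair does the same job.

```php
<?php
// Added example, not Xerte/XOT code; xot_* names are mine. Hashes the admin
// password with a random per-password salt using the strongest crypt()
// scheme the host supports, so the installer never asks for "a salt".
// Assumes PHP >= 5.3.7 and random_bytes() (PHP 7) or the openssl extension.

function xot_make_salt() {
    // 16 random bytes, encoded into the ./0-9A-Za-z alphabet crypt() expects.
    $raw = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
    $chars = strtr(substr(base64_encode($raw), 0, 22), '+', '.');

    if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1) {
        return '$2y$10$' . $chars;                       // bcrypt, cost 2^10
    }
    if (defined('CRYPT_SHA512') && CRYPT_SHA512 === 1) {
        return '$6$rounds=50000$' . substr($chars, 0, 16) . '$';
    }
    // No slow, salted scheme available: refuse rather than fall back to md5.
    throw new RuntimeException('No bcrypt or SHA-512 crypt() support on this host');
}

function xot_hash_password($password) {
    $hash = crypt($password, xot_make_salt());
    // crypt() signals failure with a very short string such as "*0".
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

function xot_check_password($password, $stored_hash) {
    // crypt() reads the scheme, cost and salt back out of the stored hash.
    $candidate = crypt($password, $stored_hash);
    if (function_exists('hash_equals')) {            // PHP >= 5.6
        return hash_equals($stored_hash, $candidate);
    }
    // Constant-time comparison for older PHP.
    if (strlen($candidate) !== strlen($stored_hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($candidate); $i < $n; $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored_hash[$i]);
    }
    return $diff === 0;
}

// Usage: xot_hash_password($pw) is what the installer stores in 'sitedetails';
// at login, xot_check_password($_POST['password'], $stored) replaces the plain-text compare.
```

Because the salt is embedded in the stored hash, the database row carries everything needed to verify a login and nothing that lets an attacker who dumps the table read the password back.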

