[Xerte] Re: Security concern
Davies, Dale
Dale.Davies at liv-coll.ac.uk
Fri Aug 12 14:10:53 BST 2011
Hi Pat,
Well, md5 seems to be the traditional hash algorithm used by most,
although sha1 if you want to make it harder for an attacker using
something like rainbow tables to check for hash collisions. I gather
these would be available on most up to date PHP installations.
Perhaps it would be worth researching methods implemented by other open
source developments; WordPress, being the one I am most familiar with,
employs hashing and salts.
I also found this article on NetTuts+ quite useful, which explains it
all much better than I can!
http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/
Dale Davies - VLE / E-Learning Developer
Liverpool Community College, CIS Dept, Bankfield Road, Liverpool, L13 0BQ.
Web: http://www.liv-coll.ac.uk
Tel: 0151 252 3238
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Pat Lockley
Sent: 12 August 2011 13:03
To: Xerte discussion list
Subject: [Xerte] Re: Security concern
The problem I had was working out (during the installer) which hash
would be supported.
http://php.net/manual/en/function.crypt.php - this has a sort of example
/ discussion of the problem.
And most people who install XOT wouldn't understand me asking for "a
salt", and then a fixed "salt" is probably bad practice? I would guess
you could make the salt out of the URL maybe? But then it's a known
algorithm attack anyway.
On Fri, Aug 12, 2011 at 12:36 PM, Davies, Dale
<Dale.Davies at liv-coll.ac.uk> wrote:
Hi Matt,
I'm no security "expert", but I have plenty of experience with this sort
of thing in the past; I guess it is something that gets drummed into you
if you're a developer.
It is good practice to hash passwords using a strong algorithm before
storing them in a database; that way, if the database is ever compromised
and an attacker is able to dump the user table, they will not be able to
directly read the passwords.
Probably wouldn't be that difficult to change the management.php script
to check the hash of the password entered at login against a hashed
password in the database, rather than just comparing the passwords in
plain text. I might take a look into it myself next week if I have
time.
It may be worth also considering password protecting the file itself at
the server level, so that if you try to access management.php from your
browser you will first be presented with an authentication dialogue from
the browser. Use a different password for this than you do for the
Xerte admin page. See this tutorial for using .htaccess (Apache) to do
this...
http://johnbokma.com/mexit/2007/01/09/password-protecting-single-file-htaccess.html
This way, even if an attacker manages to dump the database to a page and
read the management password, they will still not be able to log in to
the admin section because they won't be able to get past the browser's
authentication dialogue (as this uses a different password not stored in
the database at all).
Another thing you can do to make the process of dumping database tables
a little more difficult for a would-be attacker is to use a unique table
name prefix; this will make it harder for an attacker to guess the
correct table names if they find an SQL injection vulnerability
anywhere.
Let me know if this helps, or if you think I'm wrong; I have been known
to be wrong many times in the past!
Dale Davies - VLE / E-Learning Developer
Liverpool Community College, CIS Dept, Bankfield Road, Liverpool, L13 0BQ.
Web: http://www.liv-coll.ac.uk
Tel: 0151 252 3238
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Matt Lingard
Sent: 11 August 2011 15:46
To: Xerte discussion list
Subject: [Xerte] Security concern
The systems manager at my institution has raised a security concern
regarding the password for the admin account for our Xerte Online
toolkit.
I'm told that the password is clear text (i.e. the characters are visible)
in a table in the database called 'sitedetails' (as it is the
management.php interface). He suggests that this isn't good practice.
Has anyone else had any concerns raised about this? We run other
services on the same server.
I'm not particularly technical myself, just trying to ascertain the
level of risk.
thanks,
Matt
--
Matt Lingard,
Learning Technologist
LSE
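The thread above raises three points on the login password: which hash scheme an installer can rely on (Pat's crypt() question), that a fixed or URL-derived salt is a poor choice (a salt should be random and stored with the hash), and that the login script should compare a hash rather than the plain text (Dale's management.php suggestion). The following is an added example illustrating all three, not code from Xerte/XOT or from anyone in the thread; the function names, the `sha1$salt$digest` fallback format and the sample password are assumptions made for the illustration.

```php
<?php
// Added example (not XOT code): salted password hashing for a PHP login
// script. All function names here are assumptions for the illustration.

// Pick the strongest crypt() scheme this PHP build supports. This is the
// "which hash will be supported" check an installer can run once.
function strongest_crypt_scheme()
{
    // $2y$ bcrypt needs PHP >= 5.3.7 to be safe; CRYPT_BLOWFISH == 1 means available.
    if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1
        && version_compare(PHP_VERSION, '5.3.7', '>=')) {
        return 'blowfish';
    }
    if (defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) {
        return 'sha512';
    }
    return 'sha1-fallback';
}

// Random salt bytes from the OS, never a fixed value or something public
// like the site URL (an attacker who reads the source would know it).
function random_salt_bytes($length)
{
    if (function_exists('random_bytes')) {                 // PHP 7+
        return random_bytes($length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {  // ext/openssl
        return openssl_random_pseudo_bytes($length);
    }
    return file_get_contents('/dev/urandom', false, null, 0, $length);
}

// crypt() salts use the 64-character alphabet ./0-9A-Za-z. 256 is a
// multiple of 64, so "% 64" introduces no bias.
function crypt_salt_chars($count)
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $bytes = random_salt_bytes($count);
    $out = '';
    for ($i = 0; $i < $count; $i++) {
        $out .= $alphabet[ord($bytes[$i]) % 64];
    }
    return $out;
}

// Hash a new password. The result embeds the scheme and salt, so the
// 'sitedetails' row needs only one column and no separate salt column.
function hash_password($password)
{
    switch (strongest_crypt_scheme()) {
        case 'blowfish':
            return crypt($password, '$2y$10$' . crypt_salt_chars(22));   // cost 2^10
        case 'sha512':
            return crypt($password, '$6$rounds=50000$' . crypt_salt_chars(16) . '$');
        default:
            // Very old builds: salted sha1 in an assumed "sha1$<salt>$<digest>" layout.
            $salt = bin2hex(random_salt_bytes(16));
            return 'sha1$' . $salt . '$' . sha1($salt . $password);
    }
}

// Verify a login attempt against the stored hash rather than comparing
// plain text. crypt($password, $stored) re-reads scheme and salt from $stored.
function verify_password($password, $stored)
{
    if (strpos($stored, 'sha1$') === 0) {
        list(, $salt, $digest) = explode('$', $stored, 3);
        $candidate = sha1($salt . $password);
    } else {
        $digest    = $stored;
        $candidate = crypt($password, $stored);
    }
    return constant_time_equals($digest, $candidate);
}

// Constant-time comparison so response timing does not reveal how many
// leading bytes of the hash matched.
function constant_time_equals($a, $b)
{
    if (function_exists('hash_equals')) {   // PHP >= 5.6
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Usage: at install time store hash_password($adminPassword) instead of
// the plain password; at login call verify_password($entered, $storedHash).
$stored = hash_password('correct horse battery staple');   // constructed sample
var_dump(verify_password('correct horse battery staple', $stored));
var_dump(verify_password('wrong password', $stored));
```

On PHP 5.5 or later the same thing is done with the built-in `password_hash()` and `password_verify()` functions, which select bcrypt, generate the salt and do the constant-time comparison themselves; the hand-rolled scheme detection above is only needed for installers that must run on older builds, as the thread describes.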
This message and any attachment are intended solely for the addressee
and may contain confidential information. If you have received this
message in error, please send it back to me, and immediately delete it.
Please do not use, copy or disclose the information contained in this
message or in any attachment. Any views or opinions expressed by the
author of this email do not necessarily reflect the views of the
University of Nottingham.
This message has been checked for viruses but the contents of an
attachment may still contain software viruses which could damage your
computer system: you are advised to perform your own checks. Email
communications with the University of Nottingham may be monitored as
permitted by UK legislation.
________________________________
Please consider the environment before printing this email.
________________________________
This email and any attachments are confidential and intended solely for
the use of the individual to whom it is addressed. Any views or opinions
presented are solely those of the author and do not necessarily
represent those of Liverpool Community College or associated companies.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The message content of in-coming emails is automatically scanned to
identify Spam and viruses otherwise Liverpool Community College does not
actively monitor content. However, sometimes it will be necessary for
Liverpool Community College to access business communications during
staff absence.
Liverpool Community College has taken steps to ensure that this email
and any attachments are virus free. However, it is the responsibility of
the recipient to ensure that it is virus free and no responsibility is
accepted by Liverpool Community College for any loss or damage arising
in any way from its use.
________________________________
_______________________________________________
Xerte mailing list
Xerte at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte