Main Menu

Recommended sites

Add to MyYahoo!
Subscribe in NewsGator Online
Add to Newsburst
Add to Google
Add to My AOL
Add to Pluck
Subscribe in FeedLounge
Add to Windows Live
Add to NetVibes
Subscribe in Rojo
Subscribe in Bloglines
Add to MyMSN
Add to Plusmo for your cellphone
Add to PageFlakes
Add to Technorati
Add to BlinkBits
OpenComment security: I need Your feedback Print E-mail
User Rating: / 0
PoorBest 
Thursday, 15 June 2006 20:49
I've tried to improve the security of OpenComment, and I want it to present it here, so You can give it  look and have the chance to provide me feedback:

First I've create an Oracle with is creating highly depending oracleKeys (class OpenCommentSecurities)

Each oracleKeys  create by the Oracle has the following properties:
  • oracleKeys  returned are always MD5 encrypted
  • oracleKeys  are depending of current date and time, server and user browser agent
  • oracleKeys  can timeout
Here is the algorithm:
$key = session_id();
if(!$key){
     $key = $_SERVER['REMOTE_ADDR'];
 }
$value = $key .
   $GLOBALS['mosConfig_absolute_path'] .
   $_SERVER['HTTP_USER_AGENT'] .
    date("F j, Y, g a");
 return md5($value);

Security 1
All AJAX enable functions will test the oracleKey submitted by the browser, (can timeout!), so nobody should be able to make mass attack on OpenComment across multiple server  All comments will be identified by a hidden field, I name them commentChallengeKeys, they have the following properties:
  • commentChallengeKeys in page are always MD5 encrypted
  • commentChallengeKeys have a common base with the oracle, a oracleKey for each comment
  • commentChallengeKeys are made of the a Universally Unique IDentifier, version 4 (UUID), Yes Ive get rid of the id, the sql key entropy is higher and UUID should never colllide in a reasonable amount of time when You merge data across databases
Here is the algorithm:
return md5($oracleKeys.$commentUUID) ;

Security 2
All AJAX enable functions will test the oracleKey submitted by the browser AND the commentChallengeKeys, so nobody should be able to replay the same RateUp/Down attack on multiple server.

Security 3
All parameters pass to AJAX will be sanitized on the server to avoid XSS attacks   $commentTitle = mysql_real_escape_string(strip_tags($title));

Open items
  • Avoiding user to Rate comments too often is still not solve...
  • I will welcome any code review or help...
Nest steps...
  • Migration scripts...
  • Administrator panel has to be brng up to date...
  • Testing, testing...
  • Code reviews...
Do You see something more? comments are welcomed ;-)
 

Tags See All Tags Add New Tag...

Please Enter New Tags Separated By Comma's
  Or Close


Powered By Joomla Tags

Comments
Add New Search RSS
using cookies now
Cédric Walter (84.73.239.xxx) 2006-06-17 22:46:13
I've add session cookie support, and their content will be encypted with a RSA
1024 key -> I am currently fighting on installation of PHP PEAR and its crypto
library...

A new project "OpenComment" has been submitted and
accepted at joomla forge
Reply | Quote
0 0
Write comment
Name:
Email:
 
Title:
UBBCode:
[b] [i] [u] [url] [quote] [code] [img] 
 
:):grin;)8):p:roll:eek:upset:zzz:sigh:?:cry
:(:x
Please input the anti-spam code that you can read in the image.

3.20 Copyright (C) 2007 Alain Georgette / Copyright (C) 2006 Frantisek Hliva. All rights reserved."

< Prev   Next >
 

Another articles:


Content View Hits : 2926690

Enter Amount:

demo.waltercedric.com.jpg
demo2.waltercedric.com.jpg
forums.waltercedric.com.jpg
bugs.waltercedric.com.jpg
gallery.waltercedric.com.jpg
wiki.waltercedric.com.jpg