
I've tried to improve the security of OpenComment, and I want to present it here so you can give it a look and have the chance to provide me feedback:

First, I've created an Oracle (class OpenCommentSecurities) which creates oracleKeys that are tightly bound to the request context.

Each oracleKey created by the Oracle has the following properties:
  • oracleKeys returned are always MD5 hashed
  • oracleKeys depend on the current date and time (to the hour), the server and the user's browser agent
  • oracleKeys can time out
Here is the algorithm:

  // Bind the key to the visitor: the session id, or the client address
  // when no session exists.
  $key = session_id();
  if (!$key) {
      $key = $_SERVER['REMOTE_ADDR'];
  }
  // Mix in the server (Joomla absolute path), the browser agent and the
  // current hour; the hour component is what makes the key time out.
  $value = $key .
      $GLOBALS['mosConfig_absolute_path'] .
      $_SERVER['HTTP_USER_AGENT'] .
      date("F j, Y, g a");
  return md5($value);

Security 1
All AJAX-enabled functions will test the oracleKey submitted by the browser (it can time out!), so nobody should be able to mount a mass attack on OpenComment across multiple servers.

All comments will be identified by a hidden field; I name them commentChallengeKeys, and they have the following properties:
  • commentChallengeKeys in the page are always MD5 hashed
  • commentChallengeKeys share a common base with the Oracle: an oracleKey for each comment
  • commentChallengeKeys are made from a Universally Unique IDentifier, version 4 (UUID). Yes, I've got rid of the numeric id: the entropy is higher than that of the SQL key, and UUIDs should never collide in a reasonable amount of time when you merge data across databases
Here is the algorithm:

  return md5($oracleKeys . $commentUUID);

Security 2
All AJAX-enabled functions will test the oracleKey submitted by the browser AND the commentChallengeKey, so nobody should be able to replay the same RateUp/RateDown attack against multiple servers.
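The following is an added example, not OpenComment's own code: it puts the oracleKey algorithm, the commentChallengeKey derivation and the Security 1/2 server-side checks together in one runnable PHP script. The function names, the previous-hour grace period and all sample values are assumptions of mine.

```php
<?php
// Added example (not OpenComment's code). Recomputes the oracleKey and
// commentChallengeKey as described in the post and verifies the pair a
// browser sends back. Function names and sample values are assumed.
date_default_timezone_set('UTC');

function makeOracleKey(string $sessionOrIp, string $absolutePath,
                       string $userAgent, int $time): string {
    // Same ingredients as the post: session id (or REMOTE_ADDR fallback),
    // Joomla absolute path, browser agent and the hour-granular timestamp.
    return md5($sessionOrIp . $absolutePath . $userAgent . date("F j, Y, g a", $time));
}

function makeChallengeKey(string $oracleKey, string $commentUuid): string {
    return md5($oracleKey . $commentUuid);
}

// Server-side check. The oracleKey rolls over at the top of every hour, so a
// page rendered at 10:59 would be rejected at 11:00; also accepting the
// previous hour's key (an assumption beyond the post) closes that gap while
// keeping the timeout. hash_equals() avoids timing leaks on the comparison.
function verifyRequest(string $sentOracleKey, string $sentChallengeKey,
                       string $sessionOrIp, string $absolutePath,
                       string $userAgent, string $commentUuid, int $now): bool {
    foreach ([$now, $now - 3600] as $t) {
        $expectedOracle = makeOracleKey($sessionOrIp, $absolutePath, $userAgent, $t);
        if (hash_equals($expectedOracle, $sentOracleKey)
            && hash_equals(makeChallengeKey($expectedOracle, $commentUuid), $sentChallengeKey)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values (not a real session id, path or UUID).
$sessionId = 'constructed-session-id';
$path      = '/var/www/joomla';
$agent     = 'Mozilla/5.0 (constructed UA)';
$uuid      = '123e4567-e89b-42d3-a456-426614174000';
$rendered  = strtotime('2024-01-15 10:59:00');

$oracle    = makeOracleKey($sessionId, $path, $agent, $rendered);
$challenge = makeChallengeKey($oracle, $uuid);

// Submitted one minute later, across the hour boundary (previous-hour key).
var_dump(verifyRequest($oracle, $challenge, $sessionId, $path, $agent, $uuid, $rendered + 60));
// Same keys replayed from a browser with a different user agent.
var_dump(verifyRequest($oracle, $challenge, $sessionId, $path, 'other UA', $uuid, $rendered + 60));
// Same keys replayed two hours later, past the timeout.
var_dump(verifyRequest($oracle, $challenge, $sessionId, $path, $agent, $uuid, $rendered + 7200));
```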

Security 3
All parameters passed to AJAX will be sanitized on the server to avoid XSS attacks; strip_tags() removes HTML markup and mysql_real_escape_string() escapes the result for the SQL query:

  $commentTitle = mysql_real_escape_string(strip_tags($title));

Open items
  • Preventing users from rating comments too often is still not solved...
  • I will welcome any code review or help...
Next steps...
  • Migration scripts...
  • Administrator panel has to be brought up to date...
  • Testing, testing...
  • Code reviews...
Do you see something more? Comments are welcome ;-)
