I've tried to improve the security of OpenComment, and I want to present it here so you can give it a look and have the chance to provide me feedback:

First I've created an Oracle which creates oracleKeys that depend heavily on the request context (class OpenCommentSecurities).

Each oracleKey created by the Oracle has the following properties:
  • oracleKeys returned are always MD5 hashed
  • oracleKeys depend on the current date and time, the server and the user's browser agent
  • oracleKeys can time out
Here is the algorithm:
$key = session_id();
if (!$key) {
    // no session yet: fall back to the client address
    $key = $_SERVER['REMOTE_ADDR'];
}
// date("F j, Y, g a") only has hour granularity, so the key changes
// (times out) at the next hour boundary
$value = $key .
    $GLOBALS['mosConfig_absolute_path'] .
    $_SERVER['HTTP_USER_AGENT'] .
    date("F j, Y, g a");
return md5($value);

Security 1
All AJAX-enabled functions will test the oracleKey submitted by the browser (it can time out!), so nobody should be able to run a mass attack on OpenComment across multiple servers.

All comments will be identified by a hidden field; I name them commentChallengeKeys, and they have the following properties:
  • commentChallengeKeys in the page are always MD5 hashed
  • commentChallengeKeys share a common base with the oracle: an oracleKey for each comment
  • commentChallengeKeys are built from a Universally Unique IDentifier, version 4 (UUID). Yes, I've got rid of the numeric id: the entropy is higher than the SQL key, and UUIDs should never collide in a reasonable amount of time when you merge data across databases
Here is the algorithm:
return md5($oracleKeys . $commentUUID);

Security 2
All AJAX-enabled functions will test the oracleKey submitted by the browser AND the commentChallengeKey, so nobody should be able to replay the same RateUp/Down attack on multiple servers.
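As an added example (not code from OpenComment), here is a Python port of the oracleKey and commentChallengeKey derivations above, together with the server-side check that Security 1 and Security 2 describe; the request context values, UUID and timestamps are constructed, and the constant-time comparison is an addition to the original PHP.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed sample request context (not real values)
SAMPLE_CTX = dict(session_id="sess123", remote_addr="203.0.113.7",
                  absolute_path="/var/www/joomla", user_agent="Mozilla/5.0")
SAMPLE_NOW = datetime(2008, 3, 5, 15, 20)    # "March 5, 2008, 3 pm"
SAMPLE_LATER = datetime(2008, 3, 5, 16, 5)   # next hour: key has timed out
SAMPLE_UUID = "6fa459ea-ee8a-4ca4-894e-db77e160355e"  # constructed UUID v4


def php_date_stamp(now):
    """Reproduce PHP date("F j, Y, g a"). Only the hour is encoded, so the
    oracleKey is stable within an hour and changes at the next hour."""
    hour12 = now.hour % 12 or 12
    meridiem = "am" if now.hour < 12 else "pm"
    return f"{now.strftime('%B')} {now.day}, {now.year}, {hour12} {meridiem}"


def oracle_key(session_id, remote_addr, absolute_path, user_agent, now):
    # session_id() falls back to REMOTE_ADDR when there is no session
    key = session_id or remote_addr
    value = key + absolute_path + user_agent + php_date_stamp(now)
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def comment_challenge_key(oracle, comment_uuid):
    # md5($oracleKeys . $commentUUID): one challenge key per comment
    return hashlib.md5((oracle + comment_uuid).encode("utf-8")).hexdigest()


def verify_ajax_request(submitted_oracle, submitted_challenge, comment_uuid,
                        session_id, remote_addr, absolute_path, user_agent, now):
    """Security 1 + Security 2: recompute both keys for the current hour and
    reject the request unless both match (constant-time compare is added)."""
    expected_oracle = oracle_key(session_id, remote_addr, absolute_path,
                                 user_agent, now)
    if not hmac.compare_digest(expected_oracle, submitted_oracle):
        return False  # unknown, replayed or timed-out oracleKey
    expected_challenge = comment_challenge_key(expected_oracle, comment_uuid)
    return hmac.compare_digest(expected_challenge, submitted_challenge)
```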

Security 3
All parameters passed to AJAX will be sanitized on the server to avoid XSS attacks:
// strip_tags() removes markup from the value; mysql_real_escape_string() escapes it for the SQL query
$commentTitle = mysql_real_escape_string(strip_tags($title));

Open items
  • Preventing users from rating comments too often is still not solved...
  • I will welcome any code review or help...
Next steps...
  • Migration scripts...
  • The administrator panel has to be brought up to date...
  • Testing, testing...
  • Code reviews...
Do you see something more? Comments are welcome ;-)