
OpenComment security: I need Your feedback
I've tried to improve the security of OpenComment, and I want to present it here so You can give it a look and have the chance to provide me feedback:
First I've created an Oracle (class OpenCommentSecurities) which generates oracleKeys that depend heavily on the request context.
Each oracleKey created by the Oracle has the following properties:
- oracleKeys returned are always MD5 hashed
- oracleKeys depend on the current date and time, the server and the user's browser agent
- oracleKeys can time out
Here is the algorithm:
// Session id if there is one, otherwise the client address
$key = session_id();
if (!$key) {
    $key = $_SERVER['REMOTE_ADDR'];
}
// Bind the key to this server install, this browser and the current hour
// (the "g a" hour field is what makes the key time out)
$value = $key . $GLOBALS['mosConfig_absolute_path'] . $_SERVER['HTTP_USER_AGENT'] . date("F j, Y, g a");
return md5($value);
Security 1
All AJAX-enabled functions will test the oracleKey submitted by the browser (it can time out!), so nobody should be able to mount a mass attack on OpenComment across multiple servers.
All comments will be identified by a hidden field; I name them commentChallengeKeys, and they have the following properties:
- commentChallengeKeys in the page are always MD5 hashed
- commentChallengeKeys share a common base with the oracle: an oracleKey for each comment
- commentChallengeKeys are made from a Universally Unique IDentifier, version 4 (UUID). Yes, I've got rid of the id: the SQL key entropy is higher, and UUIDs should never collide in a reasonable amount of time when You merge data across databases
Here is the algorithm:
// The per-comment challenge: the oracleKey bound to the comment's UUID
return md5($oracleKeys . $commentUUID);
Security 2
All AJAX-enabled functions will test the oracleKey submitted by the browser AND the commentChallengeKey, so nobody should be able to replay the same RateUp/Down attack on multiple servers.
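To make the oracleKey and commentChallengeKey checks from Security 1 and 2 concrete, here is an added example of the server-side verification an AJAX RateUp/Down handler would run. This is my own illustration, not OpenComment's code; the request field names and the previous-hour grace window are assumptions, and the comment UUID is assumed to be loaded by the caller.

```php
<?php
// Added example, not OpenComment's own code: one server-side check for the
// oracleKey and commentChallengeKey that an AJAX RateUp/Down request submits.
// Assumed (not in the original post): $_POST['oracleKey'], $_POST['challengeKey'],
// and that the caller already loaded the rated comment's UUID. Needs PHP >= 5.6.
// The post's oracle, with the timestamp passed in so an earlier hour can be derived too.
function openCommentOracleKey($timestamp)
{
    $key = session_id();
    if (!$key) {
        $key = $_SERVER['REMOTE_ADDR'];
    }
    $value = $key
        . $GLOBALS['mosConfig_absolute_path']
        . $_SERVER['HTTP_USER_AGENT']
        . date("F j, Y, g a", $timestamp); // hour granularity is what makes the key time out
    return md5($value);
}

// The post's per-comment challenge: the oracleKey bound to the comment's UUID v4.
function openCommentChallengeKey($oracleKey, $commentUUID)
{
    return md5($oracleKey . $commentUUID);
}

// True only if the submitted oracleKey matches this session, server path and
// browser for the current or the previous hour, and the challengeKey binds that
// same oracleKey to the comment actually being rated.
function openCommentVerifyRating($submittedOracleKey, $submittedChallengeKey, $commentUUID)
{
    $now = time();
    // A page rendered at 10:59 and rated at 11:01 would be rejected without the
    // previous-hour check; accepting both keeps the lifetime under two hours.
    foreach (array($now, $now - 3600) as $ts) {
        $expectedOracle = openCommentOracleKey($ts);
        if (!hash_equals($expectedOracle, $submittedOracleKey)) {
            continue;
        }
        $expectedChallenge = openCommentChallengeKey($expectedOracle, $commentUUID);
        // constant-time comparison, so the mismatch position cannot be timed
        return hash_equals($expectedChallenge, $submittedChallengeKey);
    }
    return false; // other browser/session/server, expired key, or key reused on another comment
}

// AJAX handler use (hypothetical field names):
// if (!openCommentVerifyRating($_POST['oracleKey'], $_POST['challengeKey'], $commentUUID)) {
//     header('HTTP/1.1 403 Forbidden'); exit;
// }
```

Because the oracleKey is tied to the session and the comment UUID, a challengeKey captured on one server or for one comment does not verify on another, which is the replay property Security 2 aims for.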
Security 3
All parameters passed to AJAX will be sanitized on the server to avoid XSS attacks:
$commentTitle = mysql_real_escape_string(strip_tags($title));
Open items
- Preventing a user from rating comments too often is still not solved…
- I will welcome any code review or help…
Next steps…
- Migration scripts…
- Administrator panel has to be brought up to date…
- Testing, testing…
- Code reviews…
Do You see something more? Comments are welcome 😉