Wiki source for ActionsWithCheckSum



>>**See Also**
~- Mod018fIFrameAction
~- SecurityInfo
**Proof of Concept Code**
~- Don't use this code in production yet.
>>===== Adding a checksum to limit usage =====
//Discussion: Don't rely on authentication alone for security.//

=== Short ===
~- Add a password/checksum (md5) to an action/function/...
~- Control **where** (page/server/...) an action/function/... can be used.

=== Background ===
~- Because every action is executed the moment the page is requested, the page is built with the credentials of the user requesting it (and not those of the user who wrote it). This forces us to restrict some actions (e.g. to the admin user only), as it is too dangerous to let everyone play with them. What if we could provide something that fully works "as is" but stops working the moment someone changes it?
~- A nice example is the iframe action. By default it is disabled (put in the inaccessible "/intranet" directory). It's not that iframe is a dangerous HTML tag; the risk is rather that someone else uses it in a way that we wouldn't like and couldn't control...
~- Wait a moment. What if we could control it? ... (Thank you GPL ;-)

=== Two stages ===
~- First stage: Lock down.
~~- Do I have access to this action?
~~- Generate a checksum from a small (extra/new) script with the input of a simple web form.
~~- Output: Show the right code to the user.
~- Second stage: (try to) Unlock
~~- Check the checksum. Same as before, just with one extra param: 'md5'.
~~- If successful, show the content

=== Proof of Concept ===
~ 1. Lock down (save as ##actions/geniframe.php##)
%%(php)<?php
// Lock down: form that generates the checksummed action code (admin only).
$req_url = isset($_REQUEST["url"]) ? stripslashes($_REQUEST["url"]) : '';

print $this->FormOpen("", "", "POST");
print 'page:<input name="page" type="text" value="'.htmlspecialchars($this->tag).'"><br />';
print 'url:<input name="url" type="text" value="'.htmlspecialchars($req_url).'"><br />';
print '<input name="submit" type="submit" value="Submit" accesskey="s">';
print $this->FormClose();

// Per-server string; must be identical to the one in actions/iframe.php.
// Inside double quotes PHP expands $tri (an undefined variable) and the \n and \r escapes.
$rnd = "AStupid$tri\ngToMake!tHarde\rFor BruteForceH4cke\rs";

if ($req_url !== '' && $this->isAdmin())
{
    $url = $req_url;
    $req_page = isset($_REQUEST["page"]) ? stripslashes($_REQUEST["page"]) : '';
    $page = $this->ExistsPage($req_page) ? $req_page : $this->tag;
    $shown = htmlspecialchars($url); //escaped for display only; the checksum covers the raw $url

    print "<br />OLD: {{iframe url=\"$shown\" height=\"480\" width=\"640\"}}<br />\n\n";

    //Generate CheckSum...
    $md5 = md5( 'iFrame'.                        //prevent reusing the md5 for another action
                $this->config["mysql_password"]. //Something you would never give away
                $page.                           //prevent usage on another page
                $rnd.                            //prevent usage on another server (=other rnd!)
                $url );                          //prevent changes in the url

    print "<br />NEW: {{iframe url=\"$shown\" height=\"480\" width=\"640\" md5=\"$md5\"}}<br />\n\n";
}
?>%%
~ 2. Unlock (save as ##actions/iframe.php##)
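%%(php)<?php
// Per-server string; must be identical to the one in actions/geniframe.php.
$rnd = "AStupid$tri\ngToMake!tHarde\rFor BruteForceH4cke\rs";
$width = $this->htmlspecialchars_ent(trim($vars['width']));
$height = $this->htmlspecialchars_ent(trim($vars['height']));
$url = $this->cleanUrl(trim($vars['url']));
$given = isset($vars['md5']) ? (string) $vars['md5'] : '';

// Recompute the checksum for this action, server, page and url.
$md5 = md5('iFrame'. $this->config["mysql_password"] . $this->tag . $rnd . $url);
//DEBUG remove when in production: this writes the expected checksum into the page source
print "<!-- $md5 - ".htmlspecialchars($given)." -->";

// Strict comparison: with == two different "0e..." hex strings can compare equal as numbers.
if( $md5 === $given )
{
    echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';
}
else
{
    print "ERROR...";
}
?>%%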

=== The change ===
~- This is the output of the first script, generating the correct code for you:
~~ OLD: ""{{iframe url="http://www.google.com/" height="480" width="640"}}""
~~ NEW: ""{{iframe url="http://www.google.com/" height="480" width="640" md5="7f30d953687f82ecb15f64d0606f7d3e"}}""
~~~ So this action can only be included on my intranet server, on the "SandBox" page AND with "http://www.google.com/" as url...
~- Not much changes: one more param in the action. Even the new iframe action isn't that different from the old one (one extra check).

=== Note ===
~- For the moment, width and height aren't included in the md5sum. This allows a user some level of flexibility...
~- The md5 generator code would become one central function in production.
~- Idea: $rnd generated by the setup script? Saved in $config['rnd'] ?

-- OnegWR
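
The "one central function" idea from the note above, as an added example (not part of the original proof of concept or of WikkaWiki). It swaps the plain md5() over concatenated strings for HMAC-SHA256 with length-prefixed fields and a constant-time comparison; the function names, the dedicated secret and the sample values are assumptions.

```php
<?php
// Added example, not part of the original proof of concept.
// action_checksum() and action_checksum_ok() are hypothetical helper names.
// Needs PHP 5.6+ for hash_equals().

// Bind an action to one page, one server secret and a chosen set of
// parameter values (e.g. url). Parameters left out of $bound, such as
// width and height, stay editable.
function action_checksum($action, $page, array $bound, $secret)
{
    ksort($bound); // parameter order must not matter
    $fields = array($action, $page);
    foreach ($bound as $name => $value) {
        $fields[] = $name;
        $fields[] = $value;
    }
    $msg = '';
    foreach ($fields as $field) {
        $field = (string) $field;
        // Length prefix keeps neighbouring fields from running together.
        $msg .= strlen($field) . ':' . $field;
    }
    // Keyed HMAC rather than a plain hash over secret . data.
    return hash_hmac('sha256', $msg, $secret);
}

function action_checksum_ok($action, $page, array $bound, $secret, $given)
{
    // Reject missing or non-string input, then compare in constant time.
    return is_string($given)
        && hash_equals(action_checksum($action, $page, $bound, $secret), $given);
}

// Constructed sample values; $secret stands in for the $config['rnd'] idea.
$secret = 'constructed-per-server-secret';
$bound  = array('url' => 'http://www.google.com/');
$sum    = action_checksum('iFrame', 'SandBox', $bound, $secret);

$cases = array(
    'same page and url' => array('iFrame', 'SandBox', $bound, $sum),
    'other page'        => array('iFrame', 'HomePage', $bound, $sum),
    'changed url'       => array('iFrame', 'SandBox', array('url' => 'http://example.org/'), $sum),
    'other action'      => array('include', 'SandBox', $bound, $sum),
    'missing checksum'  => array('iFrame', 'SandBox', $bound, null),
);
foreach ($cases as $label => $c) {
    $ok = action_checksum_ok($c[0], $c[1], $c[2], $secret, $c[3]);
    echo str_pad($label, 20), $ok ? 'accepted' : 'rejected', "\n";
}
```

Only the first case is accepted; a different page, url or action, or a missing checksum, is rejected.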
----
=== Remarks ===
//Please feel free to contribute!//
~- How easy would it be to guess my mysql_password? -- OnegWR
~- ...



----
CategoryDevelopmentSecurity