Unsecure MD5 Activation URLs

17 years 10 months ago #14702 by moneybagsxp
Unsecure MD5 Activation URLs was created by moneybagsxp
In my quest to customize an "Activation URL Resend Routine" www.joomlapolis.com/component/option,com_joomlaboard/Itemid,38/func,view/catid,31/id,14641#14641/
I uncovered the truth, and ironically proved my own expectation was true:

The activation URL that is sent is merely a simple call to md5(), passing the row id as the parameter. ...the issue? The key is not secure. :evil:

Technically, if someone wanted to, they could loop through a select statement generating custom activation URLs that would "activate" the user (row) associated with the ID.

One example of such:

Using MySQL, this would create Activation URLs for records 1, 10 and 50 in the jos_comprofiler table.

[code:1]
select concat( 'www.domain-name-here.com/index.php?option=com_comprofiler&task=confirm&confirmcode=' , md5( 1 ) ) as confirm_url
union
select concat( 'www.domain-name-here.com/index.php?option=com_comprofiler&task=confirm&confirmcode=' , md5( 10 ) )
union
select concat( 'www.domain-name-here.com/index.php?option=com_comprofiler&task=confirm&confirmcode=' , md5( 50 ) )
[/code:1]


The feature request is to create some type of random encryption SALT for alternate encryption during installation. Possibly an alternate confirmation code method? In short, provide an easily added layer of security.

While I don't see this as that large of a potential flaw, it probably should be considered in the next release/update of CB. Realistically, all this really means is that a user could register with a bunk email address, attempt to force activate his account by programmatically iterating across a set of custom activation URLs, and log in to a site without ever having confirmed an email. Further, this could spoil the confirmation process of ALL other IDs as well, tainting the accuracy of valid emails in your user tables. :pinch:

Post edited by: moneybagsxp, at: 2006/07/10 22:06

www.pixelchutes.com - Where every pixel matters.


17 years 10 months ago #14892 by moneybagsxp
Replied by moneybagsxp on topic Re:Unsecure MD5 Activation URLs
:blink: I can't believe nobody has an opinion on this :dry:

Another approach could be to have a random id associated with each user that is the MD5-key that ties back to the Row ID. This wouldn't require as much of a mod to the base-core package, and would probably be easier to implement...

Post edited by: moneybagsxp, at: 2006/07/10 22:05

www.pixelchutes.com - Where every pixel matters.
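
The random per-user confirmation code proposed in the two posts above, sketched as an added example; it is not part of the thread and not Community Builder's code. The function names, the in-memory `$users` array standing in for the user table, and the 24-hour expiry are assumptions, and `random_bytes()` requires PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the user table: row id => activation state.
$users = [
    50 => ['confirmed' => false, 'token_hash' => null, 'token_expires' => 0],
];

// Issue a fresh activation token for a row. Only a SHA-256 digest is stored,
// so a leaked table does not reveal usable confirmation codes.
function issueActivationToken(array &$users, int $id, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $users[$id]['token_hash']    = hash('sha256', $token);
    $users[$id]['token_expires'] = time() + $ttl;
    return $token;                                 // appears only in the e-mailed URL
}

// Confirm an account. The stored digest is compared in constant time and the
// token is cleared afterwards so the same URL cannot be used twice.
function confirmAccount(array &$users, int $id, string $code): bool
{
    $row = $users[$id] ?? null;
    if ($row === null || $row['token_hash'] === null || $row['confirmed']) {
        return false;                              // unknown row or nothing pending
    }
    if (time() > $row['token_expires']) {
        return false;                              // token too old
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $code))) {
        return false;                              // code does not match this row
    }
    $users[$id]['confirmed']  = true;
    $users[$id]['token_hash'] = null;              // single use
    return true;
}

$token = issueActivationToken($users, 50);
var_dump(confirmAccount($users, 50, md5('50')));   // code derived from the row id
var_dump(confirmAccount($users, 50, $token));      // token taken from the e-mail
var_dump(confirmAccount($users, 50, $token));      // same token presented again
```

Because the code is independent of the row id, knowing or guessing an id no longer yields a valid confirmation URL, and a salt shared by the whole site is not needed.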
