Security issue and spamming

13 years 2 months ago - 13 years 2 months ago #155808 by derekk
Security issue and spamming was created by derekk
I started having spamming issues increase and investigated the issue.

I came upon this old thread in your forum posted below from this link
www.joomlapolis.com/forum/8-usability/6977-confirmation-link-not-working-correctly?limit=6&start=24

I checked my confirmation emails and the hash is still there in mine, pasted url below with xxx for my privacy
blaxxxxort.org/index.php?option=com_comprofiler&task=confirm&confirmcode=regf75axxxxxxxxxxxxe581a3cec3e3feb76eb44b8bxxx4cae0b162685&Itemid=48



How do I fix these, protect the hash as the user below suggests?



The "confirmation code" is simply the md5 hash of the user's id. This makes the hashing of the user's id useless and the challenge sent to the user's email is useless also.
It's like sending the user a url such as:

example.com?index.php?option=com_comprofiler&task=confirm&confirmcode=[userid]

It makes the whole purpose of sending a challenge to the user email meaningless as a simple php script can be written to confirm every single userid on a comprofiler based website...

Simply something like:

<?php

for($i = 63; $i < 100; $i++) {
$f = fopen("http://example.com?index.php?option=com_comprofiler&task=confirm&confirmcode=$i", 'r');
fclose($f);
}

?>



This will effectively confirm every email address from userid of 63-100.
Hopefully this could get fixed in the next release as it may be one of the reasons I get so many spammers registering on my site... I know other CB users have the same problem.
The whole purpose of a challenge is that it is randomly generated, and complex enough (low probability of being repeated) not to be "guessed" out. Not created out of the userid


13 years 2 months ago - 13 years 2 months ago #155817 by krileon
Replied by krileon on topic Re: Security issue and spamming
This is a completely false statement. It's possible it is the case for older releases but with 1.4 source it's clearly not the case. Please see the below function which is responsible for generating the confirmation code.

IN: administrator/components/com_comprofiler/library/cb/cb.tables.php
ON: Lines 1692-1701
	function _setActivationCode( ) {
		global $_CB_framework;

		$randomHash						=	md5( cbMakeRandomString() );
		$scrambleSeed					=	(int) hexdec(substr( md5 ( $_CB_framework->getCfg( 'secret' ) . $_CB_framework->getCfg( 'db' ) ), 0, 7));
		$scrambledId					=	$scrambleSeed ^ ( (int) $this->id );
		$this->cbactivation				=	'reg' . $randomHash . sprintf( '%08x', $scrambledId );
		// for CMS compatibility (and JFusion compatibility):
		$this->activation				=	$randomHash;
	}

To explain the above, a random hash is generated from a random string with no relation to the userid. The userid is then scrambled with additional random characters, then the two are appended to one another. There is no way to reverse engineer the confirmation code, same as it's impossible to reverse engineer a user's password.

Please ensure you've CB 1.4 installed.

If you've more evidence to support this claim then would be glad to review it. Please keep in mind if you created a user by any other means than CB and that means is setting the activation code then that would be the culprit. Simply passing userid that has been md5 will fail to confirm the user.

Additionally the below is how the confirmation link is generated.

IN: administrator/components/com_comprofiler/comprofiler.class.php
ON: Lines 5014-5029
		if( $ueConfig['reg_confirmation'] == 1 ) {
			if ( $row->confirmed ) {
				$confirmLink	=	"\n" . _UE_USER_EMAIL_CONFIRMED . ".\n";
			} else {
				if ( $row->cbactivation ) {
					$confirmCode = $row->cbactivation;
				} else {
					$confirmCode = '';
				}
				// no sef here !  space added after link for dumb emailers (Ms Entourage)
				$confirmLink = " \n".$_CB_framework->getCfg( 'live_site' )."/index.php?option=com_comprofiler&task=confirm&confirmcode=" . $confirmCode . getCBprofileItemid( false, 'confirm' ) . " \n";
				// not implemented in viewUrl yet: $confirmLink = " \n". $_CB_framework->viewUrl( 'confirm', array( 'confirmcode' => $confirmCode ) ) ." \n";
			}
		} else {
			$confirmLink = ' ';
		}


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
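An added example, not part of the thread and not Community Builder's own code: a PHP audit that classifies stored confirmation codes as id-derived (the pattern the older thread describes) or as matching the layout produced by the _setActivationCode() excerpt above, and checks a supplied code against the stored one with hash_equals. The function names, the sample rows and the constructed-secret / constructed_db values are assumptions made for illustration.

```php
<?php
// Added example, not Community Builder code. Audits stored confirmation codes.
// Assumption: the two arguments stand in for the site's 'secret' and 'db' config values.

/** Same seed derivation as the _setActivationCode() excerpt quoted above. */
function scrambleSeed(string $secret, string $db): int {
    return (int) hexdec(substr(md5($secret . $db), 0, 7));
}

/** Classify one stored code for a given user id (hypothetical helper). */
function classifyCode(int $userId, string $code, int $seed): string {
    if ($code === '') {
        return 'empty';
    }
    // Pattern described in the old thread: code derived only from the user id.
    if ($code === (string) $userId || hash_equals(md5((string) $userId), $code)) {
        return 'predictable';
    }
    // 1.4 layout: 'reg' + 32 hex chars (random part) + 8 hex chars (id XOR seed).
    if (preg_match('/^reg([0-9a-f]{32})([0-9a-f]{8})$/', $code, $m)) {
        $id = ((int) hexdec($m[2])) ^ $seed;
        return $id === $userId ? 'cb14-ok' : 'cb14-id-mismatch';
    }
    return 'unknown-format';
}

/** Confirmation check: exact, constant-time match against the stored value. */
function confirmMatches(string $stored, string $supplied): bool {
    return $stored !== '' && hash_equals($stored, $supplied);
}

// Constructed sample rows (user id => stored code); none are real values.
$seed   = scrambleSeed('constructed-secret', 'constructed_db');
$random = bin2hex(random_bytes(16)); // 32 hex chars from the CSPRNG
$rows   = [
    63 => md5('63'),                                     // id-derived code
    64 => 'reg' . $random . sprintf('%08x', $seed ^ 64), // 1.4 layout
    65 => '',                                            // no code stored
];
foreach ($rows as $id => $code) {
    printf("%d\t%s\n", $id, classifyCode($id, $code, $seed));
}
// A code is accepted only when it equals the stored value in full.
var_dump(confirmMatches($rows[64], $rows[64]));
var_dump(confirmMatches($rows[64], md5('64')));
```

Rows reported as predictable or unknown-format point to accounts whose activation code was set by something other than the function quoted above.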


13 years 2 months ago #155829 by derekk
Replied by derekk on topic Re: Security issue and spamming
Thanks Krileon
Yes, I am using 1.4. Should it still be displaying that url with the hash after the confirmation link has been clicked in 1.4?
I am using CB strictly for registration.


13 years 2 months ago - 13 years 2 months ago #155849 by krileon
Replied by krileon on topic Re: Security issue and spamming

derekk wrote: Thanks Krileon
Yes, I am using 1.4. Should it still be displaying that url with the hash after the confirmation link has been clicked in 1.4?
I am using CB strictly for registration.

Yes, it's fine for it to remain in URL. The hash is random and not possible to fake. It's compared to the one stored for the user in database; if it doesn't match character for character then confirmation will fail. So appending just user_id for instance will fail. Not possible for someone to generate the hash from an outside source either as again is completely random and would probably take 100 years or more to duplicate just 1 user's hash, which would be rather pointless.


Kyle (Krileon)
Community Builder Team Member
