Textpattern CMS support forum

#11 2012-01-18 07:20:26

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248

Re: mck_login

Thanks, Dragondz

I have published the 1.6.1 release version.

#12 2012-01-18 08:30:06

Gocom
Plugin Author
Registered: 2006-07-14
Posts: 4,524

Re: mck_login

Nice. v1.6.1 is a big improvement. After taking a quick look, I still found some issues, including some security issues:

  • mck_register_form() is still just as vulnerable to SQL injection, i.e. "name = '" .trim($reg['name']). "'" is missing escaping.
  • mck_show_login() and mck_register_form() are vulnerable to server-side code injections, i.e. $_SERVER['REQUEST_URI'], which should, in all cases at least, be escaped with htmlspecialchars().
  • The plugin defines (global) un-prefixed variables, i.e. $textpack, $log_msg. Wrap the code at the top in a function so they are defined in their own scope.
  • mck_register_form() doesn't prevent forging or brute-force attacks. Anyone can create as many accounts as the server can handle (i.e. 5000 accounts a second). You could at minimum call sleep() before saving the details to add a 3-5 second wait. It would be best if the form had a nonce (once-used token) system that prevents sending the same form directly and repeatedly.

Last edited by Gocom (2012-01-18 08:35:18)

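An added example (mine, not mck_login's or the fork's code) that puts the first two bullets above side by side: the string-concatenated name lookup next to a bound-parameter version, and the reflection of $_SERVER['REQUEST_URI'] into a form with htmlspecialchars() applied. It uses an in-memory SQLite table through PDO so it runs on its own; the table layout, the two sample rows, the injected input and the function names are constructed for the demo. Inside Textpattern the lookup would go through doSlash() or the safe_* helpers against MySQL, but the rule is the same: escape or bind, never concatenate.

```php
<?php
// Added example, not mck_login's code. Constructed in-memory table standing in for
// Textpattern's user table; PDO/SQLite replaces the MySQL helpers so this runs alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE txp_users (name TEXT, email TEXT)");
$db->exec("INSERT INTO txp_users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable shape: the submitted name is concatenated straight into the WHERE clause,
// so a quote in the input ends the string literal and the rest of the input becomes SQL.
function find_user_vulnerable(PDO $db, $name)
{
    $sql = "SELECT name, email FROM txp_users WHERE name = '" . trim($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: the name travels as a bound parameter and can only ever be compared
// as a value; the query text is fixed before any user data is involved.
function find_user_safe(PDO $db, $name)
{
    $st = $db->prepare("SELECT name, email FROM txp_users WHERE name = ?");
    $st->execute([trim($name)]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// The request URI is chosen by the visitor, so reflecting it into the form's action
// attribute needs HTML escaping. ENT_QUOTES also covers the double quote that would
// otherwise close the attribute early.
function form_open($request_uri)
{
    return '<form method="post" action="'
        . htmlspecialchars($request_uri, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed attacker input: no such user exists, but the OR clause matches every row
// once the string literal has been closed by the embedded quote.
$injected = "nobody' OR '1'='1";
print_r(find_user_vulnerable($db, $injected));
print_r(find_user_safe($db, $injected));
echo form_open('/login?next="><script>alert(1)</script>'), "\n";
```

Run it with the php CLI (the pdo_sqlite extension must be loaded). The concatenated query hands back every row for the injected name, the prepared one treats the whole string as a literal and finds nothing, and the form action comes back with its quotes and angle brackets entity-encoded instead of breaking out of the attribute.
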
#13 2012-01-18 08:45:08

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248

Re: mck_login

Well… thanks.
I will work on it in the coming days!!

#14 2012-01-18 19:27:35

geoff777
Plugin Author
From: Benarrabá Andalucía Spain
Registered: 2008-02-19
Posts: 281

Re: mck_login

GoCom – MarcoK

Can’t you help each other in private messages?

MarcoK – not quite so many problems :-) Soon this will be usable by the community!


There are 10 types of people in the world: those who understand binary, and those who don’t.

#15 2012-01-26 19:48:23

Gocom
Plugin Author
Registered: 2006-07-14
Posts: 4,524

Re: mck_login

During the last few days, or last weekend or so, I took a deeper look at the code and did some patching. Patching which eventually led to code that isn't mck_login at all, but still shares the same concept. A 'fork' was born and can be found on GitHub. Let me warn you though: I don't recommend anyone actually using it. It has its own issues, and it's just an off-spring branch. A contribution, which I'm just sharing. Hopefully MarcoK (or someone else) finds it useful.

The main idea I had was to fix the security issues the original release of mck_login had. I started working by removing the duplicated code and replacing it with Textpattern's core methods. I mapped all the security issues (of which I had initially missed a few), and got the time needed to fix them. Some security fixes and initial improvements included:

  • Code injection and SQL injection fixes.
  • Nonce updating/destroying, done the way core does it.
  • Cookie destroying/logging out. Uses the installation path, and tries not to unset all cookies across the domain.
  • Fixing naming issues (everything global prefixed, etc.).

Then there were those things I mentioned earlier; the feature-wise things. For instance the hard-coded content, and some of the security features, like brute-force attacks and off-hand form sending.

  • All the forms have a time-based token which lasts for 30 minutes. This means that one can't simply copy the code and keep using it for eternity. Not exactly nonce-grade prevention, but it does something.
  • As for brute-force attacks, I did what is usually done: limiting the request rate.

The way tags and forms are implemented changed too. Instead of a form being a single tag, the forms are now a ZCR-like set of tags, i.e.

<txp:mck_reset_form>
	<txp:mck_login_errors />
	<txp:mck_login_input type="text" name="mck_reset_name" />
</txp:mck_reset_form>

Which makes forms totally changeable to any format. Feature-wise, in addition to localization and the tag structure, I added some essential tools and functions, including password resetting and changing (as seen above), and CSRF protection support.

I've also added some functions for extending the plugin with plugins (spam prevention etc.). The plugin has some callback events, all of which are listed on the repo's GitHub page.

So, is it perfect? No. Should I (you) as an end-user use it? Not really, no, if you are an end-user and need something that is maintained. It has its own issues; it's untested. It was written on a whim. I did it all just to share and to contribute. It all ended up in the current state by chance. It's not going to become my own (rah) plugin project, nor am I going to support it. Just a contribution.

If someone, especially MarcoK, finds it useful, that would be great. Treat it as finders keepers, but this ring doesn't have a real maintainer.

Last edited by Gocom (2012-01-26 19:51:45)

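An added example (mine, not code from the fork) of the two mechanisms the post describes: a form token that expires after 30 minutes, and a request-rate limit for the brute-force case. Everything about the construction is assumed for the demo: the token format (issue time plus an HMAC over form name, issue time and session id), the site secret, the window sizes, the in-memory counter store, and the function names. Binding the token to the session goes a step beyond the time-only check the post mentions, since it also makes the token unusable as a cross-site forgery. The error keys it returns borrow the mck_login_invalid_token and mck_login_form_expired textpack names quoted later in the thread purely for illustration.

```php
<?php
// Added example, not the fork's code. Token and limiter parameters are assumptions.
const FORM_TOKEN_TTL    = 1800; // 30 minutes, the lifetime the post describes
const RATE_LIMIT_WINDOW = 60;   // seconds per counting window (assumed)
const RATE_LIMIT_MAX    = 5;    // submissions allowed per client per window (assumed)

// Token = "<issue time>:<hex HMAC>". The HMAC covers the form name, the issue time and
// the visitor's session id, so the token cannot be moved to another form, another
// session or a later time without the site secret; the server stores nothing.
function form_token_issue($secret, $form, $session_id, $now)
{
    $mac = hash_hmac('sha256', $form . '|' . $now . '|' . $session_id, $secret);
    return $now . ':' . $mac;
}

// Returns true on success, otherwise the textpack key naming the failure.
// The MAC is verified before the timestamp is trusted, so a tampered time fails as
// "invalid token" rather than being evaluated.
function form_token_check($secret, $form, $session_id, $token, $now)
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', (string) $token, $m)) {
        return 'mck_login_invalid_token';
    }
    $issued   = (int) $m[1];
    $expected = hash_hmac('sha256', $form . '|' . $issued . '|' . $session_id, $secret);
    if (!hash_equals($expected, $m[2])) {          // constant-time comparison
        return 'mck_login_invalid_token';
    }
    if ($issued > $now || $now - $issued > FORM_TOKEN_TTL) {
        return 'mck_login_form_expired';
    }
    return true;
}

// Fixed-window limiter keyed by client address and window number. The store is passed
// in by reference so the function is testable; a plugin would keep it in a table.
function rate_limit_allow(array &$store, $client_ip, $now)
{
    $key = $client_ip . ':' . intdiv($now, RATE_LIMIT_WINDOW);
    $store[$key] = isset($store[$key]) ? $store[$key] + 1 : 1;
    return $store[$key] <= RATE_LIMIT_MAX;
}

// Demo with constructed inputs: a fixed clock, a dummy session id and a placeholder secret.
$secret = 'replace-with-a-random-site-secret';
$sid    = 'sess-demo';
$t0     = 1700000000;
$token  = form_token_issue($secret, 'mck_register_form', $sid, $t0);

var_dump(form_token_check($secret, 'mck_register_form', $sid, $token, $t0 + 60));         // same form, within TTL
var_dump(form_token_check($secret, 'mck_register_form', $sid, $token, $t0 + 3600));       // same form, past TTL
var_dump(form_token_check($secret, 'mck_login_form',    $sid, $token, $t0 + 60));         // token reused on another form
var_dump(form_token_check($secret, 'mck_register_form', 'other-sess', $token, $t0 + 60)); // token replayed from another session

$store = [];
for ($i = 0; $i < RATE_LIMIT_MAX + 2; $i++) {                // seven hits inside one window
    var_dump(rate_limit_allow($store, '203.0.113.7', $t0 + $i));
}
```

The first check passes and the other three are rejected with the matching key; the limiter admits the first five submissions in the window and refuses the rest. Because the token is stateless, a stolen token stays usable until its 30 minutes run out, which is the "not nonce-grade" trade-off the post acknowledges; a server-side nonce table closes that gap at the cost of storage and a write per form render.
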
#16 2012-01-27 08:13:47

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248

Re: mck_login

Wow, it's amazing!

You have done in a few days what I had meant to do in a year!

In Italy we are accustomed to saying 'minchia che lavoro!' (roughly: 'damn, what a piece of work!')

I find it very useful, and I've started to study what you have written. So I hope to learn something from this code!

#17 2012-01-27 10:37:53

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,236

Re: mck_login

Hi Jukka ;)

I'm currently trying your forked plugin (thanks to Marco for the initial idea). Yet another demonstration of your talents. I would like to thank you for sharing.

That kind of plugin is very interesting and was the subject of some brainstorming with other PHP coders in private messages last month.

My thoughts about a self-register and login front-end plugin were to offer a solution to add/delete/change articles by authors directly from the public side, as some other CMSs offer (Concrete 5, Drupal 7.x and many others).
So, I know it's very difficult and complex work, but do you think you could add that feature?

What do you think? Could you tell us your opinion?

Best regards Jukka.


Patrick.
G+
Github | CodePen

#18 2012-01-27 13:43:01

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,236

Re: mck_login

Jukka, here is the French textpack file:

#@public
#@language fr-fr
mck_login_name_and_pass_required => La saisie du nom et du mot de passe est obligatoire.
mck_login_form_expired => Le délai du formulaire a expiré. Veuillez soumettre de nouveau votre saisie en cliquant sur le bouton "Envoyer".
mck_login_invalid_token => Soumission refusée en raison d'une erreur interne. Veuillez envoyer de nouveau ce formulaire.
mck_login_invalid_login => La combinaison <b>utilisateur</b> et <b>mot de passe</b> est incorrecte.
mck_login_ip_blacklisted => Soumission refusée. Votre adresse IP figure dans la liste noire anti-spam.
mck_login_you_have_been_banned => Soumission refusée. Votre adresse IP a été bannie.
mck_login_all_fields_required => La saisie de tous les champs est obligatoire.
mck_login_email_too_long => Votre adresse Email est trop longue. Seules les adresses de 100 caractères maximum sont acceptées.
mck_login_password_too_short => Le mot de passe doit comporter au moins 6 caractères.
mck_login_username_too_short => Le nom utilisateur doit comporter au moins 3 caractères.
mck_login_username_too_long => Le nom utilisateur ne doit pas excéder 64 caractères.
mck_login_realname_too_long => Votre nom ne doit pas dépasser 100 caractères.
mck_login_invalid_email => Cette adresse Email est invalide. Veuillez renseigner une adresse différente.
mck_login_email_in_use => Cette adresse Email est actuellement utilisée pour un compte existant. Les adresses associées aux comptes doivent être uniques. Veuillez renseigner une adresse différente.
mck_login_username_taken => Ce nom utilisateur est déjà utilisé. Les noms doivent être uniques.
mck_login_saving_failed => La sauvegarde dans la base de données a échoué. Merci de recommencer le processus.
mck_login_old_password_incorrect => L'ancien mot de passe est incorrect.
mck_login_passwords_do_not_match => Le nouveau mot de passe et sa confirmation ne correspondent pas.
mck_login_invalid_csrf_token => Accès refusé pour raisons de sécurité.
mck_login_your_new_password => [{sitename}] Voici votre nouveau mot de passe
mck_login_redirect_message => Si vous n'êtes pas redirigé, cliquez sur cette page : {url}

Last edited by Pat64 (2012-01-27 14:03:52)

#19 2012-01-27 16:17:27

MarcoK
Plugin Author
From: Como
Registered: 2006-10-17
Posts: 248

Re: mck_login

This is an Italian Textpack.

#@public
#@language it-it
mck_login_name_and_pass_required => Nome e password sono necessari.
mck_login_form_expired => Form scaduto. Prova a reinviare il form cliccando sul pulsante submit.
mck_login_invalid_token => Richiesta negata per token non valido. Prova a inviare nuovamente il form.
mck_login_invalid_login => Combinazione Utente/Password non corretta.
mck_login_ip_blacklisted => Richiesta negata. Il tuo indirizzo IP fa parte di una blacklist antispam.
mck_login_you_have_been_banned => Richiesta negata. Il tuo indirizzo IP è stato bannato.
mck_login_all_fields_required => Tutti i campi sono necessari.
mck_login_email_too_long => Il tuo indirizzo email è troppo lungo. Sono validi solo indirizzi email lunghi al massimo 100 caratteri.
mck_login_password_too_short => La password deve essere lunga almeno 6 caratteri.
mck_login_username_too_short => Lo Username deve essere di almeno 3 caratteri.
mck_login_username_too_long => Lo Username non può essere lungo più di 64 caratteri.
mck_login_realname_too_long => Il tuo nome non può essere più lungo di 100 caratteri.
mck_login_invalid_email => Indirizzo email non valido. Inserisci un indirizzo differente.
mck_login_email_in_use => Email già in uso da un altro utente. Inserisci un indirizzo email differente.
mck_login_username_taken => Username già in uso.
mck_login_saving_failed => Salvataggio nel database fallito. Riprova.
mck_login_old_password_incorrect => Vecchia password non corretta.
mck_login_passwords_do_not_match => Le password non coincidono.
mck_login_invalid_csrf_token => Accesso negato per ragioni di sicurezza: token non valido.
mck_login_your_new_password => [{sitename}] la tua nuova password
mck_login_redirect_message => Se il redirect non funziona, clicca sul seguente link: {url}

Last edited by MarcoK (2012-01-27 16:18:00)

#20 2012-01-27 16:59:13

sacripant
Plugin Author
From: Rhône — France
Registered: 2008-06-01
Posts: 472

Re: mck_login

What are the differences with cbe_frontauth ?

Powered by FluxBB