In-Portal Issue Tracker - In-Portal CMS
Viewing Issue Advanced Details
ID: 1435
Project: In-Portal CMS
Category: Security (bug report)
Reproducibility: always
Date Submitted: 2012-11-05 11:22
Last Update: 2012-12-12 03:40
Reporter: alex
Assigned To: alex
Priority: normal
Status: resolved
Product Version: 5.1.0
Resolution: fixed
Target Version: none
Fixed in Version: 5.3.0-B1
Reference: https://groups.google.com/d/topic/in-portal-dev/qenm_MavpZc/discussion
Change Log Message: Adds random string for each In-Portal installation
Estimate Points: 1
Summary: 0001435: Generate random string at install
I propose to generate a random string (like WordPress does) during In-Portal installation and then potentially use it in various security-related places, like password hashing (along with the existing hashing system, of course) and such.

This would ensure that even 2 In-Portal installations having the same users (with the same passwords) registered would still have different hashed passwords. Maybe we can find other interesting uses of this new random string in time.
Relationships: related to 0001436 (resolved, 5.3.0, alex): Encrypt cookie stored at client
patch random_string_configuration_1435.patch (5,245) 2012-12-06 05:28
http://tracker.in-portal.org/file_download.php?file_id=1880&type=bug
patch random_string_configuration_1435_v2.patch (4,614) 2012-12-07 07:10
http://tracker.in-portal.org/file_download.php?file_id=1886&type=bug
patch random_string_configuration_1435_v3.patch (7,042) 2012-12-11 05:53
http://tracker.in-portal.org/file_download.php?file_id=1890&type=bug
patch random_string_configuration_1435_v4.patch (8,170) 2012-12-12 03:38
http://tracker.in-portal.org/file_download.php?file_id=1892&type=bug
Issue History
2012-12-12 03:40 alex Note Added: 0005337
2012-12-12 03:40 alex Status reviewed and tested => resolved
2012-12-12 03:40 alex Fixed in Version => 5.3.0-B1
2012-12-12 03:40 alex Resolution open => fixed
2012-12-12 03:40 alex Changeset attached 5.3.x r15649
2012-12-12 03:39 alex Note Added: 0005336
2012-12-12 03:39 alex Status needs testing => reviewed and tested
2012-12-12 03:38 alex File Added: random_string_configuration_1435_v4.patch
2012-12-11 05:55 erik Note Added: 0005334
2012-12-11 05:55 erik Assigned To erik => alex
2012-12-11 05:55 erik Status needs work => needs testing
2012-12-11 05:53 erik File Added: random_string_configuration_1435_v3.patch
2012-12-11 02:58 alex Assigned To alex => erik
2012-12-11 02:54 alex Note Added: 0005330
2012-12-11 02:54 alex Status needs testing => needs work
2012-12-07 07:11 erik Note Added: 0005326
2012-12-07 07:11 erik Assigned To erik => alex
2012-12-07 07:11 erik Status needs work => needs testing
2012-12-07 07:10 erik File Added: random_string_configuration_1435_v2.patch
2012-12-06 12:00 alex Note Added: 0005324
2012-12-06 12:00 alex Assigned To alex => erik
2012-12-06 11:31 erik Note Added: 0005323
2012-12-06 11:30 erik Assigned To erik => alex
2012-12-06 06:24 alex Note Edited: 0005321
2012-12-06 06:22 alex Note Added: 0005321
2012-12-06 06:22 alex Assigned To alex => erik
2012-12-06 06:22 alex Status needs testing => needs work
2012-12-06 05:28 erik Note Added: 0005320
2012-12-06 05:28 erik Assigned To => alex
2012-12-06 05:28 erik Developer => erik
2012-12-06 05:28 erik Status active => needs testing
2012-12-06 05:28 erik File Added: random_string_configuration_1435.patch
2012-12-05 03:18 alex Note Added: 0005314
2012-11-05 11:24 alex Relationship added related to 0001436
2012-11-05 11:22 alex New Issue
2012-11-05 11:22 alex Reference => https://groups.google.com/d/topic/in-portal-dev/qenm_MavpZc/discussion
2012-11-05 11:22 alex Change Log Message => Adds random string for each In-Portal installation
2012-11-05 11:22 alex Estimate Points => 1

Notes
(0005314)
alex   
2012-12-05 03:18   
Plan:
1. add a new system setting called "RandomString" ("Random String") and place it under the "Use non-blocking socket mode" setting in the "Configuration -> Website -> Advanced" section
2. during a clean install and during an upgrade to version 5.3.0-B1, use code from WordPress to generate a similar random string
3. verify that a different string is generated for each clean install / upgrade made
(0005320)
erik   
2012-12-06 05:28   
Patch attached. Needs testing
(0005321)
alex   
2012-12-06 06:22   
(edited on: 2012-12-06 06:24)
1. must use the $this->Application->SetConfigValue method instead of running direct SQL against the SystemSettings table ($this->Application is available during upgrade; during a clean install it is available after the root password is entered)

2. why is the current random string value (which is 100% empty during install/upgrade) being used to generate the new random string value?

(0005323)
erik   
2012-12-06 11:31   
1. Impossible: there is no application object at the execution point used.
2. The task said: "use code from WordPress to generate similar random string". In WordPress the old value is used when generating the new value.
(0005324)
alex   
2012-12-06 12:00   
1. Then move random string generation to one of the next steps, where the application is available.

Also don't forget that cookies used during installation also need to be hashed (see the related task about hashing) using the generated string.
(0005326)
erik   
2012-12-07 07:11   
New patch version attached. Needs testing.
(0005330)
alex   
2012-12-11 02:54   
1. missing upgrade script that inserts the RandomString system setting
2. the root password hash is used as the initial seed, which introduces an always-identical (if the password is the same) component into string generation
3. the generated string doesn't look like these random strings (taken from the wp-config.php file):

define('AUTH_KEY', 'B9Gb>TN!3{onYA(4&PW>K8>@@KD|G8V1/|J-|}m;=_5O2||Vp/tg_6_[Nv]f5E-S');
define('SECURE_AUTH_KEY', '&jFdwDy_Nz^7/0=}ZSZF-iNQ5w^rpCswV}S&8/O+@Z%Jzk{q[OtW8Q<f2.}wx`|$');
define('LOGGED_IN_KEY', '@+J_;[5$u*[A*4nR%z|y6?d-!$U0G%jB8xOQ6+^OdPf4rnby/7mTbF{+!z$*2=*|');
define('NONCE_KEY', '+#y|nb[<<9|/[Y3r31S!rKIYtl8vQ:8;>4z8k+a|1Gx_=t{sdkjEfyRO&6+JnF__');

3a. Probably the wp_generate_password function should be used.

4. The random string (+seed) generation (+password generation) code looks promising; let's move both functions to UserHelper. Please also preserve the behavior where the generated random seed (set_transient) is stored somewhere (e.g. the cache table) and is reset after N uses.
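Added example, written for this page and not taken from In-Portal, WordPress or any of the patches attached above. It illustrates the points made in the issue description, the plan in note 0005314 and the review in note 0005330: the install-wide random string must come from a CSPRNG rather than from a PRNG seeded with something derived from the root password hash (same password, same "random" string on every install), and once generated it is mixed into password hashes and into the MAC on client-side cookies (the related task). The function names, the md5 stand-in for the root password hash, the "value|mac" cookie layout and the WordPress-style character set are assumptions; the code targets PHP 7.1+ (random_int, password_hash, nullable return types), which postdates this 2012 issue.

```php
<?php
// Added example (not In-Portal, WordPress or patch code). Names and formats are assumptions.
declare(strict_types=1);

// Same printable character set WordPress's wp_generate_password() uses with special
// characters enabled; matches the look of the wp-config.php keys quoted in note 0005330.
const RANDOM_STRING_CHARS =
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    . '!@#$%^&*()' . '-_ []{}<>~`+=,.;:/?|';

// The approach criticised in review, reconstructed as a minimal illustration (the real
// patch is not on this page): a PRNG seeded from the root password hash. Everything that
// follows the seed is a pure function of the password, so two installs with the same root
// password get the same string.
function weakRandomString(string $rootPasswordHash, int $length = 64): string
{
    $chars = RANDOM_STRING_CHARS;
    $max = strlen($chars) - 1;
    mt_srand(crc32($rootPasswordHash));   // deterministic seed derived from the password
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[mt_rand(0, $max)];
    }
    return $out;
}

// The fix: every character is drawn from the OS CSPRNG via random_int(), which is unbiased
// over the range (no modulo bias) and takes nothing from the install state as input.
function secureRandomString(int $length = 64): string
{
    $chars = RANDOM_STRING_CHARS;
    $max = strlen($chars) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, $max)];
    }
    return $out;
}

// Password hashing that mixes in the install-wide secret (a "pepper") in addition to the
// per-user salt that password_hash() embeds itself. HMAC keeps the secret out of the stored
// hash; the slow, salted part is still done by password_hash().
function hashPassword(string $password, string $installSecret): string
{
    $peppered = hash_hmac('sha256', $password, $installSecret);
    return password_hash($peppered, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $installSecret, string $stored): bool
{
    return password_verify(hash_hmac('sha256', $password, $installSecret), $stored);
}

// Cookie protection for the related task: append an HMAC over the value keyed with the
// install secret, and check it in constant time so a client cannot forge or tamper with it.
function signCookie(string $value, string $installSecret): string
{
    return $value . '|' . hash_hmac('sha256', $value, $installSecret);
}

function readSignedCookie(string $cookie, string $installSecret): ?string
{
    $pos = strrpos($cookie, '|');
    if ($pos === false) {
        return null;
    }
    $value = substr($cookie, 0, $pos);
    $mac   = substr($cookie, $pos + 1);
    return hash_equals(hash_hmac('sha256', $value, $installSecret), $mac) ? $value : null;
}

// Demonstration with constructed inputs: two installs that share the same root password.
$rootHash = md5('admin123');   // constructed stand-in; In-Portal's real hash format is not assumed
$weakSame = weakRandomString($rootHash) === weakRandomString($rootHash);
echo 'weak strings identical across installs: ', var_export($weakSame, true), "\n";

$secretA = secureRandomString();
$secretB = secureRandomString();
echo 'secure strings identical across installs: ', var_export($secretA === $secretB, true), "\n";

$stored = hashPassword('hunter2', $secretA);
echo 'password verifies on install A: ', var_export(verifyPassword('hunter2', $secretA, $stored), true), "\n";
echo 'password verifies on install B: ', var_export(verifyPassword('hunter2', $secretB, $stored), true), "\n";

$cookie = signCookie('user=42', $secretA);
echo 'genuine cookie reads back as: ', var_export(readSignedCookie($cookie, $secretA), true), "\n";
echo 'forged cookie reads back as:  ', var_export(readSignedCookie('user=1|0000', $secretA), true), "\n";
```

Two caveats a practitioner would want alongside this. First, the secret is only as private as wherever it is stored: if it lives in the SystemSettings table next to the password hashes, a database dump or SQL injection exposes both together, so it achieves the "two installs differ" goal from the description but adds little against an attacker who already has the database; keeping it in the config file, separate from the database, is stronger. Second, because the secret is an HMAC key inside every stored hash, rotating or losing it invalidates all existing password hashes and signed cookies, so it must be backed up with the installation and never regenerated on upgrade once set.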
(0005334)
erik   
2012-12-11 05:55   
1. Fixed
2. Fixed
3. Fixed
4. Fixed

New patch version attached. Needs testing
(0005336)
alex   
2012-12-12 03:39   
Looks about right.

I only did the following in the V4 version:
1. changed the global $rnd_value variable into a static variable
2. made the generateRandomNumber method protected
(0005337)
alex   
2012-12-12 03:40   
Fix committed to 5.3.x branch. Commit Message:

Fixes 0001435: Generate random string at install
1. Commit on behalf of Erik