
Important security notice about your CodeWalrus account

Started by Dream of Omnimaga, December 06, 2015, 04:31:35 AM



Sorunome

Quote from: DJ Omnimaga on December 29, 2015, 06:54:13 AM
* DJ Omnimaga pokes @Juju and @Streetwalrus to share the logs, then.
The post body and reply content don't land in server-side access logs, though, so the client's logs are needed.
Server-side logs might help a bit, too.

Also, I am not saying that the login mod has a bug, all I'm saying is that it might have a bug and that this information would be helpful to pinpoint whether it has or hasn't. ;)
  • Calculators owned: Too many (why are you even reading this?)
  • Consoles, mobile devices and vintage computers owned: Gamebuino!
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

Dream of Omnimaga

Wait, does every member who was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
  • Calculators owned: TI-82 Advanced Edition Python TI-84+ TI-84+CSE TI-84+CE TI-84+CEP TI-86 TI-89T cfx-9940GT fx-7400G+ fx 1.0+ fx-9750G+ fx-9860G fx-CG10 HP 49g+ HP 39g+ HP 39gs (bricked) HP 39gII HP Prime G1 HP Prime G2 Sharp EL-9600C
  • Consoles, mobile devices and vintage computers owned: Huawei P30 Lite, Moto G 5G, Nintendo 64 (broken), Playstation, Wii U

Sorunome

Quote from: DJ Omnimaga on December 29, 2015, 07:19:55 AM
Wait, does every member who was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
I mean that for the people to whom it happens it would be helpful if they could dump the output of the "network" tab in their debugging console (f12).

Dream of Omnimaga

#63
Ah I see. In any case, I hope if this happens to them, that they see this topic beforehand. Also does this apply to Windows and Mac as well?

rwill

Regarding the type of login problems, Art_of_camelot made a thread about it and he had the same symptoms as I had, it just hangs on the loading part. It may only happen on the first login after the security update was deployed, it happened on my first login after the update and he created the thread 5 minutes after that. I do not know if it was his first login after the security update, one might need to ask him if one wants to investigate in this direction further. I did look at what I POST to the server on login and besides some 20kb hashed_paswd in the form, where I do not know where it comes from, I noticed nothing out of the ordinary and had no problems ever besides the one time after the security update. Ah well, good luck.

And hopefully unrelated, I got this email directing me to this thread:


Subject: rwill, you have been mentioned at a post in CodeWalrus
Hello rwill!

DJ Omnimaga mentioned you in the post "Sorunome, you have been mentioned at a post in CodeWalrus", you can view the post at https://codewalr.us/index.php?msg=28835

Regards,
CodeWalrus


While the Sorunome part is certainly not his post title I think.

Dream of Omnimaga

The Sorunome mention bug is known. It's a problem on the user mention mod's side when we @mention/!call multiple people at once in one post. You would need to report it to the original author on SMF forums.

As for the login loading taking forever, I have the same problem happening on Omnimaga until about the third try. On CW it never happened to me, but logging in takes a long while (up to 10 seconds sometimes). This is definitely something that Soru needs to fix.

If it becomes too much of an issue or hinders our activity, then we might need to revert the changes and ditch this mod, at the cost of lowered security, and if security becomes a problem, then we could just require everyone to log in via Reddit, Facebook, Github, Google or something like that until SMF 2.1 comes out.

novenary

The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.

Dream of Omnimaga

Oh, that could be an idea. Just as long as it doesn't require the regular users to do something special, because contacting 400 members to ensure that they do it doesn't mean all of them will get the message. :P

novenary


Dream of Omnimaga

#69
Yeah, I am referring more to how we should avoid going the same route as the topic ID changes controversy, where no automated fix (e.g. a redirect or admins updating everyone's sigs) was available, thus forcing thousands of people to manually fix their stuff themselves.

Sorunome

#70
Quote from: Streetwalrus on December 29, 2015, 10:28:52 PM
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.
>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD

EDIT: also
Quote: <Sorunome> what might help is going into Subs-Auth.php, search for the function getRSAValue (probably close to bottom), search for $smcFunc['db_query']('','DELETE FROM {db_prefix}rsa_keys WHERE ts < (NOW() - INTERVAL 1 MINUTE)'); and make that like 5 mins or so
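A constructed model of the key-expiry race behind the suggestion above, added here as an example and not code from the thread or from the SMF login mod. It assumes the mod keeps one row per issued RSA key in an rsa_keys table with a timestamp column ts (column names are assumptions), that the DELETE in getRSAValue runs on the next key lookup, and that a login form left open longer than the sweep interval loses the key it was issued with.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for the mod's rsa_keys table (assumed layout, sqlite in memory).
def new_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rsa_keys (id INTEGER PRIMARY KEY, pub TEXT, ts TEXT)")
    return db

def issue_key(db, now):
    """Server issues a key when the login form is rendered; returns its row id."""
    cur = db.execute("INSERT INTO rsa_keys (pub, ts) VALUES (?, ?)",
                     ("constructed-public-key", now.isoformat()))
    return cur.lastrowid

def sweep(db, now, ttl_seconds):
    """Counterpart of the DELETE ... WHERE ts < (NOW() - INTERVAL n) in getRSAValue,
    with the interval made a parameter so the 1-minute and 5-minute cases can be compared."""
    cutoff = (now - timedelta(seconds=ttl_seconds)).isoformat()
    db.execute("DELETE FROM rsa_keys WHERE ts < ?", (cutoff,))

def key_available(db, key_id):
    """Can the server still find the private half for the key the client encrypted with?"""
    row = db.execute("SELECT 1 FROM rsa_keys WHERE id = ?", (key_id,)).fetchone()
    return row is not None

def login_can_decrypt(form_open_seconds, ttl_seconds):
    """True if the key issued with the form survives the sweep that runs at submit time.
    form_open_seconds: how long the user left the login page open before submitting."""
    db = new_store()
    t0 = datetime(2015, 12, 29, 22, 0, 0)          # constructed form render time
    key_id = issue_key(db, t0)
    submit_time = t0 + timedelta(seconds=form_open_seconds)
    sweep(db, submit_time, ttl_seconds)            # runs when the POST hits getRSAValue
    return key_available(db, key_id)

if __name__ == "__main__":
    for ttl in (60, 300):
        print(f"ttl={ttl}s, form open 90s -> decryptable: {login_can_decrypt(90, ttl)}")
```

With a 60-second sweep a form submitted after 90 seconds has already lost its key, which matches the "hangs on the loading part" symptom; a 300-second sweep keeps it, at the cost of holding keys a little longer.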

novenary

Quote from: Sorunome on December 29, 2015, 10:49:49 PM
Quote from: Streetwalrus on December 29, 2015, 10:28:52 PM
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.
>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD
Doesn't look like it's possible. Also a quick grep shows that pretty much everywhere it's set it's true.
