
Important security notice about your CodeWalrus account

Started by DJ Omnimaga, December 06, 2015, 04:31:35 am


Sorunome

Quote from: DJ Omnimaga on December 29, 2015, 06:54:13 am
* DJ Omnimaga pokes @Juju and @Streetwalrus to share the logs, then.

The post body and reply content don't land in the server-side access logs, though, so the client's logs are needed.
Server-side logs might help a bit, too.

Also, I am not saying that the login mod has a bug, all I'm saying is that it might have a bug and that this information would be helpful to pinpoint whether it has or hasn't. ;)
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

DJ Omnimaga

Wait, does every member who was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?

Sorunome

Quote from: DJ Omnimaga on December 29, 2015, 07:19:55 am
Wait, does every member who was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
I mean that for the people to whom it happens it would be helpful if they could dump the output of the "Network" tab in their debugging console (F12).

DJ Omnimaga

December 29, 2015, 07:22:54 am #63 Last Edit: December 29, 2015, 07:26:18 am by DJ Omnimaga
Ah I see. In any case, I hope if this happens to them, that they see this topic beforehand. Also does this apply to Windows and Mac as well?

rwill

Regarding the type of login problems, Art_of_camelot made a thread about it and he had the same symptoms as I had: it just hangs on the loading part. It may only happen on the first login after the security update was deployed; it happened on my first login after the update, and he created the thread 5 minutes after that. I do not know if it was his first login after the security update; one might need to ask him if one wants to investigate further in this direction. I did look at what I POST to the server on login and, besides some 20 KB hashed_paswd in the form, where I do not know where it comes from, I noticed nothing out of the ordinary, and I never had any problems besides the one time after the security update. Ah well, good luck.

And hopefully unrelated, I got this email directing me to this thread:


Subject: rwill, you have been mentioned at a post in CodeWalrus
Hello rwill!

DJ Omnimaga mentioned you in the post "Sorunome, you have been mentioned at a post in CodeWalrus", you can view the post at https://codewalr.us/index.php?msg=28835

Regards,
CodeWalrus


While the Sorunome part is certainly not his post title, I think.

DJ Omnimaga

The Sorunome mention bug is known. It's a problem on the user mention mod's side when we @mention/!call multiple people at once in one post. You would need to report it to the original author on SMF forums.

As for the login loading taking forever, I have the same problem happening on Omnimaga until about the third try. On CW it never happened to me, but logging in takes a long while (up to 10 seconds sometimes). This is definitely something that Soru needs to fix.

If it becomes too much of an issue or hinders our activity, then we might need to revert the changes and ditch this mod, at the cost of lowered security, and if security becomes a problem, then we could just require everyone to login via Reddit, Facebook, Github, Google or something like that until SMF 2.1 comes out.

Streetwalrus

The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.

DJ Omnimaga

Oh, that could be an idea. Just as long as it doesn't require the regular users to do something special, because contacting 400 members to ensure that they do it doesn't mean all of them will get the message. :P

Streetwalrus


DJ Omnimaga

December 29, 2015, 10:45:41 pm #69 Last Edit: December 29, 2015, 10:47:39 pm by DJ Omnimaga
Yeah, I am referring more to how we should avoid going the same route as the topic ID changes controversy, where no automated fix (e.g. a redirect or admins updating everyone's sigs) was available, thus forcing thousands of people to manually fix their stuff themselves.

Sorunome

December 29, 2015, 10:49:49 pm #70 Last Edit: December 29, 2015, 11:01:04 pm by Sorunome
Quote from: Streetwalrus on December 29, 2015, 10:28:52 pm
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.


>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD

EDIT: also
Quote
<Sorunome> what might help is going into Subs-Auth.php, search for the function getRSAValue (probably close to the bottom), search for $smcFunc['db_query']('','DELETE FROM {db_prefix}rsa_keys WHERE ts < (NOW() - INTERVAL 1 MINUTE)'); and make that like 5 mins or so

Streetwalrus

Quote from: Sorunome on December 29, 2015, 10:49:49 pm
Quote from: Streetwalrus on December 29, 2015, 10:28:52 pm
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.


>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD

Doesn't look like it's possible. Also a quick grep shows that pretty much everywhere it's set it's true.
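An added example, not code from CodeWalrus or from the SMF login mod, to make the two points above concrete: the one-minute purge Sorunome quotes (DELETE FROM rsa_keys WHERE ts < (NOW() - INTERVAL 1 MINUTE)) and the $context['disable_login_hashing'] switch. The script simulates the ephemeral-key lifecycle so you can see why a client that takes longer than the purge window between loading the login page and POSTing the form ends up with a key the server has already deleted, why raising the window to 5 minutes makes the same client succeed, and why the plain-over-TLS path has no such race at all. No real RSA keys are generated; only key lifetime matters for the failure mode. The class and function names, and the login flow itself, are assumptions made for the simulation.

```python
# Added example (not CodeWalrus or SMF code): deterministic simulation of the
# ephemeral-RSA-key race behind the hanging logins discussed in the thread.
# The server-side purge quoted there is
#   DELETE FROM rsa_keys WHERE ts < (NOW() - INTERVAL 1 MINUTE)
# and is modelled here with a configurable TTL. Names and flow are assumptions.

KEY_EXPIRED = "key_expired"        # server no longer has the private key
LOGIN_OK = "ok"                    # key still present, password can be decrypted
PLAIN_OVER_TLS = "plain_over_tls"  # hashing disabled: no ephemeral key involved


class RsaKeyStore:
    """Models the rsa_keys table as key_id -> issue timestamp (seconds).

    Real keys are not generated; only their lifetime matters for the race.
    """

    def __init__(self, ttl_seconds):
        self.ttl_seconds = ttl_seconds
        self._keys = {}
        self._next_id = 1

    def purge_expired(self, now):
        # Equivalent of: DELETE FROM rsa_keys WHERE ts < (NOW() - INTERVAL <ttl>)
        cutoff = now - self.ttl_seconds
        for key_id in [k for k, ts in self._keys.items() if ts < cutoff]:
            del self._keys[key_id]

    def issue(self, now):
        """Server side of rendering the login page: create a key, give its id to the client."""
        self.purge_expired(now)
        key_id = self._next_id
        self._next_id += 1
        self._keys[key_id] = now
        return key_id

    def redeem(self, key_id, now):
        """Server side of the POST: look the key up and consume it (one-shot)."""
        self.purge_expired(now)
        return self._keys.pop(key_id, None) is not None


def login_attempt(store, client_delay, now=0.0, hashing_disabled=False):
    """One login: page rendered at `now`, form posted `client_delay` seconds later.

    `client_delay` stands for everything between render and POST: the user
    typing, the browser running the RSA JavaScript, a slow connection.
    `hashing_disabled` models $context['disable_login_hashing'] being true.
    """
    if hashing_disabled:
        # The password travels inside TLS only; there is no ephemeral key to
        # expire, so client timing cannot break the login.
        return PLAIN_OVER_TLS
    key_id = store.issue(now)
    if not store.redeem(key_id, now + client_delay):
        return KEY_EXPIRED
    return LOGIN_OK


def compare_ttls(client_delay, ttls=(60, 300)):
    """Outcome of the same client delay under each purge window, as {ttl: result}."""
    return {ttl: login_attempt(RsaKeyStore(ttl), client_delay) for ttl in ttls}


if __name__ == "__main__":
    # A user who takes 90 s between page load and POST fails under the
    # 1-minute purge and succeeds under the 5-minute one.
    print(compare_ttls(90))
    print(login_attempt(RsaKeyStore(60), 90, hashing_disabled=True))
```

Two things the simulation makes visible that the one-line fix does not: the TTL has to cover the slowest realistic client (browser-side RSA in 2015-era JavaScript plus a user typing a long password), and because redeem() consumes the key, the same encrypted blob cannot be replayed later even within the window; a longer TTL therefore costs little, whereas the client-side RSA layer itself buys nothing the TLS channel does not already provide, which is Streetwalrus's point.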
