
Admin Strong Authentication: Beta testers wanted

Tags: admin, security, swekey, login

8 replies to this topic

#1   swekey

swekey
  • Members
  • 1 posts

Posted 22 November 2011 - 15:09

Dear All,

We just finished an addon for OSCommerce that provides strong authentication for administrators using our Swekey USB token (see www.swekey.com).

The addon is in beta and can be downloaded at
http://ftp.swekey.com/OSCommerce-swekey-3.0.x-1.0.0.zip

If you want to give it a try just email me at support at swekey dot com.

The first 10 beta testers will receive a free Swekey for testing....

Regards,

Luc

PS: The addon was written for version 3.0.2; if we receive numerous demands for version 2.x we are ready to provide a version for that platform.

Edited by Jan Zonjee, 22 November 2011 - 15:44.


#2   toyicebear

toyicebear
  • Community Sponsor
  • 6,399 posts

Posted 23 November 2011 - 00:46

You do know that 3.0.2 is not a complete shop and just a developer release version? The latest stable full release is 2.3.1

Edited by toyicebear, 23 November 2011 - 00:46.


#3   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts

Posted 23 November 2011 - 00:54

No sense in releasing something that can't be used by the majority of osCommerce members. In fact, with 3.x requiring PHP 5.3, there aren't even that many hosting providers that you can load 3.x on.



Chris

#4   foxp2

foxp2

    strong as a Twig

  • Banned
  • 310 posts

Posted 23 November 2011 - 11:36

Whoa, that's such a positive back!
Finally, I get tired of reading the same old refrains about oscom 3 ...

#5   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,845 posts

Posted 23 November 2011 - 20:03

Hi All..

I've only taken a quick look at the source code of the add-on and am impressed by how it self-installs from just one PHP file ... BUT it modifies core files, and I encourage others NOT to follow this style of procedure for other add-ons. The authentication level in the framework is not yet modularized, which is why Swekey took a more hardcore approach with their add-on.

I will be contacting Swekey soon to help with further development of the add-on and getting the modular authentication level in place. I find what they have so far done to be really awesome and anticipate having official add-ons other developers can learn from.

Kind regards,
Harald Ponce de Leon

#6   GemRock

GemRock
  • Members
  • 2,074 posts

Posted 26 November 2011 - 10:17

I guess this is the so-called 'one-off password'? If so, I don't think I want one, as I already get 4 of those from my banks, all of which are free. You still need to remember your passwords to use these devices though. For innovation, I'd rather like to see a system which would send me a one-off passcode to my mobile/cell phone every time I, or even a hacker, try to log in. The phone number would be a variable hardcoded in the PHP file, instead of stored in the db. Before that happens, how about using a dedicated IP (from your internet provider) to kick out everyone but you, if you are so concerned about admin security?
ken
commercial support - unProtected channel, not to be confused with the forum with the same name - open to everyone who needs some professional help: either PM/email me, or go to my website (URL can be found in my profile).
over 20 years of computer programming experience.

#7   foxp2

foxp2

    strong as a Twig

  • Banned
  • 310 posts

Posted 26 November 2011 - 12:13

how about using a dedicated IP (from your internet provider) to kick out everyone but you,
ken


My personal and very light protection:

In the static method hasAccess (file osCommerce\OM\Core\Site\Admin\Controller.php) I've added:
    // only the hard-coded admin IP may continue; every other client is sent away
    if ($_SERVER['REMOTE_ADDR'] !== '000.000.000') {
        OSCOM::redirect('http://www.google.com');
    }
But a spoofing attack is always possible ... protection by IP is a poor solution, but it works:
http://shop.echoscystem.com/oscom3/index.php?Admin

Edited by Jan Zonjee, 26 November 2011 - 13:01.


#8   GemRock

GemRock
  • Members
  • 2,074 posts

Posted 26 November 2011 - 14:47

'A protection by IP is a poor solution'? You would need to be a bit 'rich' to afford a dedicated IP.
When I first suggested using this 'poor' IP protection a while back somewhere else on the forums, I also suggested running a one-off code to write a cookie w/o expiry on the PC that accesses admin, then when logging in, read that cookie to see whether it exists. If not, you know how to deal with it, e.g., direct it to a toilet.

RE 'spoofing': how does anyone else know your IP? Are you the hacker's friend? Or are you so willing to accept hackers' invitations to visit their website and fill in forms supplying your website URL, thinking you would get some big rewards from them?
ken

PS: this 'new' version of IP.Board doesn't seem to like or understand smileys??

Edited by GemRock, 26 November 2011 - 14:58.


#9   Taipo

Taipo
  • Members
  • 794 posts

Posted 29 November 2011 - 00:07

HTACCESS LIMIT directive bypassing was the common method of accessing banned directories where the LIMIT directive is used to deny all and allow from a specified IP address.

This is still possible today because of the sheer number of Apache servers running that are not up to date, and due to the fact that, while this issue was known about for over a decade, it was not fixed until very recently.

Typically the LIMIT directive is used as:
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
</Limit>
However, unpatched versions of Apache do silly things when a request is made where the 'request type' has been spoofed (not the remote IP).

Example of a correct request to an admin directory:
GET /admin HTTP/1.1
Accept: */*
Host: www.somesite.com
This would result in a 403 access denied server response if the LIMIT example above was set up in the htaccess file.

However the request method can be spoofed as below:
ATTACK /admin HTTP/1.1
Accept: */*
Host: www.somesite.com
In this example, using ATTACK as the request type, the out-of-date Apache's LIMIT directive sees that 'ATTACK' is not on the ban list of GET and POST, so it allows it through.

But the out-of-date version of Apache, not having ATTACK as one of its request methods, converts the ATTACK request type to GET instead of banning the request.

The end result is that the request is successful, thus bypassing the LIMIT directive and allowing any IP address access to that directory.

The safety mechanism is LimitExcept (example below):
<LimitExcept GET POST HEAD OPTIONS>
    Deny from all
</LimitExcept>
Setting that at the top of the root htaccess file will restrict all request types right from the start, at which point directives like LIMIT can be used safely.
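An added example, not part of Taipo's post or of osCommerce: a small Python check that flags .htaccess access control living only inside a <Limit> block with no <LimitExcept> deny-all covering the other methods. The two fragments are constructed here and modelled on the weak and hardened snippets in the post above.

```python
import re

# Constructed sample .htaccess in the weak shape the post warns about:
# the deny/allow rules apply only to GET and POST, nothing else.
WEAK_HTACCESS = """\
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
</Limit>
"""

# Constructed hardened sample: refuse every method not listed first, so the
# <Limit> rules below only need to cover the methods that are still reachable.
HARDENED_HTACCESS = """\
<LimitExcept GET POST HEAD OPTIONS>
    Deny from all
</LimitExcept>
<Limit GET POST HEAD OPTIONS>
order deny,allow
deny from all
allow from 127.0.0.1
</Limit>
"""

BLOCK_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]*)>(.*?)</\1>", re.I | re.S)
ACCESS_RE = re.compile(r"^\s*(deny|allow|order|require)\b", re.I | re.M)
DENY_ALL_RE = re.compile(r"^\s*deny\s+from\s+all\b", re.I | re.M)


def find_limit_findings(htaccess_text):
    """Return one finding per <Limit> block that carries access control without a
    preceding <LimitExcept> deny-all; an empty list means the file looks safe."""
    findings = []
    guarded = False  # set once a <LimitExcept ...> Deny from all block is seen
    for m in BLOCK_RE.finditer(htaccess_text):
        kind, methods, body = m.group(1).lower(), m.group(2).split(), m.group(3)
        if kind == "limitexcept" and DENY_ALL_RE.search(body):
            guarded = True
        elif kind == "limit" and ACCESS_RE.search(body) and not guarded:
            listed = " ".join(methods)
            findings.append(
                "access control inside <Limit %s> restricts only those methods; "
                "add <LimitExcept %s> Deny from all </LimitExcept> above it" % (listed, listed)
            )
    return findings
```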