8 replies to this topic

[swekey]

Dear All,

We just finished an addon for OSCommerce that provides strong authentication for administrators using our Swekey USB token (see www.swekey.com).

The addon is in beta and can be dowloaded at

http://ftp.swekey.com/OSCommerce-swekey-3.0.x-1.0.0.zip

If you want to give it a try just email me at support at swekey dot com.

The first 10 beta testers will receive a free Swekey for testing....

Regards,

Luc

PS: The addon was written for vesion 3.0.2 if we receive numerous demands for version 2.x we are ready to provide a version for that platform.

Edited by Jan Zonjee, 22 November 2011 - 03:44 PM.

[toyicebear]

You do know that 3.0.2 is not a complete shop and just a developer release version? The latest stable full release is 2.3.1

Edited by toyicebear, 23 November 2011 - 12:46 AM.

[DunWeb]

No sense in releasing something that can't be used by the majority of osCommerce members.  In fact, with 3.x requiring PHP 5.3, there aren't even that many hosting providers that you can load 3.x on.



Chris

[foxp2]

woua, that's such a positive back !
finally i get tired of reading the old same refrains about oscom 3 ... [img]http://forums.oscommerce.com//public/style_emoticons/default/sick.gif[/img]

[Harald Ponce de Leon]

Hi All..

I've only taken a quick look at the source code of the add-on and am impressed by how it self-installs itself from just one php file ... BUT it modifies core files and encourage others NOT to follow this style of procedure for other add-ons. The authentication level in the framework is not yet modularized which is why Swekey took a more hardcore approach with their add-on.

I will be contacting Swekey soon to help with further development of the add-on and getting the modular authentication level in place. I find what they have so far done to be really awesome and anticipate having official add-ons other developers can learn from.

Kind regards,

[GemRock]

i guess this is the so-called 'one-off password'? if so, i dont think i want one as i already get 4 of those from my banks, all of which are free. you still need to remember your passwords to use these devices though. for innovation, i rather like to see a system which would send me a oneoff passcode to my mobile/cell phone every time i, or even a hacker, try to login. the phone number would be a variable hardcoded in the php file, instead of storing in the db. before that happens, how about using a dedicated IP (from your internet provider) to kick out everyone but you, if you are so concerned about admin security?
ken

[foxp2]

GemRock, on 26 November 2011 - 10:17 AM, said:

how about using a dedicated IP (from your internet provider) to kick out everyone but you,
ken

my personnal and very light protection :

in static method hasAccess (file osCommerce\OM\Core\Site\Admin\Controller.php) i've added :

		if($_SERVER['REMOTE_ADDR']  !== '000.000.000'){
		  OSCOM::redirect('http://www.google.com');
		}

but a spoofing attack is always possible ... a protection by IP is a poor solution. but it works :

http://shop.echoscystem.com/oscom3/index.php?Admin

Edited by Jan Zonjee, 26 November 2011 - 01:01 PM.

[GemRock]

'a protection by IP is a poor solution'? you would need to be a bit of 'rich' to afford a dedicated IP[img]http://forums.oscommerce.com//public/style_emoticons/default/smile.png[/img]
when i first suggested using this 'poor' IP protection a while back some where else on the forums, i also suggested running a oneoff code to write a cookie w/o expiry on the pc that access admin, then when logging in, read that cookie to see whether it exists. if not, you know how to deal with it, eg, direct it to a toilet.[img]http://forums.oscommerce.com//public/style_emoticons/default/laugh.png[/img]

RE 'spoofing': how anyone else knows your ip? is it you are the hacker's friend? or you are so willing to accept hackers invitions to visit their website and filling in forms supplying your website url thinking you would get some big rewards from them?
ken

ps: this 'new' version of ipborad doesnt seem to like or understand smiley??

Edited by GemRock, 26 November 2011 - 02:58 PM.

[Taipo]

HTACCESS LIMIT directive bypassing was the common method of accessing banned directories where the LIMIT directive is used to ban all and allow from a specified IP address.

This is still possible today because of the sheer amount of Apache servers running that are not up to date and due to the fact that while this issue was known about for over a decade, it was not fixed until very recently.

Typically the LIMIT directive is used as:

<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
</Limit>

However unpatched versions of Apache do silly things when a request is made where the 'request type' has been spoofed (not the remote ip).

Example of a correct request to an admin directory:

GET /admin HTTP/1.1
Accept: */*
Host: www.somesite.com

Would result in a 403 access denied server response if the LIMIT example above was set up in the htaccess file.

However the request method can be spoofed as below:

ATTACK /admin HTTP/1.1
Accept: */*
Host: www.somesite.com

In this example using ATTACK as the request type, the out of date Apaches LIMIT directive sees that 'ATTACK' is not on the ban list of GET and POST so it allows it through.

But the out of date version of Apache, in not having ATTACK as one of its request methods, converts the ATTACK request type to GET instead of banning the request.

The end result is that the request is successful thus bypassing the LIMIT directive allowing any IP address access to that directory.

The safety mechanism is LimitExcept (example below)

<LimitExcept GET POST HEAD OPTIONS>
		   Deny from all
</LimitExcept>

Setting that at the top of the root htaccess file will restrict all request types right from the start at which point directives like LIMIT can be used safely.