css-tricks chat2 script

is it safe to use ?

3 replies to this topic

#1   bruyndoncx (osCommerce Teenager, Members, 3,459 posts)

Posted 02 June 2012 - 19:36

I found "Chat2: Group Chat Room with PHP, jQuery, and a Text File" on the css tricks website:
http://css-tricks.com/chat2/

and wondered if this is safe to use.

The script allows you to start chatting after choosing a user name; my intention is to set up a chat room for each supported language.
Conversations are saved in a text file.

I looked at the different contributions but couldn't find any other one that is this simple.
I felt it would be easy to modify it and integrate it in the sidebar of a 2.3.1 installation.

Have a nice day!
Carine Bruyndoncx

 

KEEP CALM AND CARRY ON

anyone else looking into material design (materializecss.com) ?


#2   kymation (Code Monkey, Community Sponsor, 8,847 posts)

Posted 02 June 2012 - 20:09

That page states that it has an unpatched security hole. It's a rather obvious one, so I don't think the designer knows much about security.

It stores chat data in a flat file, so that file must be writeable. I don't like using writeable files, particularly if they are where the user can discover them. Why not use the database?

An open chat room is inherently dangerous. It can be used for any purpose, including illegal transactions between users. Why do you want this, and does that justify the risk?

Regards
Jim

My Addons

Banners Box 2.3+ Support
Categories Accordion Box 2.3+ Support
Closest Shipper 2.2x Support
Document Manager 2.2x Support
Generic Box 2.3+ Support
Get 1 Free 2.2x & 2.3.x & BS Support Bootstrapped
Modular Front Page 2.3+ Support
Modular SEO Header Tags 2.3+ Support
Multi-Vendor Shipping (MVS) 2.2x & 2.3.x Support
PDF Datasheet 2.3+ Support
Price in Cart Only / MAPP 2.3+ Support
Price Updater 2.2x
Products Specifications 2.3.x Development Version Support Bugs/Suggestions
Request a Review All Versions Support
Shopping List 2.3+ Support !
Specials Image Overlay 2.3+ Support
Superfish Categories Box 2.3+ & BS Support Bootstrapped
Theme Switcher 2.3+ & BS Support  Bootstrapped


#3   bruyndoncx (osCommerce Teenager, Members, 3,459 posts)

Posted 02 June 2012 - 22:22

Suppose the text files are in a .htaccess-secured directory, and the update.php file is amended as suggested:
  //  CONSIDER THIS SECURITY MEASURE ON WHERE THE
  //  FILE CAN ONLY BE CALLED VIA AJAX AND FROM SPECIFIC LOCATIONS
  //
  // if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_REFERER']!="http://your-site.com/path/to/chat.js") {
  //   die();
  // }

Also, I'm puzzled why the update logic is coded with a GET request, while the other AJAX actions are done through POSTs.

Can you think of a reason why this is done? Can't you do through POST anything you can do through GET (and with more hidden variables ...)?

I understand your point about openness, it could be an option to only allow it after registration on the site, but that would then create another barrier ...

Have a nice day!
Carine Bruyndoncx


#4   kymation (Code Monkey, Community Sponsor, 8,847 posts)

Posted 02 June 2012 - 23:16

That doesn't look like much security. My browser is set to return HTTP_REFERER set to the current site, no matter what it is supposed to be. HTTP_X_REQUESTED_WITH is just another header field and can be altered by the sender as easily as HTTP_REFERER. Checking/scrubbing the data when it's received would be a better approach.

I have no idea why it's being sent as a GET. It's somewhat less secure that way. As I said, it doesn't look like security was a consideration in the design. Caveat emptor.

Regards
Jim
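The two points raised above (a world-writable chat file the web server can reach, and a referer/X-Requested-With check that any client can set to whatever it likes) are illustrated below with an added example. This is not the Chat2 script, nor osCommerce code: it is a sketch of what a hardened update endpoint for a flat-file chat could look like. It assumes PHP sessions are available, that the chat page embeds the session token returned by chatToken() in its AJAX POST as a field named "token", and that the log file path ../private/chat.txt lies outside the document root; all three are assumptions, not details from the thread.

```php
<?php
// Added example, not the css-tricks Chat2 code or osCommerce code.
// Assumptions: sessions are in use; the client POSTs "token", "name" and
// "message"; the log file lives outside the web root (path is illustrative).
declare(strict_types=1);

session_start();

// Keep the log outside the document root so the web server cannot serve it
// directly, independent of any .htaccess rules in the chat directory.
const CHAT_LOG     = __DIR__ . '/../private/chat.txt';
const MAX_NAME_LEN = 32;
const MAX_MSG_LEN  = 500;

// Per-session random token. The chat page embeds it; update requests must echo it.
// Unlike HTTP_REFERER or X-Requested-With, a third-party page cannot read it.
function chatToken(): string
{
    if (empty($_SESSION['chat_token'])) {
        $_SESSION['chat_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['chat_token'];
}

// Validate on receipt: letters, digits, space and a few punctuation marks only.
function validateName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > MAX_NAME_LEN) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} _.-]+$/u', $name) ? $name : null;
}

// Length-limit the message and drop control characters so one message cannot
// smuggle extra lines or terminal escapes into the log.
function validateMessage(string $msg): ?string
{
    $msg = trim($msg);
    if ($msg === '' || mb_strlen($msg) > MAX_MSG_LEN) {
        return null;
    }
    return preg_replace('/[\x00-\x1F\x7F]/u', '', $msg);
}

// One JSON record per line, appended under an exclusive lock so concurrent
// AJAX posts cannot interleave and corrupt each other.
function appendMessage(string $file, string $name, string $msg): bool
{
    $record = json_encode(['t' => time(), 'n' => $name, 'm' => $msg], JSON_UNESCAPED_UNICODE);
    return file_put_contents($file, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Escape on output: the log holds plain text, the browser never sees raw markup.
function renderMessages(string $file): string
{
    if (!is_file($file)) {
        return '';
    }
    $out = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !isset($rec['n'], $rec['m'])) {
            continue;
        }
        $out .= '<p><strong>' . htmlspecialchars((string)$rec['n'], ENT_QUOTES, 'UTF-8') . '</strong>: '
              . htmlspecialchars((string)$rec['m'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $out;
}

header('Content-Type: text/html; charset=UTF-8');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Constant-time compare of the echoed token against the session copy.
    if (!hash_equals(chatToken(), (string)($_POST['token'] ?? ''))) {
        http_response_code(403);
        exit;
    }
    $name = validateName((string)($_POST['name'] ?? ''));
    $msg  = validateMessage((string)($_POST['message'] ?? ''));
    if ($name === null || $msg === null) {
        http_response_code(400);
        exit;
    }
    if (!appendMessage(CHAT_LOG, $name, $msg)) {
        http_response_code(500);
        exit;
    }
}

// Both the poll (GET) and a successful post return the rendered transcript.
echo renderMessages(CHAT_LOG);
```

The state-changing action is accepted over POST only, which also answers the thread's GET-versus-POST question: a GET that writes to the log can be triggered by a plain link or image tag, while a POST carrying a session token cannot. Validation happens on the server when the data arrives, as suggested in reply #4, and escaping happens on output rather than on storage, so the stored text stays usable if the display format changes later.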