
Posted: Wed Oct 29, 2003 11:37 am
by scorphus
hobu wrote: thank youuuuuuuuuuuuuuuuuuuuuu! it's working! :D
and the mistake was so simple, as always.
That's nice!
hobu wrote: now this crypted password is sent with this hidden field, but how can I make it so the plain password won't be sent?
Glad you did it... Well, you could:

• Make the JavaScript erase the password field:


function cryptData (formPtr) {
   // put the hash into the hidden field, then blank the plain password before the form goes out
   formPtr.hiddenfield.value = hex_md5(formPtr.password.value);
   formPtr.password.value = '';
   formPtr.submit();
   return;
}
which I think is not the best choice (it's quite simple, however).

• Use form1 to store the username and password (as it already does) and another form (say form2) with two hidden inputs that will hold the form1.username.value and the hash key of the form1.password.value and a submit button to send the form2 data to the server.

What do you think?

Just curious, did you read volka's post and follow that link?

Cheers,
Scorphus.

Posted: Wed Oct 29, 2003 12:35 pm
by volka
Why not set the value of the password field directly, skipping the hidden field?


<html>
	<head>
		<title>password test</title>
		<script type="text/javascript">
			// Runs once the page is loaded: only a browser with JavaScript
			// ever enables the password field and gives it a name.
			function enablePW()
			{
				var obj = document.getElementById("pwfield");
				if (obj != null)
				{
					obj.disabled = false;
					obj.name = "password";

					obj = document.getElementById("divWarning");
					if (obj != null && obj.style != null)
						obj.style.display = "none";
					return true;
				}
				else
					return false;
			}

			// Runs on submit: overwrite the field's value in place, so only
			// the replacement (e.g. the md5 value) is ever sent.
			function handlePassword()
			{
				var obj = document.getElementById("pwfield");
				if (obj != null)
				{
					obj.value = "jabba jabba"; // or the md5 value
					return true;
				}
				else
					return false;
			}
		</script>
	</head>
	<body>
		<fieldset><legend>POSTed values</legend>
			<pre><?php print_r(@$_POST); ?></pre>
		</fieldset>

		<!-- PHP_SELF is attacker-influenced, so it is escaped before being echoed into the attribute -->
		<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" onSubmit="handlePassword()">
			<input type="text" name="username" />username<br />
			<div id="divWarning" style="display: block">domhtml compatible javascript is mandatory</div>
			<input type="password" id="pwfield" disabled="disabled" value="" />password<br />
			<input type="submit" />
		</form>
		<script type="text/javascript">enablePW();</script>
	</body>
</html>
I wasn't quite sure JavaScript is allowed to touch an input-password element, but it works with IE6 and Mozilla 1.5.
One thing I also added is a kind of JavaScript test. The whole thing doesn't work if JavaScript is either not available or disabled, so the password field is disabled by default (and does not have a name property -> isn't sent on submit).

Posted: Wed Oct 29, 2003 12:55 pm
by m3rajk
volka wrote: The whole thing doesn't work if JavaScript is either not available or disabled, so the password field is disabled by default (and does not have a name property -> isn't sent on submit).
Between this and spoofing, why would one do client-side processing? Client-side processing also gives away a bunch about the structure of the processing done. Login processing client side is basically giving hackers an instruction sheet on hacking into someone else's name.

Posted: Wed Oct 29, 2003 1:10 pm
by volka
Not in this case. No vital information about the processing is added, only some kind of security is added (above|to) the transport layer. That the password is checked server-side we already knew ;)

Posted: Wed Oct 29, 2003 1:16 pm
by m3rajk
When you know the encoding used, it's easier to write something to crack the passwords.

Posted: Wed Oct 29, 2003 1:20 pm
by hobu
ok. now I missed the train a little :roll:
Yes, I looked at that link. The server my 'project' will be on supports (is this the right word..?) SSL too. But I'm stubborn and want to keep going :wink:

So I think I'll still try to do something with a random value.

I will probably ask some stupid questions again pretty soon.

But thanks so far for helping a little silly girl who wants to be big and smart :wink:

Posted: Wed Oct 29, 2003 1:23 pm
by m3rajk
np. Actually PHP has an md5 hashing function. Surprisingly, you get it by going $variable2=MD5($variable1);
$variable1 is the unhashed value and $variable2 is the hashed value. If you just wanna change variable 1, then $variable=MD5($variable);

Posted: Wed Oct 29, 2003 1:26 pm
by volka
m3rajk: the task was "not to send the plain password over the network". That's what this is all about ;)

Posted: Wed Oct 29, 2003 1:37 pm
by scorphus
hobu wrote: ok. now I missed the train a little :roll:
Yes, I looked at that link. The server my 'project' will be on supports (is this the right word..?) SSL too. But I'm stubborn and want to keep going :wink:

So I think I'll still try to do something with a random value.

I will probably ask some stupid questions again pretty soon.

But thanks so far for helping a little silly girl who wants to be big and smart :wink:
You're welcome. Don't be afraid to ask if you need anything else. Here we're all apprentices ;)

See you around...

Regards,
Scorphus.

Posted: Wed Oct 29, 2003 2:55 pm
by hobu
I wrote something and of course it won't work. I marked the line which is probably wrong, but maybe you'll get an idea of what I'm trying to do. Got the parts of this thing from different places and tried to put it all together :oops:


<?php
 if(!isset($_POST['username']) && !isset($_POST['password']))
 {
    // Visitor needs to enter a name and password.
    // Note: session_start() is never called in this script, so $_SESSION
    // is not a real session here.
    $_SESSION['random_number'] = rand();
    $randomstring = $_SESSION['random_number'];
?>

<html>

<head>
 <script language="JavaScript1.2" type="text/javascript" src="md5.js"></script>
<script language="JavaScript1.2" type="text/javascript">
<!--
// replace the plain password with md5(md5(password) + randomstring) before submitting
function cryptData (formPtr) {
   formPtr.hiddenfield.value = hex_md5(hex_md5(formPtr.password.value) + formPtr.randomstring.value);
   formPtr.password.value = "";
   formPtr.submit();
   return;
}
//-->
</script>
</head>

<body>
   <h1>Please Log In</h1>
    This page is secret.
  <form name="form1" method="post" action="proov3.php"
  onSubmit="javascript:cryptData(this)">
     <table border="1">
    <tr>
      <th> Username </th>
      <td> <input type="text" name="username"> </td>
    </tr>
    <tr>
      <th> Password </th>
      <td> <input type="password" name="password"> </td>
      <!-- this is the line that is probably wrong -->
      <input type='hidden' name='randomstring' value='".$_SESSION['random_number']."'>"
      <td> <input type="hidden" name="hiddenfield"> </td>
    </tr>
    <tr>
      <td colspan="2" align="center">
        <input type="submit" name="login" value="Log In">
      </td>
    </tr>
    </table>
    </form>

<?php
  }
  else
  {
    echo '<pre>';
    print_r($_POST);
    echo '</pre>';

    // connect to mysql
    $mysql = mysql_connect( 'localhost', 'bi', 'kr00ks' );
    if(!$mysql)
    {
      echo 'Cannot connect to database.';
      exit;
    }

    // select the appropriate database
    $mysql = mysql_select_db( 'bidb' );
    if(!$mysql)
    {
      echo 'Cannot select database.';
      exit;
    }

    $plah1 = $_POST['username'];
    $plah2 = $_POST['hiddenfield'];

    // query the database to see if there is a record which matches
    // (note: $plah1 goes into the SQL string without any escaping)
    $query = "select count(*) from User where
                 uname = '".$plah1."' and
                 '{$_POST['hiddenfield']}'=MD5(CONCAT(pword,{$_SESSION['random_number']}))";
    //echo $query;
    $result = mysql_query( $query);

    //echo $result;
    if(!$result)
    {
      echo 'Cannot run query.';
      exit;
    }

    $count = mysql_result( $result, 0, 0 );
    //echo $count;
    if ( $count > 0 ){ // authenticated
      echo ' oled tuvastatud ';
      // ask for the user level

      $query_level = "SELECT level FROM User WHERE
        uname = '".$plah1."'
        and pword = '".$plah2."'"; // this I will change later when the first one is alright

      $level_q = mysql_query( $query_level);
      $level = mysql_result($level_q,0,0);

      if ($level == 4){
        echo 'oled k6igest tavakasutaja';
      }
      elseif ($level == 1){
        echo 'oled age v6i hedi';
      }

      // visitor's name and password combination are correct
      //echo '<h1>Here it is!</h1>';
      //echo 'ojee me ei olegi lootusetud ';

    } // not authenticated
    else
    {
      // visitor's name and password combination are not correct
      echo '<h1>Go Away!</h1>';
      echo 'You are not authorized to view this resource.';
    }
  }
?>

</body>

</html>

Posted: Wed Oct 29, 2003 3:04 pm
by volka
<input type='hidden' name='randomstring' value='".$_SESSION['random_number']."'>"
When the PHP syntax highlighter here assigns black to a code part, it's outside a PHP block.
Try


<input type="hidden" name="randomstring" value="<?php echo $_SESSION['random_number']; ?>" />
instead

Posted: Thu Oct 30, 2003 2:47 am
by hobu


<?php
$plah1 = $_POST['username'];
$plah2 = $_POST['hiddenfield'];
// $randomstring is not assigned anywhere in this script before it is used here
$query = "select count(*) from User where
             uname = '".$plah1."' and
             '$_POST[hiddenfield]'=MD5(CONCAT(MD5(pword),$randomstring))";

?>
pword is the password field name in my SQL table. This query won't work. Is it possible to use pword and $randomstring together that way?
When I printed out $query it looked like this:


select count(*) from User where uname = 'secret' and 'ef697a82070746272697c2a220f29e6b'=MD5(CONCAT(MD5(pword),))
so it doesn't understand $randomstring, although $randomstring is passed by the form correctly.
Changing $_POST['hiddenfield'] to '".$plah2."' didn't help either.

Posted: Thu Oct 30, 2003 5:23 am
by volka
<input type='hidden' name='randomstring' value='".$_SESSION['random_number']."'>"
$_POST['randomstring'] holds the randomstring, not $_POST['hiddenfield']

btw: if you've started the session (session_start()), the value should be stored in $_SESSION['random_number'] and there's no need to send it with the form anyway

and another thing
formPtr.hiddenfield.value = hex_md5(hex_md5(formPtr.password.value) + formPtr.randomstring.value)
are you sure you want to apply md5 two times there?

Posted: Thu Oct 30, 2003 7:06 am
by hobu
Yes, I wanted to md5 two times in the crypting function, but I did it in the wrong place too. In the MySQL query I had to remove one md5 because the passwords in the database are already md5'd.

Well, now I got the result I want, but is it actually a smart way to handle this? I mean: to create a random value, add it to the md5'd password and crypt the result again with md5. Is it helping to make it more secure, or am I just wasting my time while the profs look and laugh quietly :wink: ?

And if the server supports SSL and the page won't contain any life-or-death data, can it be done that way (for a newbie :oops: )?

One thing I know now: this wasn't the easiest problem to solve, considering the fact that I 'met' PHP and JavaScript about a week ago :)

Posted: Thu Oct 30, 2003 8:58 am
by volka
I don't think that md5(md5(part1)+part2) improves security over md5(part1+part2).
The source "alphabet" is smaller, since the result of md5 is limited to [0-9A-F] (only 16 characters). On the other hand it increases the string length to 32 characters (and how many users have passwords of that length ;) ) before applying the second md5().
All put together, I think (and it's nothing more than a guess) you gain nothing but also lose nothing (save that the script is more complex).
Sometimes it's dangerous to apply the same algorithm twice as it narrows the possible results; sometimes it increases security (Twofish, triple-DES, ...).