Is this login script I wrote secure.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

adamduren
Forum Newbie
Posts: 5
Joined: Wed Jul 27, 2005 2:43 pm

Post by adamduren »

I was wondering if this script was secure?

#index.php

Code: Select all

<?php
include("verify.php");
?>
__________________________

#verify.php

Code: Select all

<?php
session_start();

if ($_SESSION['admin'] != 1)
{
    function validate($user, $password)
    {
        $list = file('passwd.txt');
        $key = 0;
        foreach ($list as $search)
        {
            $data = explode(":", $search);
            if (in_array($user, $data))
            { 
                break;       
            }
            $key++;
        }

        if (array_key_exists($key, $list))
        {  
            $userList = $data[0];
            $salt = $data[1];
            $hash = trim($data[2]);
            $password = sha1($salt . $password);
            if ($hash == $password)
            {
                $_SESSION['admin'] = '1';
                header("Location: /");
            } else {
                $_SESSION['errorlevel'] = 2;
                header("Location: /");
            }
        } else {
            $_SESSION['errorlevel'] = 1;
            header("Location: /");
        }
    }

    if (isset($_POST['username']) && isset($_POST['password']))
    {
        validate($_POST['username'], $_POST['password']);
    } else {
        include('login.php');
    }

} else {

    if ($_GET['logout'] == 1)
    {
       include("logout.php");
       header("Location: /");
    } else {
        print("Logged in<br>");
        print("<a href=\"/?logout=1\">Log Out</a>");
    }
}
?>
_____________________

#login.php

Code: Select all

<html>
  <head>
    <title>
    Log In
    </title>
  </head>
  <body>
<?php
switch ($_SESSION['errorlevel']) {
case 1:
    print("Invalid Username. Please try again.");
    break;
case 2:
    print("Invalid Password. Please try again.");
    break;
default:
    print("Please type a username and a password.");
    break;
}
?>
    <form name=login action="index.php" method="POST">
      Username: 
      <input type="text" name="username">
      <br>
      Password: 
      <input type="password" name="password">
      <input type="submit" value="Log-In">
    </form>
  </body>
</html>
______________________________

#logout.php

Code: Select all

<?php
session_destroy();
?>
_______________________________

#passwd.txt
admin:a5c654594:653hjdayu252c996bd6fdda43afe63ba189er354

JCART | Please use code tags when posting php code. Review Posting Code in the Forums: http://forums.devnetwork.net/viewtopic.php?t=21171
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

No. Issues:

1. Cleartext transmission of password is insecure. Use client-side hashing.
2. SHA1 has weaknesses. Technically, it probably isn't a sufficient break to impact hash/login checks, but for an ideal 'secure' solution, might as well use sha256.
3. Presumes security of file (passwd.txt) potentially on shared host - be very certain that filesystem security is strong.
4. Assumes register_globals is off. If it isn't, the user can override $_GET['admin'] = 1, which will set $_SESSION['admin'] = 1, which isn't set to a default value. Same for several other variables in the script.
5. Session should be regenerated upon login
6. The method for generating the salt isn't specified - it may be predictable

There may be more.. those just screamed out.
adamduren
Forum Newbie
Posts: 5
Joined: Wed Jul 27, 2005 2:43 pm

Post by adamduren »

Can you further explain the coding process and the salt generation is secure.
adamduren
Forum Newbie
Posts: 5
Joined: Wed Jul 27, 2005 2:43 pm

Post by adamduren »

how can you use sha256 in php5.0.4
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

adamduren wrote:how can you use sha256 in php5.0.4
viewtopic.php?t=31069
adamduren
Forum Newbie
Posts: 5
Joined: Wed Jul 27, 2005 2:43 pm

Post by adamduren »

how can you add sha256 to the global function lists. so i can just do

<?php
sha256::message
?>

without having to do includes?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

adamduren wrote:how can you add sha256 to the global function lists. so i can just do

<?php
sha256::message
?>

without having to do includes?
Copy and paste the entire file into the same file (verify.php). Otherwise, use includes.
adamduren wrote:Can you further explain the coding process and the salt generation is secure.
I don't understand what you mean here. What would you like me to explain further?
adamduren
Forum Newbie
Posts: 5
Joined: Wed Jul 27, 2005 2:43 pm

Post by adamduren »

Can you rewrite the code because I really don't get what your messages about client side and stuff mean.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

adamduren wrote:Can you rewrite the code because I really don't get what your messages about client side and stuff mean.
Sorry, no.

I'll answer the questions however.

Client side means use javascript to change the password to a hash before sending it to the server (to the php page). If you use a password field, and don't use javascript to hash it before sending, you are sending the password in cleartext. This means that an attacker can "sniff" the network, and see the password go by.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Aw, be nice on him. Here's a link to some BSD javascript code that does this: http://pajhome.org.uk/crypt/md5/auth.html
stukov
Forum Commoner
Posts: 26
Joined: Sun Jul 24, 2005 2:16 pm
Location: Sherbrooke, Qc, Canada

Post by stukov »

About clientside scripting: what if the client disabled javascript?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

stukov wrote:About clientside scripting: what if the client disabled javascript?
Depends on the site. If security is important enough, disallow the login.

If security isn't as important, then allow them to login, but inform them that their login was insecure, and that they should enable javascript to protect themselves.
n0p
Forum Newbie
Posts: 1
Joined: Fri Jul 29, 2005 7:44 am

Re: Is this login script I wrote secure.

Post by n0p »

adamduren wrote:#login.php
-- cut --

Code: Select all

switch ($_SESSION['errorlevel']) {
case 1:
    print("Invalid Username. Please try again.");
    break;
case 2:
    print("Invalid Password. Please try again.");
    break;
default:
    print("Please type a username and a password.");
    break;
}
-- cut --
BTW: Best security practices say you should not inform the unauthenticated user of the exact reason for the failure, as this would inform an attacker they have a valid username and just need to discover a valid password.
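
A server-side sketch of several points raised in the thread (a new session ID on login, one failure message for both cases, salt generation left to the library), as an added example that is not part of any post above. It assumes PHP 7.1 or later and swaps the salted SHA hash for PHP's built-in password_hash()/password_verify(); the file path, the "username:hash" line format, login_form.php and the login_failed session key are assumptions of this example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.1 or later.
// Assumed file format: one "username:hash" line per account, with the hash
// produced by password_hash(). The path below is a placeholder.
const PASSWD_FILE = '/path/outside/webroot/passwd.txt';

// Builds a passwd.txt line; password_hash() picks a random salt itself.
function make_entry(string $user, string $password): string
{
    return $user . ':' . password_hash($password, PASSWORD_DEFAULT);
}

function find_hash(string $user): ?string
{
    $lines = file(PASSWD_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {
        // Split once and compare only the username field, exactly.
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            return $parts[1];
        }
    }
    return null;
}

session_start();

if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    $hash = find_hash($_POST['username']);
    if ($hash !== null && password_verify($_POST['password'], $hash)) {
        session_regenerate_id(true);      // fresh session ID on login
        $_SESSION['admin'] = 1;
    } else {
        $_SESSION['admin'] = 0;
        $_SESSION['login_failed'] = true; // same flag for either failure
    }
    header('Location: /');
    exit; // nothing below runs after the redirect
}

if (empty($_SESSION['admin'])) {
    if (!empty($_SESSION['login_failed'])) {
        unset($_SESSION['login_failed']);
        print('Invalid username or password. Please try again.');
    }
    include 'login_form.php'; // hypothetical file holding only the form markup
}
```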