Is this login script I wrote secure.

Posted: Wed Jul 27, 2005 2:47 pm
by adamduren
I was wondering if this script was secure?

#index.php

<?php
include("verify.php");
?>
__________________________

#verify.php

<?php
session_start();

if ($_SESSION['admin'] != 1)
{
    // Look up $user in passwd.txt (user:salt:hash per line) and compare the
    // salted SHA-1 of the submitted password with the stored hash.
    function validate($user, $password)
    {
        $list = file('passwd.txt');
        $key = 0;
        foreach ($list as $search)
        {
            $data = explode(":", $search);
            if (in_array($user, $data))
            {
                break;
            }
            $key++;
        }

        if (array_key_exists($key, $list))
        {
            $userList = $data[0];
            $salt = $data[1];
            $hash = trim($data[2]);
            $password = sha1($salt . $password);
            if ($hash == $password)
            {
                $_SESSION['admin'] = '1';
                header("Location: /");
            } else {
                // errorlevel 2: user exists, password did not match
                $_SESSION['errorlevel'] = 2;
                header("Location: /");
            }
        } else {
            // errorlevel 1: no such user in passwd.txt
            $_SESSION['errorlevel'] = 1;
            header("Location: /");
        }
    }

    if (isset($_POST['username']) && isset($_POST['password']))
    {
        validate($_POST['username'], $_POST['password']);
    } else {
        include('login.php');
    }

} else {

    if ($_GET['logout'] == 1)
    {
        include("logout.php");
        header("Location: /");
    } else {
        print("Logged in<br>");
        print("<a href=\"/?logout=1\">Log Out</a>");
    }
}
?>
_____________________

#login.php

<html>
  <head>
    <title>
    Log In
    </title>
  </head>
  <body>
<?php
switch ($_SESSION['errorlevel']) {
case 1:
    print("Invalid Username. Please try again.");
    break;
case 2:
    print("Invalid Password. Please try again.");
    break;
default:
    print("Please type a username and a password.");
    break;
}
?>
    <form name="login" action="index.php" method="POST">
      Username:
      <input type="text" name="username">
      <br>
      Password:
      <input type="password" name="password">
      <input type="submit" value="Log-In">
    </form>
  </body>
</html>
______________________________

#logout.php

<?php
session_destroy();
?>
_______________________________

#passwd.txt
admin:a5c654594:653hjdayu252c996bd6fdda43afe63ba189er354

JCART | Please use [code] tags when posting php code. Review "Posting Code in the Forums": http://forums.devnetwork.net/viewtopic.php?t=21171

Posted: Wed Jul 27, 2005 3:18 pm
by Roja
No. Issues:

1. Cleartext transmission of password is insecure. Use client-side hashing.
2. SHA1 has weaknesses. Technically, it probably isn't a sufficient break to impact hash/login checks, but for an ideal 'secure' solution, might as well use sha256.
3. Presumes security of file (passwd.txt) potentially on shared host - be very certain that filesystem security is strong.
4. Assumes register_globals is off. If they aren't, the user can override $_GET['admin'] = 1, which will set $_SESSION['admin'] =1, which isn't set to a default value. Same for several other variables in the script.
5. Session should be regenerated upon login.
6. The method for generating the salt isn't specified - it may be predictable.

There may be more... those just screamed out.

Posted: Wed Jul 27, 2005 3:34 pm
by adamduren
Can you further explain the coding process and the salt generation is secure.

Posted: Wed Jul 27, 2005 3:43 pm
by adamduren
How can you use sha256 in PHP 5.0.4?

Posted: Wed Jul 27, 2005 3:49 pm
by John Cartwright
adamduren wrote: How can you use sha256 in PHP 5.0.4?
viewtopic.php?t=31069

Posted: Wed Jul 27, 2005 4:24 pm
by adamduren
How can you add sha256 to the global function list, so I can just do

<?php
sha256::message
?>

without having to do includes?

Posted: Wed Jul 27, 2005 4:32 pm
by Roja
adamduren wrote: How can you add sha256 to the global function list, so I can just do

<?php
sha256::message
?>

without having to do includes?
Copy and paste the entire file into the same file (verify.php). Otherwise, use includes.
adamduren wrote:Can you further explain the coding process and the salt generation is secure.
I don't understand what you mean here. What would you like me to explain further?

Posted: Wed Jul 27, 2005 4:34 pm
by adamduren
Can you rewrite the code, because I really don't get what your messages about client side and stuff mean.

Posted: Wed Jul 27, 2005 4:45 pm
by Roja
adamduren wrote: Can you rewrite the code, because I really don't get what your messages about client side and stuff mean.
Sorry, no.

I'll answer the questions however.

Client side means use javascript to change the password to a hash before sending them to the server (to the php page). If you use a password field, and don't use javascript to hash them before sending, you are sending the password in cleartext. This means that an attacker can "Sniff" the network, and see the password go by.

Posted: Wed Jul 27, 2005 7:50 pm
by Ambush Commander
Aw, be nice on him. Here's a link to some BSD javascript code that does this: http://pajhome.org.uk/crypt/md5/auth.html

Posted: Wed Jul 27, 2005 8:39 pm
by stukov
About clientside scripting: what if the client disabled javascript?

Posted: Wed Jul 27, 2005 8:41 pm
by Roja
stukov wrote:About clientside scripting: what if the client disabled javascript?
Depends on the site. If security is important enough, disallow the login.

If security isn't as important, then allow them to login, but inform them that their login was insecure, and that they should enable javascript to protect themselves.

Re: Is this login script I wrote secure.

Posted: Fri Jul 29, 2005 7:55 am
by n0p
adamduren wrote:#login.php
-- cut --

switch ($_SESSION['errorlevel']) {
case 1:
    print("Invalid Username. Please try again.");
    break;
case 2:
    print("Invalid Password. Please try again.");
    break;
default:
    print("Please type a username and a password.");
    break;
}
-- cut --
BTW: Best security practices say you should not inform the unauthenticated user the exact reason for the failure as this would inform an attacker they have a valid username and just need to discover a valid password.
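Added here as an editor's example, not code posted by anyone in the thread: a hardened replacement for the validate() routine that applies Roja's points 2, 5 and 6 (SHA-256, session regeneration, unpredictable salt) and n0p's advice to return one generic failure reason. It assumes PHP 7 or later for random_bytes() and hash_equals(), and keeps the thread's user:salt:hash layout for passwd.txt; on current PHP, password_hash() would be the preferred primitive.

```php
<?php
// Added example, not code posted in the thread: a hardened replacement for
// the validate() routine above. Assumes PHP 7+ (random_bytes, hash_equals)
// and keeps the thread's passwd.txt layout of user:salt:hash per line.

define('PASSWD_FILE', __DIR__ . '/passwd.txt');

// Build a record with an unpredictable salt (Roja's point 6) and SHA-256
// instead of SHA-1 (point 2). On current PHP, password_hash() is the
// preferred primitive; the flat-file layout is kept here for illustration.
function make_record($user, $password)
{
    $salt = bin2hex(random_bytes(16));           // 128-bit CSPRNG salt
    $hash = hash('sha256', $salt . $password);
    return $user . ':' . $salt . ':' . $hash;
}

// Match on the username column only: the original in_array() check would
// also accept a "username" equal to someone's salt or hash field.
function find_record($user)
{
    $lines = file(PASSWD_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $line) {
        $data = explode(':', $line, 3);
        if (count($data) === 3 && $data[0] === $user) {
            return $data;
        }
    }
    return null;
}

// One generic errorlevel for "unknown user" and "wrong password" (n0p's
// point) and a fresh session id after a successful login (Roja's point 5).
function validate($user, $password)
{
    $record = find_record($user);
    // Hash even for unknown users so response time does not reveal valid names.
    $salt     = $record ? $record[1] : bin2hex(random_bytes(16));
    $expected = $record ? $record[2] : str_repeat('0', 64);
    $actual   = hash('sha256', $salt . $password);

    if ($record !== null && hash_equals($expected, $actual)) {
        session_regenerate_id(true);   // drop the pre-login session id
        $_SESSION['admin'] = 1;
        return true;
    }
    $_SESSION['errorlevel'] = 1;       // login.php shows one generic message
    return false;
}
```

With this version, login.php's switch needs only the single case 1 message ("Invalid username or password"), since the user/password distinction is no longer reported.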