-
Notifications
You must be signed in to change notification settings - Fork 452
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Manager and web: don't pass authenticator to account_finish.php #4092
base: master
Are you sure you want to change the base?
Conversation
If you attach to a project using the Manager, as a "new user", the Manager finishes the process by opening a browser window to account_finish.php on that project, which asks you for your name, country, and (optionally) postal code. It passes the authenticator to this script; this could be viewed as a security risk. I changed things so that: - the Manager doesn't pass the authenticator - account_finish.php asks you to log in (with email/passwd). Compatibility issues: Old manager, new project: no problem. User will see login form. New manager, old project: user will see confusing "no such user" message
I'm not sure this is worth doing. If a hacker could intercept the authenticator, they can intercept the email/password, and use that to get the authenticator. |
The risk is not the authenticator (or email/password) being intercepted. The risk is that the PHP script treats the authenticator as a full authentication token (i.e. grants full access to the users account). Thus if someone obtains someone else's authenticator, then they can use the account_finish.php to gain full access to the account. |
The login script (login_action.php) lets you use the authenticator in place of password. This serves two purposes: a) if a user has forgotten their password and their email addr no longer works, they can still log in; b) it lets project admins log in as a user, e.g. to debug problems. |
@davidpanderson, @TheAspens
|
We (Fitcrack developers) currently see similar issue - "no such account" as auth is empty string, somehow... When attaching to project, the account creation is broken on Windows. On Mac, no issues. Repro project url: https://live.fitcrack.cz/fitcrack |
I couldn't reproduce this; "new user" attach on Windows worked OK. |
My steps:
Windows 8.1, Boinc 7.20.2 Macbook M1 Pro with 7.20.2: No issues. |
Ah yeah, debugged it - this is related to special characters. Created: #5024 |
If you attach to a project using the Manager, as a "new user",
the Manager finishes the process by opening a browser window
to account_finish.php on that project,
which asks you for your name, country, and (optionally) postal code.
It passes the authenticator to this script;
this could be viewed as a security risk.
I changed things so that:
Compatibility issues:
Old manager, new project: no problem. User will see login form.
New manager, old project: user will see confusing "no such user" message