Monthly Archives: August 2010

Math Comment Spam Protection – Token Reuse

30 Aug 2010

On 14 August 2010 I discovered a vulnerability in the Math Comment Spam Protection plugin by Michael Wöhrer. The plug-in suffers from a flaw in which the same token can be replayed until it is up to a day old (since the date is included), allowing spam to be automated by solving a single CAPTCHA per day. A reasonable amount of time to fix has been set at two weeks before public disclosure. I attempted to contact the vendor twice: once via his site and again the week after via e-mail.

The vulnerability lies in the function below:

function MathCheck_Aux_GenerateHash($inputstring, $day, $unique) {
    // If using WordPress: many people have defined a WP_SECRET string in
    // wp-config.php, so we add it if it exists
    if ( defined('WP_SECRET') )
        $inputstring .= WP_SECRET;
    // Adds the file modification time of this file
    $inputstring .= filemtime(__FILE__);
    // Adds a unique value
    $inputstring .= $unique;
    // Add the IP address of the server under which the current script is executing.
    $inputstring .= getenv('SERVER_ADDR');
    // Add date
    $inputstring .= $day . date('ny');
    // Get MD5 and reverse it
    $enc = strrev(md5($inputstring));
    // Get only a few chars out of the string
    $enc = substr($enc, 28, 1) . substr($enc, 9, 1) . substr($enc, 21, 1)
         . substr($enc, 15, 1) . substr($enc, 7, 1);
    // Return result
    return $enc;
}
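To make the replay property concrete, here is an added Python model of the function above together with a single-use alternative; it is example code written for this post, not the plugin's own code. It assumes constructed stand-ins for the environment values the plugin reads (WP_SECRET, filemtime(__FILE__), getenv('SERVER_ADDR')) and models the `$unique` argument as a fixed string, which is what makes a token valid for a whole day. The `SingleUseChallenges` class is a hypothetical replacement that binds each form to a random nonce that is consumed on first use and expires after a short TTL.

```python
import hashlib
import secrets
import time

# Constructed placeholders for the values the plugin pulls from its environment.
WP_SECRET = "wp-secret-placeholder"
FILE_MTIME = 1281700000          # stand-in for filemtime(__FILE__)
SERVER_ADDR = "192.0.2.10"       # stand-in for getenv('SERVER_ADDR')


def legacy_token(answer, day, unique, month_year="0810"):
    """Model of MathCheck_Aux_GenerateHash. Every input is fixed for the
    whole day, so the result is identical for every request made that day."""
    s = f"{answer}{WP_SECRET}{FILE_MTIME}{unique}{SERVER_ADDR}{day}{month_year}"
    enc = hashlib.md5(s.encode()).hexdigest()[::-1]        # MD5, reversed
    return enc[28] + enc[9] + enc[21] + enc[15] + enc[7]    # same five positions


class SingleUseChallenges:
    """Hypothetical fix: a server-side store of per-form nonces. Each nonce is
    bound to the answer that was issued, is valid once, and expires after ttl."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._pending = {}   # nonce -> (expected_answer, expires_at)

    def issue(self, expected_answer, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)              # 128 random bits per form
        self._pending[nonce] = (expected_answer, now + self.ttl)
        return nonce

    def verify(self, nonce, answer, now=None):
        now = time.time() if now is None else now
        record = self._pending.pop(nonce, None)    # consumed on first use
        if record is None:
            return False                           # unknown or already used
        expected, expires_at = record
        if now > expires_at:
            return False                           # stale challenge
        return secrets.compare_digest(str(expected), str(answer))


if __name__ == "__main__":
    print("legacy token, two requests same day:",
          legacy_token(7, 14, "u1"), legacy_token(7, 14, "u1"))
    store = SingleUseChallenges(ttl_seconds=60)
    n = store.issue(7)
    print("first use:", store.verify(n, 7), "replay:", store.verify(n, 7))
```

The model keeps the plugin's five-character output only to mirror its shape; the point of the replacement is that the nonce, not the answer, is what the server remembers, so a captured (nonce, answer) pair is worthless after one submission.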

Risk assessment:

A simple text-based maths CAPTCHA such as this would not resist a targeted automated attack anyway, since the arithmetic is trivial to script. The plug-in will therefore still keep out bots that are not written specifically for it, but that protection comes from obscurity rather than from any sound security mechanism.

You Don’t Need Server Gated Cryptography

21 Aug 2010

Server Gated Cryptography (SGC) was created because of United States legislation on the export of cryptography in the 1990s. SGC allows very old browsers to use 128-bit encryption where they’d normally be limited to 40-bit.

Verisign offers an SGC certificate for US $995 per year, so is it really worth it? I’ve been asked by a few eCommerce businesses why I haven’t opted for an SGC certificate for them, and last week was no exception, although these questions aren’t as frequent as this post makes them out to be. Hopefully in the future I can point someone here. :)

1. Browsers that support them have major security flaws:

  • Internet Explorer export browser versions from 3.02 but before version 5.5
  • Netscape export browser versions after 4.02 and up through 4.72
  • Windows 2000 systems shipped prior to March 2001 that have not downloaded Microsoft’s High Encryption Pack or Service Pack 2 and that use Internet Explorer

N.B. Internet Explorer browser versions prior to 3.02 and Netscape browser versions prior to 4.02 are not capable of 128-bit encryption with any SSL Certificate.

2. You can force SSL/TLS to require certain ciphers.

See these?
DHE_RSA_WITH_DES_CBC_SHA
RSA_WITH_DES_CBC_SHA
RSA_EXPORT_WITH_DES40_CBC_SHA
RSA_EXPORT_WITH_RC2_CBC_40_MD5
RSA_EXPORT_WITH_RC4_40_MD5
RC4_128_EXPORT40_WITH_MD5
RC2_128_CBC_EXPORT40_WITH_MD5
DES_64_CBC_WITH_MD5
Get rid of them and no one will be able to use bad crypto with your servers.
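As an added example (not part of the original post), here is a small Python check of point 2: it flags suite names carrying the export and weak-cipher markers in the list above, and builds a server context whose cipher string excludes them, then confirms via the OpenSSL-backed `ssl` module that nothing weak survives. The marker list and the cipher string are my choices, not values from the post.

```python
import ssl

# The suites listed in the post, as constructed input for the checker.
PAGE_SUITES = [
    "DHE_RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_DES_CBC_SHA",
    "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4_128_EXPORT40_WITH_MD5",
    "RC2_128_CBC_EXPORT40_WITH_MD5",
    "DES_64_CBC_WITH_MD5",
]

# Substrings that mark a suite as export-grade or otherwise unacceptable.
# "DES" also catches 3DES names such as DES-CBC3-SHA, so the hardened string
# below disables 3DES explicitly as well.
WEAK_MARKERS = ("EXPORT", "EXP-", "DES", "RC2", "RC4", "MD5", "NULL")


def is_weak(name):
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def weak_suites(names):
    """Return the suites from names that should be removed."""
    return [n for n in names if is_weak(n)]


# OpenSSL cipher-string: strong suites only, export/DES/RC2/RC4/MD5 removed.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC2:!RC4:!MD5"


def hardened_server_context():
    """Server-side TLS context that refuses the weak suites entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # also rules out SSL2/SSL3
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def enabled_suite_names(ctx=None):
    """Names of the suites the local OpenSSL actually enables for ctx."""
    ctx = ctx or hardened_server_context()
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("flagged from the post's list:", weak_suites(PAGE_SUITES))
    names = enabled_suite_names()
    print(len(names), "suites enabled; weak among them:", weak_suites(names))
```

The same cipher string drops into Apache's `SSLCipherSuite` or nginx's `ssl_ciphers`; the Python context is just a convenient way to see what a given OpenSSL build resolves it to.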

3. Those browsers don’t support most web technologies

Are you going to spend the effort creating an alternate site for the already insecure users who can’t browse your current site? Didn’t think so.

4. Are people with a badly outdated machine going to purchase anything from you?

So is the rare person (you’d need a lot of site traffic, statistically speaking, to have a single visitor with a browser that old) with a machine 12+ years old going to purchase something that is going to make the $995 a year worth it? Are you running a software company whose software only runs on Windows 2000 SP4+ and the rest of the NT line up to Windows 7?

5. They cost much more

You can get an EV certificate for a tenth of the price of a standard SGC certificate if you know where to look. Is it really worth going with an SGC cert just to “secure” users who can’t navigate your site anyway?

6. They don’t make normal users any more secure

In fact, browsers today can’t even use the flawed SSL2.

Just a tip: sometimes I come across someone asking if EV certificates support SGC, and yes some do.

Cheers,

Steve

WordPress, Permalinks and Infinite Redirects

17 Aug 2010

While setting up my new site, I was testing out the nav menu; however, /presentations/ and /documents/ looped without end. It should be noted that directories with the same names existed as the page slugs (permalinks). So I changed the .htaccess to apply the rewrite even if a directory exists:

#RewriteCond %{REQUEST_FILENAME} !-d

After inspecting the headers being sent I saw:

Location: presentations/
Location: presentations
Location: presentations/
Location: presentations
Location: presentations/
Location: presentations
Location: presentations/
Location: presentations
Location: presentations/
Location: presentations
Location: presentations/
Location: presentations

So after pages of irrelevant Google results I came across a solution.

Solution: Add a trailing slash at the end of the permalink.

And so the problem was solved. :)
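As an added illustration (my own model, not code from the site or from WordPress), the loop above can be reproduced offline with two redirect rules and a hop-capped resolver. The model assumes Apache's mod_dir adds the trailing slash for an existing directory (its default DirectorySlash behaviour) and that WordPress's canonical redirect then normalises the slash to match the permalink structure; which component issued which Location header is an assumption here, not something the post states.

```python
from typing import Optional

MAX_HOPS = 10


def apache_mod_dir(path: str, directories: set) -> Optional[str]:
    """Model of mod_dir: an existing directory requested without a trailing
    slash is redirected to the same path with one."""
    if not path.endswith("/") and path in directories:
        return path + "/"
    return None


def wp_canonical(path: str, trailing_slash: bool) -> Optional[str]:
    """Model of the WordPress canonical redirect: make the trailing slash
    agree with the permalink structure (assumed to be the strip-slash side)."""
    if trailing_slash and not path.endswith("/"):
        return path + "/"
    if not trailing_slash and path.endswith("/") and len(path) > 1:
        return path[:-1]
    return None


def resolve(path: str, directories: set, trailing_slash: bool, max_hops: int = MAX_HOPS):
    """Follow redirects with a hop cap. Returns (final_path, chain, looped);
    looped is True when a Location repeats or the hop budget is exhausted."""
    chain = [path]
    for _ in range(max_hops):
        nxt = apache_mod_dir(path, directories)
        if nxt is None:
            nxt = wp_canonical(path, trailing_slash)
        if nxt is None:
            return path, chain, False            # no further redirect
        if nxt in chain:
            return nxt, chain + [nxt], True      # revisiting: infinite loop
        chain.append(nxt)
        path = nxt
    return path, chain, True


if __name__ == "__main__":
    dirs = {"/presentations", "/documents"}     # constructed: slug == directory
    for slash in (False, True):
        final, chain, looped = resolve("/presentations", dirs, trailing_slash=slash)
        print(f"permalink trailing slash={slash}: looped={looped} chain={chain}")
```

With the permalink structure lacking a trailing slash the two rules hand the request back and forth exactly as the Location headers above show; with the trailing slash in the permalink the first redirect already lands on a path both rules accept.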