2019-10-22 - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem

Header Data

From: Sergen Çolak <se***7@gmail.com>
Message Hash: 2256d655784014ed43d568ec44b7cff5f8bd6c0c331220132d65ba9c3e2e24f7
Message ID: <CAFb3bYBh0HKzr_UWCbJrU1R+ArebQ_bkpz6P_LRLWz4FHhpBKw@mail.gmail.com>
Reply To: <CADDedMF==opg5fbaNnMFUoPFhM=y=Okg3TOAsURcNF2CimZRkw@mail.gmail.com>
UTC Datetime: 2019-10-22 02:10:55 UTC
Raw Date: Tue, 22 Oct 2019 12:10:55 +0300

Raw message

Hello Emre,
I understand what you mean, but I think it would have a side effect, so if
you're wrong, I'd like you to warn me. When I logoff, the page will be
refreshed and the guest may interrupt when logging in.

That's how I solved the problem. I'm reading the challenge value with
jQuery on 192.168.80.1/json/status. I am renewing challenge input values
with setInterval. Seems to be running smoothly. But I don't know if it has
any side effects. I'm in observation.
Thank you for your help.

On Tue, 22 Oct 2019 at 11:19, emre erdoğan <po***e@gmail.com> wrote:

> Hi Sergen
>
> You are right. http://1.0.0.0 didn't change the challenge value. But you
> may try http://192.168.80.1:3990/json/logoff
> <http://10.1.0.1:3990/json/logoff>
>
> Coova chilli has a session timeout and in this period it doesn't change
> "challenge" value. If you call chilli logout page (maybe with an iframe)
> before redirect to login page, user's session will be completely reset.
>
> Tim knows the best about its side effects. This is only a theory for your
> timeout and challenge value problems.
>
> Good days...
>
>
> On Mon, 21 Oct 2019 at 15:11, Sergen Çolak <se***7@gmail.com> wrote:
>
>> Yes, but Grase does not. URL and form hidden input value does not change.
>> The challenge values are always the same, but the nojslogin page can
>> somehow get the transition. How do I make an adaptation like this?
>>
>> On Mon, 21 Oct 2019 at 14:42, emre erdoğan <po***e@gmail.com> wrote:
>>
>>> If there is a security issue as Tim mentioned before, then it is better
>>> not to change any challenge value.
>>>
>>> I thought the problem could be solved with a simple redirect. If the
>>> user is directed to http://1.0.0.0 with a meta refresh every 10 or 20
>>> seconds, we can always have a new challenge value.
>>>
>>> On Mon, 21 Oct 2019 at 14:30, Sergen Çolak <se***7@gmail.com> wrote:
>>>
>>>> Hello again, Tim and Emre,
>>>> Routing is working. Coming to the login screen. However, even if the
>>>> challenge value has changed, I would like to grant access without affecting
>>>> the user in any way.
>>>>
>>>> When I review the Grase Hotspot files, the form action looks like
>>>> nojslogin.php. The Challenge value in the Nojslogin file is getting POST.
>>>> However, although the Challenge value hidden in Portal.tpl is not the same
>>>> as the JSON values, it can get pass permission. I understand that a few
>>>> more processes are going on in the background. How can I adapt this to
>>>> myself? What should I watch out for? I use my form directly as a POST, not
>>>> as an action.
>>>>
>>>> On Mon, 21 Oct 2019 at 14:24, emre erdoğan <po***e@gmail.com> wrote:
>>>>
>>>>> Hi Sergen.
>>>>>
>>>>> Did you try to redirect to "http://1.0.0.0" by using meta refresh?
>>>>>
>>>>> On Mon, 21 Oct 2019 at 09:50, Sergen Çolak <se***7@gmail.com> wrote:
>>>>>
>>>>>> Thank you for your quick response, Tim.
>>>>>> I don't use the Javascript page. I submit the HTML Page with the
>>>>>> form. Then I take the required values and use a function as follows.
>>>>>> function attempt_login() {
>>>>>>     global $uamsecret, $userpassword, $username, $password;
>>>>>>
>>>>>>     // Decode the 32-hex-digit challenge into 16 raw bytes.
>>>>>>     $hexchal = pack("H32", $_GET['chal']);
>>>>>>     // With a UAM secret, the effective challenge is MD5(challenge . uamsecret).
>>>>>>     $newchal = $uamsecret ? pack("H*", md5($hexchal . $uamsecret)) : $hexchal;
>>>>>>     // CHAP response: MD5(0x00 . password . challenge).
>>>>>>     $response = md5("\0" . $password . $newchal);
>>>>>>
>>>>>>     // PAP password: password padded to 32 bytes, XORed with the challenge.
>>>>>>     $newpwd = pack("a32", $password);
>>>>>>     $pappassword = implode('', unpack("H32", ($newpwd ^ $newchal)));
>>>>>>     if ((isset($uamsecret)) && isset($userpassword)) {
>>>>>>         // print implode('', array(
>>>>>>         //     '<meta http-equiv="refresh" content="0;url=',
>>>>>>         //     'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>>>>         //     'logon?username=', $username, '&password=', $pappassword, '">'
>>>>>>         // ));
>>>>>>     }
>>>>>>     else
>>>>>>     {
>>>>>>         print implode('', array(
>>>>>>             '<meta http-equiv="refresh" content="0;url=',
>>>>>>             'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>>>>             'logon?username=', $username, '&response=', $response, '">'
>>>>>>         ));
>>>>>>     }
>>>>>> }
>>>>>> Everything works correctly, but I'm guessing that if the Challenge
>>>>>> value is changed in the GET operation, res=failed is returned. How can I
>>>>>> prevent this?
>>>>>>
>>>>>> On Sun, 20 Oct 2019 at 04:18, Tim <ti***8@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Sergen
>>>>>>>
>>>>>>> Unfortunately, the challenge value will continue to change as time
>>>>>>> goes on. This is to prevent replay attacks and other such things. However,
>>>>>>> if you're using the JS login page, it should already be fetching a new
>>>>>>> challenge before it submits the login attempt. Are you using the JS page,
>>>>>>> or the plain text version?
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>> On Sun, 20 Oct 2019 at 00:30, Sergen Çolak <se***7@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello everybody,
>>>>>>>> I have a question about Coovachilli. The link to the first time my
>>>>>>>> PHP Page was loaded,
>>>>>>>>
>>>>>>>> http://192.168.80.1/admin/uam/hotspot?res=notyet&uamip=192.168.80.1&uamport=3990&challenge=8117e6bf4eb10d19edf8d47af8237bdd
>>>>>>>> When I look at http://192.168.80.1:3990/json/status
>>>>>>>> {"version": "1.0", "clientState": 0, "challenge":
>>>>>>>> "8117e6bf4eb10d19edf8d47af8237bdd" ....
>>>>>>>> The challenge value that appears in json/status changes when I do
>>>>>>>> not login for a certain time. And when I try to login, I get res=failed
>>>>>>>> even though my username and password are correct. The Challenge mismatch in
>>>>>>>> the Form, which appears to be exactly in Json. Can I prevent the challenge
>>>>>>>> value from changing?
>>>>>>>> Sorry for the bad English. Thank you.
>>>>>>>>
>>>>>>>> --
>>>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>>>> http://grasehotspot.org
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "Grase Hotspot" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to gr***e@grasehotspot.org.
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org
>>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>>> .
>>>>>>>>
>
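
The CHAP computation from the `attempt_login` function quoted above, together with the effect of challenge rotation that the thread discusses, as an added example that is not part of the original messages or of the Grase or CoovaChilli code. `ToyGateway` is a simplified, constructed stand-in for the controller; the password, UAM secret and rotated challenge are constructed sample values.

```python
import hashlib
import hmac

def chap_response(challenge_hex: str, password: str, uamsecret: str = "") -> str:
    """Same steps as the quoted PHP: MD5(0x00 . password . challenge)."""
    chal = bytes.fromhex(challenge_hex)              # pack("H32", ...)
    if uamsecret:                                    # challenge -> MD5(challenge . uamsecret)
        chal = hashlib.md5(chal + uamsecret.encode()).digest()
    return hashlib.md5(b"\x00" + password.encode() + chal).hexdigest()

class ToyGateway:
    """Constructed stand-in for the controller (not CoovaChilli code)."""
    def __init__(self, password: str, uamsecret: str, challenge_hex: str):
        self.password, self.uamsecret = password, uamsecret
        self.challenge = challenge_hex

    def status(self) -> dict:
        # Shape follows the json/status excerpt quoted in the thread.
        return {"version": "1.0", "clientState": 0, "challenge": self.challenge}

    def rotate(self, new_challenge_hex: str) -> None:
        self.challenge = new_challenge_hex           # happens while the form sits idle

    def logon(self, response_hex: str) -> str:
        expected = chap_response(self.challenge, self.password, self.uamsecret)
        return "success" if hmac.compare_digest(response_hex, expected) else "failed"

def login_with_fresh_challenge(gw: ToyGateway, password: str, uamsecret: str) -> str:
    """Read the current challenge immediately before computing the response."""
    current = gw.status()["challenge"]
    return gw.logon(chap_response(current, password, uamsecret))

def demo() -> tuple:
    page_challenge = "8117e6bf4eb10d19edf8d47af8237bdd"   # value shown in the thread
    rotated = "00112233445566778899aabbccddeeff"          # constructed
    password, secret = "guest-pass", "example-uamsecret"  # constructed
    gw = ToyGateway(password, secret, page_challenge)
    stale_response = chap_response(page_challenge, password, secret)
    gw.rotate(rotated)                                    # idle timeout passes
    stale = gw.logon(stale_response)                      # form still holds the old value
    fresh = login_with_fresh_challenge(gw, password, secret)
    return stale, fresh

if __name__ == "__main__":
    print(demo())
```

Only the challenge has to reach the browser; the response is computed where the UAM secret lives, so the secret never appears in page source.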

Thread