2019-10-27 - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem

Header Data

From: Tim <ti***8@gmail.com>
Message Hash: 2dacd59a76ff4f234cc2edd72e2457d4af44b41e7a3ae13a4403dd91b8e2365d
Message ID: <CAESLx0KdyCOCsY1tEqPoYFBRDsEf=8hfCQ3srGNLbm9v9ZRwVA@mail.gmail.com>
Reply To: <CAFb3bYBh0HKzr_UWCbJrU1R+ArebQ_bkpz6P_LRLWz4FHhpBKw@mail.gmail.com>
UTC Datetime: 2019-10-27 14:35:26 UTC
Raw Date: Mon, 28 Oct 2019 07:35:26 +1000

Raw message

Hi Sergen

Just to add clarification. The nojs login method is insecure. Currently, it
submits the username, password, and challenge (which it got at page load)
to a PHP script that does the challenge-response calculation, and then
redirects to the actual login url with that challenge-response. This is all
done in plain text, over what is most likely an open wifi network, allowing
anyone to sniff the login packets getting the username and password.

There are 2 modern ways to do this. The first is the JS login method, which
does the challenge and response in the browser, and never sends the
password over the insecure network. This is currently how the Grase Hotspot
works in the latest versions. The second way of doing this is with a normal
username/password login, over HTTPS (SSL), to ensure that the password is
transmitted securely. This isn't currently practical for hotspot operators
without significantly more setup to get a domain name registered and
working, as well as purchasing an SSL certificate for that domain name.
(Let's Encrypt would be great if we could use that, but that would require
our hotspot portal to be public facing on the internet).

For now, we'll continue using JS logins to secure things, and in the
future, if we have a hosted service we may consider the HTTPS method.

I understand some people don't like the idea of a login that requires JS,
but the reality is that 99% of devices connecting through these hotspots
will support JS, otherwise their use of the internet would be highly
degraded. 10 years ago when this project was just starting, the internet
was a very different place, which is why the nojs login existed.

Regards

Tim

On Tue, 22 Oct 2019 at 19:11, Sergen Çolak <se***7@gmail.com> wrote:

> Hello Emre,
> I understand what you mean, but I think it would have a side effect, so if
> you're wrong, I'd like you to warn me. When I logoff, the page will be
> refreshed and the guest may interrupt when logging in.
>
> That's how I solved the problem. I'm reading the challenge value with
> jQuery on 192.168.80.1/json/status. I am renewing challenge input values
> with setInterval. Seems to be running smoothly. But I don't know if it has
> any side effects. I'm in observation.
> Thank you for your help.
>
> On Tue, 22 Oct 2019 at 11:19, emre erdoğan <po***e@gmail.com> wrote:
>
>> Hi Sergen
>>
>> You are right. http://1.0.0.0 didn't change the challenge value. But you
>> may try http://192.168.80.1:3990/json/logoff
>> <http://10.1.0.1:3990/json/logoff>
>>
>> Coova chilli has a session timeout and in this period it doesn't change
>> "challenge" value. If you call chilli logout page (may be with an iframe)
>> before redirecting to login page, user's session will be completely reset.
>>
>> Tim knows the best about its side effects. This is only a theory for your
>> timeout and challenge value problems.
>>
>> Good days...
>>
>>
>> On Mon, 21 Oct 2019 at 15:11, Sergen Çolak <se***7@gmail.com> wrote:
>>
>>> Yes, but Grase does not. URL and form hidden input value does not
>>> change. The challenge values are always the same, but the nojslogin page
>>> can somehow get the transition. How do I make an adaptation like this?
>>>
>>> On Mon, 21 Oct 2019 at 14:42, emre erdoğan <po***e@gmail.com> wrote:
>>>
>>>> If there is a security issue as Tim mentioned before, then it is better
>>>> not to change any challenge value.
>>>>
>>>> I thought the problem could be solved with a simple redirect. If the
>>>> user is directed to http://1.0.0.0 with a meta refresh every 10 or 20
>>>> seconds, we can always have a new challenge value.
>>>>
>>>> On Mon, 21 Oct 2019 at 14:30, Sergen Çolak <se***7@gmail.com> wrote:
>>>>
>>>>> Hello again, Tim and Emre,
>>>>> Routing is working. Coming to the login screen. However, even if the
>>>>> challenge value has changed, I would like to grant access without affecting
>>>>> the user in any way.
>>>>>
>>>>> When I review the Grase Hotspot files. Form Action looks as
>>>>> nojslogin.php. The Challenge value in the Nojslogin file is getting POST.
>>>>> However, although the Challenge value hidden in Portal.tpl is not the same
>>>>> as the JSON values, it can get pass permission. I understand that a few
>>>>> more processes are going on in the background. How can I adapt this to
>>>>> myself? What should I watch out for? I use my form directly as a POST, not
>>>>> as an action.
>>>>>
>>>>> On Mon, 21 Oct 2019 at 14:24, emre erdoğan <po***e@gmail.com> wrote:
>>>>>
>>>>>> Hi Sergen.
>>>>>>
>>>>>> Did you try to redirect to "http://1.0.0.0" by using meta refresh?
>>>>>>
>>>>>> On Mon, 21 Oct 2019 at 09:50, Sergen Çolak <se***7@gmail.com> wrote:
>>>>>>
>>>>>>> Thank you for your quick response, Tim.
>>>>>>> I don't use the Javascript page. I submit the HTML Page with the
>>>>>>> form. Then I take the required values and use a function as follows.
>>>>>>> function attempt_login() {
>>>>>>>     global $uamsecret, $userpassword, $username, $password;
>>>>>>>
>>>>>>>     // Challenge from the request: 32 hex digits -> 16 raw bytes
>>>>>>>     $hexchal = pack("H32", $_GET['chal']);
>>>>>>>     // With a uamsecret set, the effective challenge is md5(challenge . uamsecret)
>>>>>>>     $newchal = $uamsecret ? pack("H*", md5($hexchal . $uamsecret)) : $hexchal;
>>>>>>>     // CHAP-style response: md5("\0" . password . challenge)
>>>>>>>     $response = md5("\0" . $password . $newchal);
>>>>>>>
>>>>>>>     // PAP variant: padded password XORed with the challenge, hex-encoded
>>>>>>>     $newpwd = pack("a32", $password);
>>>>>>>     $pappassword = implode('', unpack("H32", ($newpwd ^ $newchal)));
>>>>>>>     if ((isset($uamsecret)) && isset($userpassword)) {
>>>>>>>         // print implode('', array(
>>>>>>>         //     '<meta http-equiv="refresh" content="0;url=',
>>>>>>>         //     'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>>>>>         //     'logon?username=', $username, '&password=', $pappassword, '">'
>>>>>>>         // ));
>>>>>>>     } else {
>>>>>>>         // Redirect the browser to the gateway's logon URL with the response
>>>>>>>         print implode('', array(
>>>>>>>             '<meta http-equiv="refresh" content="0;url=',
>>>>>>>             'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>>>>>             'logon?username=', $username, '&response=', $response, '">'
>>>>>>>         ));
>>>>>>>     }
>>>>>>> }
>>>>>>> Everything works correctly, but I'm guessing that if the Challenge
>>>>>>> value is changed in the GET operation, res = Failed is returned. How can I
>>>>>>> prevent this?
>>>>>>>
>>>>>>> On Sun, 20 Oct 2019 at 04:18, Tim <ti***8@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Sergen
>>>>>>>>
>>>>>>>> Unfortunately, the challenge value will continue to change as time
>>>>>>>> goes on. This is to prevent replay attacks and other such things. However,
>>>>>>>> if you're using the JS login page, it should already be fetching a new
>>>>>>>> challenge before it submits the login attempt. Are you using the JS page,
>>>>>>>> or the plain text version?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Tim
>>>>>>>>
>>>>>>>> On Sun, 20 Oct 2019 at 00:30, Sergen Çolak <se***7@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello everybody,
>>>>>>>>> I have a question about Coovachilli. The link to the first time my
>>>>>>>>> PHP Page was loaded,
>>>>>>>>>
>>>>>>>>> http://192.168.80.1/admin/uam/hotspot?res=notyet&uamip=192.168.80.1&uamport=3990&challenge=8117e6bf4eb10d19edf8d47af8237bdd
>>>>>>>>> When I look at http://192.168.80.1:3990/json/status
>>>>>>>>> {"version": "1.0", "clientState": 0, "challenge":
>>>>>>>>> "8117e6bf4eb10d19edf8d47af8237bdd" ....
>>>>>>>>> The challenge value that appears in Json / status changes when I
>>>>>>>>> do not login for a certain time. And when I try to login, I get res =
>>>>>>>>> failed even though my username and password are correct. The Challenge
>>>>>>>>> mismatch in the Form, which appears to be exactly in Json. Can I prevent
>>>>>>>>> the challenge value from changing?
>>>>>>>>> Sorry for the bad English. Thank you.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>>>>> http://grasehotspot.org
>>>>>>>>> ---
>>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>>> Groups "Grase Hotspot" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>> send an email to gr***e@grasehotspot.org.
>>>>>>>>> To view this discussion on the web visit
>>>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org
>>>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>>>> .
>>>>>>>>>
>
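
Added example (not part of the original thread, and not Grase or CoovaChilli code): a Python version of the challenge-response calculation from the PHP function quoted above. It shows why a response built from the page-load challenge is rejected once the challenge has rotated, and that the logon URL carries only the hash, not the password. The `gateway_accepts` check, the rotated challenge, the username, the password and the uamsecret are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import quote

def effective_challenge(challenge_hex, uamsecret=""):
    """Raw 16-byte challenge, or md5(challenge + uamsecret) when a secret is set."""
    chal = bytes.fromhex(challenge_hex)
    if len(chal) != 16:
        raise ValueError("challenge must be 32 hex digits")
    return hashlib.md5(chal + uamsecret.encode()).digest() if uamsecret else chal

def chap_response(password, challenge_hex, uamsecret=""):
    """md5("\\0" + password + challenge): the value sent as response= on the logon URL."""
    newchal = effective_challenge(challenge_hex, uamsecret)
    return hashlib.md5(b"\x00" + password.encode() + newchal).hexdigest()

def logon_url(uamip, uamport, username, response):
    """What crosses the network when only the response is submitted."""
    return f"http://{uamip}:{uamport}/logon?username={quote(username)}&response={response}"

def gateway_accepts(response, password, current_challenge_hex, uamsecret=""):
    """Simplified stand-in for the server-side check (assumption, not CoovaChilli code):
    recompute the response from the challenge held *now* and compare."""
    expected = chap_response(password, current_challenge_hex, uamsecret)
    return hmac.compare_digest(response, expected)

def demo():
    # Constructed sample values; only the first challenge is quoted from the thread.
    password, secret = "s3cret-example", "example-uamsecret"
    at_page_load = "8117e6bf4eb10d19edf8d47af8237bdd"
    after_timeout = "00112233445566778899aabbccddeeff"  # constructed rotated challenge

    stale = chap_response(password, at_page_load, secret)
    fresh = chap_response(password, after_timeout, secret)
    url = logon_url("192.168.80.1", 3990, "guest", fresh)
    return {
        "stale_accepted": gateway_accepts(stale, password, after_timeout, secret),
        "fresh_accepted": gateway_accepts(fresh, password, after_timeout, secret),
        "password_in_url": password in url,
        "url": url,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
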
