2019-10-21 - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem
Header Data
From: Sergen Çolak <se***7@gmail.com>
Message Hash: 4ed9358682abad0f771a3f6f744c376d464acc34cc6e7f24375ca71ae60b2013
Message ID: <CAFb3bYDCRdFQJ8-tvSZCqMXDKLUasw9sDU9Fs+OZQH5xA5qnuA@mail.gmail.com>
Reply To: <CADDedMGMbm+VASBnS7gqHNUsFkFYUupKAMy7_Wxs-CRspc524Q@mail.gmail.com>
UTC Datetime: 2019-10-21 05:11:26 UTC
Raw Date: Mon, 21 Oct 2019 15:11:26 +0300
Raw message
Yes, but Grase does not. URL And Form hidden input value does not change.
The challenge values are always the same, but the nojslogin page can
somehow get the transition. How do I make an adaptation like this
emre erdoğan <po***e@gmail.com>, 21 Eki 2019 Pzt, 14:42 tarihinde şunu
yazdı:
> If there is a security issue as Tim mentioned before, than it is better to
> not to change any challenge value.
>
> I thought the problem could be solved with a simple redirect. If the user
> is directed to http://1.0.0.0 with a meta refresh every 10 or 20 seconds,
> we can always have a new challenge value.
>
> Sergen Çolak <se***7@gmail.com>, 21 Eki 2019 Pzt, 14:30 tarihinde
> şunu yazdı:
>
>> Hello again, Tim and Emre,
>> Routing is working. Coming to the login screen. However, even if the
>> challenge value has changed, I would like to grant access without affecting
>> the user in any way.
>>
>> When I review the Grase Hotspot files. Form Action looks as
>> nojslogin.php. The Challenge value in the Nojslogin file is getting POST.
>> However, although the Challenge value hidden in Portal.tpl is not the same
>> as the JSON values, it can get pass permission. I understand that a few
>> more processes are going on in the background. How can I adapt this to
>> myself? What should I watch out for? I use my form directly as a POST, not
>> as an action.
>>
>> emre erdoğan <po***e@gmail.com>, 21 Eki 2019 Pzt, 14:24 tarihinde
>> şunu yazdı:
>>
>>> Hi Sergen.
>>>
>>> Did you try to redirect to "http://1.0.0.0" by using meta refresh?
>>>
>>> Sergen Çolak <se***7@gmail.com>, 21 Eki 2019 Pzt, 09:50
>>> tarihinde şunu yazdı:
>>>
>>>> Thank you for your quick response, Tim.
>>>> I don't use the Javascript page. I submit the HTML Page with the form.
>>>> Then I take the required values and use a function as follows.
>>>> function attempt_login () {
>>>> global $ uamsecret, $ userpassword, $ username, $ password;
>>>>
>>>> $ hexchal = pack ("H32", $ _GET ['chal']);
>>>> $ newchal = $ uamsecret? pack ("H *", md5 ($ hexchal. $ uamsecret)): $
>>>> hexchal;
>>>> $ response = md5 ("\ 0". $ password. $ newchal);
>>>>
>>>> $ newpwd = pack ("a32", $ password);
>>>> $ pappassword = implode ('', unpack ("H32", ($ newpwd ^ $ newchal)));
>>>> if ((isset ($ uamsecret)) && isset ($ userpassword)) {
>>>> // print implode ('', array (
>>>> // '<meta http-equiv = "refresh" content = "0; url =',
>>>> // 'http: //', $ _GET ['uamip'], ':', $ _GET ['uamport'], '/',
>>>> // 'logon? username =', $ username, '& password =', $ pappassword, '">'
>>>> //));
>>>> }
>>>> else
>>>> {
>>>> print implode ('', array (
>>>> '<meta http-equiv = "refresh" content = "0; url =',
>>>> 'http: //', $ _GET ['uamip'], ':', $ _GET ['uamport'], '/',
>>>> 'logon? username =', $ username, '& response =', $ response, '">'
>>>> ));
>>>> }
>>>> }
>>>> Everything works correctly, but I'm guessing that if the Challenge
>>>> value is changed in the GET operation, res = Failed is returned. How can I
>>>> prevent this?
>>>>
>>>> Tim <ti***8@gmail.com>, 20 Eki 2019 Paz, 04:18 tarihinde şunu
>>>> yazdı:
>>>>
>>>>> Hi Sergen
>>>>>
>>>>> Unfortunately, the challenge value will continue to change as time
>>>>> goes on. This is to prevent replay attacks and other such things. However,
>>>>> if you're using the JS login page, it should already be fetching a new
>>>>> challenge before it submits the login attempt. Are you using the JS page,
>>>>> or the plain text version?
>>>>>
>>>>> Regards
>>>>>
>>>>> Tim
>>>>>
>>>>> On Sun, 20 Oct 2019 at 00:30, Sergen Çolak <se***7@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello everybody,
>>>>>> I have a question about Coovachilli. The link to the first time my
>>>>>> PHP Page was loaded,
>>>>>>
>>>>>> http://192.168.80.1/admin/uam/hotspot?res=notyet&uamip=192.168.80.1&uamport=3990&challenge=8117e6bf4eb10d19edf8d47af8237bdd
>>>>>> When I look at http://192.168.80.1:3990/json/status
>>>>>> {"version": "1.0", "clientState": 0, "challenge":
>>>>>> "8117e6bf4eb10d19edf8d47af8237bdd" ....
>>>>>> The challenge value that appears in Json / status changes when I do
>>>>>> not login for a certain time. And when I try to login, I get res = failed
>>>>>> even though my username and password are correct. The Challenge mismatch in
>>>>>> the Form, which appears to be exactly in Json. Can I prevent the challenge
>>>>>> value from changing?
>>>>>> Sorry for the bad English. Thank you.
>>>>>>
>>>>>> --
>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>> http://grasehotspot.org
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Grase Hotspot" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to gr***e@grasehotspot.org.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org
>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
>>>>> --
>>>>> This mailing list is for the Grase Hotspot Project
>>>>> http://grasehotspot.org
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Grase Hotspot" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to gr***e@grasehotspot.org.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0%2BoTs5YO7qX4ykDD21GfzKT3-yuKFAp5S0R0ippvnyu8g%40mail.gmail.com
>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAESLx0%2BoTs5YO7qX4ykDD21GfzKT3-yuKFAp5S0R0ippvnyu8g%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>> --
>>>> This mailing list is for the Grase Hotspot Project
>>>> http://grasehotspot.org
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Grase Hotspot" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to gr***e@grasehotspot.org.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAFb3bYD%2B5MpmvBFLXsrfph%3DS5uEfBUdz4Wvax44iObT7jK84jQ%40mail.gmail.com
>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAFb3bYD%2B5MpmvBFLXsrfph%3DS5uEfBUdz4Wvax44iObT7jK84jQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>> --
>>> This mailing list is for the Grase Hotspot Project
>>> http://grasehotspot.org
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Grase Hotspot" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to gr***e@grasehotspot.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CADDedMGezjEUNOuHpDPVGD9fiqQxFqbshkJ4TX4wJL%3Dmh5aULw%40mail.gmail.com
>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CADDedMGezjEUNOuHpDPVGD9fiqQxFqbshkJ4TX4wJL%3Dmh5aULw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>> --
>> This mailing list is for the Grase Hotspot Project
>> http://grasehotspot.org
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "Grase Hotspot" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to gr***e@grasehotspot.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAFb3bYAqMkaaS_w%2BghQATYDDBF_QwovEvpMx72hUx9FC79To4g%40mail.gmail.com
>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CAFb3bYAqMkaaS_w%2BghQATYDDBF_QwovEvpMx72hUx9FC79To4g%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
> --
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> ---
> You received this message because you are subscribed to the Google Groups
> "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gr***e@grasehotspot.org.
> To view this discussion on the web visit
> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CADDedMGMbm%2BVASBnS7gqHNUsFkFYUupKAMy7_Wxs-CRspc524Q%40mail.gmail.com
> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/CADDedMGMbm%2BVASBnS7gqHNUsFkFYUupKAMy7_Wxs-CRspc524Q%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
Thread
-
Return to October 2019
- Return to “emre erdoğan <po***e@gmail.com>”
- Return to “Sergen Çolak <se***7@gmail.com>”
-
Return to “Tim <ti***8@gmail.com>”
- 2019-10-19 (Sat, 19 Oct 2019 07:30:12 -0700) - CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-19 (Sun, 20 Oct 2019 11:18:39 +1000) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Tim <ti***8@gmail.com>
- 2019-10-20 (Mon, 21 Oct 2019 09:50:37 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 14:24:17 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - emre erdoğan <po***e@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 14:30:05 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 14:42:04 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - emre erdoğan <po***e@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 15:11:26 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-22 (Tue, 22 Oct 2019 11:18:27 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - emre erdoğan <po***e@gmail.com>
- 2019-10-22 (Tue, 22 Oct 2019 12:10:55 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-27 (Mon, 28 Oct 2019 07:35:26 +1000) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Tim <ti***8@gmail.com>
- 2019-10-22 (Tue, 22 Oct 2019 12:10:55 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-22 (Tue, 22 Oct 2019 11:18:27 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - emre erdoğan <po***e@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 15:11:26 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 14:42:04 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - emre erdoğan <po***e@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 14:30:05 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-21 (Mon, 21 Oct 2019 14:24:17 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - emre erdoğan <po***e@gmail.com>
- 2019-10-20 (Mon, 21 Oct 2019 09:50:37 +0300) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Sergen Çolak <se***7@gmail.com>
- 2019-10-19 (Sun, 20 Oct 2019 11:18:39 +1000) - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem - Tim <ti***8@gmail.com>