2019-10-21 - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem

Header Data

From: emre erdoğan <po***e@gmail.com>
Message Hash: c4233e3ed774c6de2e768347ad47746dab8514b87968f5b08e45b61a02bd62d0
Message ID: <CADDedMGMbm+VASBnS7gqHNUsFkFYUupKAMy7_Wxs-CRspc524Q@mail.gmail.com>
Reply To: <CAFb3bYAqMkaaS_w+ghQATYDDBF_QwovEvpMx72hUx9FC79To4g@mail.gmail.com>
UTC Datetime: 2019-10-21 04:42:04 UTC
Raw Date: Mon, 21 Oct 2019 14:42:04 +0300

Raw message

If there is a security issue as Tim mentioned before, then it is better
not to change any challenge value.

I thought the problem could be solved with a simple redirect. If the user
is directed to http://1.0.0.0 with a meta refresh every 10 or 20 seconds,
we can always have a new challenge value.

Sergen Çolak <se***7@gmail.com> wrote on Mon, 21 Oct 2019 at 14:30:

> Hello again, Tim and Emre,
> Routing is working. Coming to the login screen. However, even if the
> challenge value has changed, I would like to grant access without affecting
> the user in any way.
>
> When I review the Grase Hotspot files, the form action appears as nojslogin.php.
> The Challenge value in the Nojslogin file is getting POST. However,
> although the Challenge value hidden in Portal.tpl is not the same as the
> JSON values, it can get pass permission. I understand that a few more
> processes are going on in the background. How can I adapt this to myself?
> What should I watch out for? I use my form directly as a POST, not as an
> action.
>
> emre erdoğan <po***e@gmail.com> wrote on Mon, 21 Oct 2019 at 14:24:
>
>> Hi Sergen.
>>
>> Did you try to redirect to "http://1.0.0.0" by using meta refresh?
>>
>> Sergen Çolak <se***7@gmail.com> wrote on Mon, 21 Oct 2019 at 09:50:
>>
>>> Thank you for your quick response, Tim.
>>> I don't use the Javascript page. I submit the HTML Page with the form.
>>> Then I take the required values and use a function as follows.
>>> function attempt_login() {
>>>     global $uamsecret, $userpassword, $username, $password;
>>>
>>>     // Decode the 32-hex-character challenge into 16 raw bytes
>>>     $hexchal = pack("H32", $_GET['chal']);
>>>     // With a uamsecret configured, the challenge becomes MD5(challenge . uamsecret)
>>>     $newchal = $uamsecret ? pack("H*", md5($hexchal . $uamsecret)) : $hexchal;
>>>     // CHAP response: MD5(0x00 . password . challenge)
>>>     $response = md5("\0" . $password . $newchal);
>>>
>>>     // PAP alternative: password padded to 32 bytes, XORed with the challenge
>>>     $newpwd = pack("a32", $password);
>>>     $pappassword = implode('', unpack("H32", ($newpwd ^ $newchal)));
>>>     if ((isset($uamsecret)) && isset($userpassword)) {
>>>         // print implode('', array(
>>>         //     '<meta http-equiv="refresh" content="0;url=',
>>>         //     'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>         //     'logon?username=', $username, '&password=', $pappassword, '">'
>>>         // ));
>>>     }
>>>     else
>>>     {
>>>         print implode('', array(
>>>             '<meta http-equiv="refresh" content="0;url=',
>>>             'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>             'logon?username=', $username, '&response=', $response, '">'
>>>         ));
>>>     }
>>> }
>>> Everything works correctly, but I'm guessing that if the Challenge value
>>> is changed in the GET operation, res=failed is returned. How can I
>>> prevent this?
>>>
>>> Tim <ti***8@gmail.com> wrote on Sun, 20 Oct 2019 at 04:18:
>>>
>>>> Hi Sergen
>>>>
>>>> Unfortunately, the challenge value will continue to change as time goes
>>>> on. This is to prevent replay attacks and other such things. However, if
>>>> you're using the JS login page, it should already be fetching a new
>>>> challenge before it submits the login attempt. Are you using the JS page,
>>>> or the plain text version?
>>>>
>>>> Regards
>>>>
>>>> Tim
>>>>
>>>> On Sun, 20 Oct 2019 at 00:30, Sergen Çolak <se***7@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello everybody,
>>>>> I have a question about CoovaChilli. The link to the first time my PHP
>>>>> Page was loaded,
>>>>>
>>>>> http://192.168.80.1/admin/uam/hotspot?res=notyet&uamip=192.168.80.1&uamport=3990&challenge=8117e6bf4eb10d19edf8d47af8237bdd
>>>>> When I look at http://192.168.80.1:3990/json/status
>>>>> {"version": "1.0", "clientState": 0, "challenge":
>>>>> "8117e6bf4eb10d19edf8d47af8237bdd" ....
>>>>> The challenge value that appears in json/status changes when I do
>>>>> not login for a certain time. And when I try to login, I get res=failed
>>>>> even though my username and password are correct. The Challenge mismatch in
>>>>> the Form, which appears to be exactly in Json. Can I prevent the challenge
>>>>> value from changing?
>>>>> Sorry for the bad English. Thank you.
>>>>>
>>>>> --
>>>>> This mailing list is for the Grase Hotspot Project
>>>>> http://grasehotspot.org
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Grase Hotspot" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to gr***e@grasehotspot.org.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org
>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>
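
The challenge handling discussed in this thread, as an added example that is not part of the original messages and is not GRASE or CoovaChilli code: it computes the CHAP response the way the quoted function does, then compares a response built from the challenge of the first page load with one built from a freshly fetched challenge. The uamsecret, password, username and second challenge are constructed sample values, and the comparison against `$expected` is an assumed stand-in for the check made on the CoovaChilli/RADIUS side.

```php
<?php
// Added example. Secret, password, username and $liveChal are constructed values.

// CHAP response as in the quoted function: MD5(0x00 . password . challenge),
// with the challenge first mixed with uamsecret when one is configured.
function chap_response(string $challengeHex, string $password, string $uamsecret): string
{
    if (!preg_match('/^[0-9a-f]{32}$/i', $challengeHex)) {
        throw new InvalidArgumentException('challenge must be 32 hex characters');
    }
    $chal = pack('H32', $challengeHex);
    if ($uamsecret !== '') {
        $chal = pack('H*', md5($chal . $uamsecret));
    }
    return md5("\0" . $password . $chal);
}

// Build the logon URL; request-derived values are validated and encoded
// instead of being concatenated into the redirect as-is.
function logon_url(string $uamip, string $uamport, string $username, string $response): string
{
    if (filter_var($uamip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false
        || !ctype_digit($uamport)) {
        throw new InvalidArgumentException('bad uamip or uamport');
    }
    return sprintf('http://%s:%d/logon?username=%s&response=%s',
        $uamip, (int) $uamport, rawurlencode($username), $response);
}

$uamsecret = 'example-uamsecret';                 // constructed
$password  = 'example-password';                  // constructed
$formChal  = '8117e6bf4eb10d19edf8d47af8237bdd';  // challenge from the first page load
$liveChal  = '0f1e2d3c4b5a69788796a5b4c3d2e1f0';  // constructed: challenge after rotation

// Assumed model of the controller side: it only accepts a response computed
// over the challenge it currently holds.
$expected = chap_response($liveChal, $password, $uamsecret);

$stale = chap_response($formChal, $password, $uamsecret);  // form left open too long
$fresh = chap_response($liveChal, $password, $uamsecret);  // challenge re-fetched first

var_dump(hash_equals($expected, $stale));
var_dump(hash_equals($expected, $fresh));

// The URL is HTML-escaped before it goes into a meta refresh attribute.
echo htmlspecialchars(logon_url('192.168.80.1', '3990', 'alice smith', $fresh), ENT_QUOTES), "\n";
```

The stale response fails and the fresh one matches, which is why the fix is to obtain the current challenge immediately before submitting rather than to stop the challenge from rotating.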
