2019-10-22 - Re: [GRASE-Hotspot] CoovaChilli Challenge Parameters Problem

Header Data

From: emre erdoğan <po***e@gmail.com>
Message Hash: e76eee47649ccd779abbae6e3091159d5f2c1cbac910fcb18d404e9f6d9241ee
Message ID: <CADDedMF==opg5fbaNnMFUoPFhM=y=Okg3TOAsURcNF2CimZRkw@mail.gmail.com>
Reply To: <CAFb3bYDCRdFQJ8-tvSZCqMXDKLUasw9sDU9Fs+OZQH5xA5qnuA@mail.gmail.com>
UTC Datetime: 2019-10-22 01:18:27 UTC
Raw Date: Tue, 22 Oct 2019 11:18:27 +0300

Raw message

Hi Sergen

You are right. http://1.0.0.0 didn't change the challenge value. But you
may try http://192.168.80.1:3990/json/logoff
<http://10.1.0.1:3990/json/logoff>

CoovaChilli has a session timeout, and during this period it doesn't change the
"challenge" value. If you call the chilli logout page (maybe with an iframe)
before redirecting to the login page, the user's session will be completely reset.

Tim knows best about its side effects. This is only a theory for your
timeout and challenge value problems.

Good days...


Sergen Çolak <se***7@gmail.com> wrote on Mon, 21 Oct 2019 at 15:11:

> Yes, but Grase does not. URL and form hidden input value does not change.
> The challenge values are always the same, but the nojslogin page can
> somehow get the transition. How do I make an adaptation like this?
>
> emre erdoğan <po***e@gmail.com> wrote on Mon, 21 Oct 2019 at 14:42:
>
>> If there is a security issue as Tim mentioned before, then it is better
>> not to change any challenge value.
>>
>> I thought the problem could be solved with a simple redirect. If the user
>> is directed to http://1.0.0.0 with a meta refresh every 10 or 20
>> seconds, we can always have a new challenge value.
>>
>> Sergen Çolak <se***7@gmail.com> wrote on Mon, 21 Oct 2019 at 14:30:
>>
>>> Hello again, Tim and Emre,
>>> Routing is working. Coming to the login screen. However, even if the
>>> challenge value has changed, I would like to grant access without affecting
>>> the user in any way.
>>>
>>> When I review the Grase Hotspot files. Form Action looks as
>>> nojslogin.php. The Challenge value in the Nojslogin file is getting POST.
>>> However, although the Challenge value hidden in Portal.tpl is not the same
>>> as the JSON values, it can get pass permission. I understand that a few
>>> more processes are going on in the background. How can I adapt this to
>>> myself? What should I watch out for? I use my form directly as a POST, not
>>> as an action.
>>>
>>> emre erdoğan <po***e@gmail.com> wrote on Mon, 21 Oct 2019 at 14:24:
>>>
>>>> Hi Sergen.
>>>>
>>>> Did you try to redirect to "http://1.0.0.0" by using meta refresh?
>>>>
>>>> Sergen Çolak <se***7@gmail.com> wrote on Mon, 21 Oct 2019 at 09:50:
>>>>
>>>>> Thank you for your quick response, Tim.
>>>>> I don't use the Javascript page. I submit the HTML Page with the form.
>>>>> Then I take the required values and use a function as follows.
>>>>> function attempt_login() {
>>>>>     global $uamsecret, $userpassword, $username, $password;
>>>>>
>>>>>     // Challenge from the query string, hex-decoded to 16 raw bytes
>>>>>     $hexchal = pack("H32", $_GET['chal']);
>>>>>     // With a uamsecret, the effective challenge is MD5(challenge . uamsecret)
>>>>>     $newchal = $uamsecret ? pack("H*", md5($hexchal . $uamsecret)) : $hexchal;
>>>>>     // CHAP-style response: MD5(0x00 . password . challenge)
>>>>>     $response = md5("\0" . $password . $newchal);
>>>>>
>>>>>     // PAP variant: NUL-padded password XORed with the challenge
>>>>>     $newpwd = pack("a32", $password);
>>>>>     $pappassword = implode('', unpack("H32", ($newpwd ^ $newchal)));
>>>>>     if ((isset($uamsecret)) && isset($userpassword)) {
>>>>>         // print implode('', array(
>>>>>         //     '<meta http-equiv="refresh" content="0;url=',
>>>>>         //     'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>>>         //     'logon?username=', $username, '&password=', $pappassword, '">'
>>>>>         // ));
>>>>>     }
>>>>>     else
>>>>>     {
>>>>>         print implode('', array(
>>>>>             '<meta http-equiv="refresh" content="0;url=',
>>>>>             'http://', $_GET['uamip'], ':', $_GET['uamport'], '/',
>>>>>             'logon?username=', $username, '&response=', $response, '">'
>>>>>         ));
>>>>>     }
>>>>> }
>>>>> Everything works correctly, but I'm guessing that if the Challenge
>>>>> value is changed in the GET operation, res = Failed is returned. How can I
>>>>> prevent this?
>>>>>
>>>>> Tim <ti***8@gmail.com> wrote on Sun, 20 Oct 2019 at 04:18:
>>>>>
>>>>>> Hi Sergen
>>>>>>
>>>>>> Unfortunately, the challenge value will continue to change as time
>>>>>> goes on. This is to prevent replay attacks and other such things. However,
>>>>>> if you're using the JS login page, it should already be fetching a new
>>>>>> challenge before it submits the login attempt. Are you using the JS page,
>>>>>> or the plain text version?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On Sun, 20 Oct 2019 at 00:30, Sergen Çolak <se***7@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello everybody,
>>>>>>> I have a question about Coovachilli. The link to the first time my
>>>>>>> PHP Page was loaded,
>>>>>>>
>>>>>>> http://192.168.80.1/admin/uam/hotspot?res=notyet&uamip=192.168.80.1&uamport=3990&challenge=8117e6bf4eb10d19edf8d47af8237bdd
>>>>>>> When I look at http://192.168.80.1:3990/json/status
>>>>>>> {"version": "1.0", "clientState": 0, "challenge":
>>>>>>> "8117e6bf4eb10d19edf8d47af8237bdd" ....
>>>>>>> The challenge value that appears in Json / status changes when I do
>>>>>>> not login for a certain time. And when I try to login, I get res = failed
>>>>>>> even though my username and password are correct. The Challenge mismatch in
>>>>>>> the Form, which appears to be exactly in Json. Can I prevent the challenge
>>>>>>> value from changing?
>>>>>>> Sorry for the bad English. Thank you.
>>>>>>>
>>>>>>> --
>>>>>>> This mailing list is for the Grase Hotspot Project
>>>>>>> http://grasehotspot.org
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Grase Hotspot" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to gr***e@grasehotspot.org.
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org
>>>>>>> <https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/c0d652a1-9f34-453c-81ad-249f3e94b09b%40grasehotspot.org?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>>
>
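
The challenge mismatch discussed in this thread, as an added example that is not part of the original messages or of Grase/CoovaChilli code: a Python port of the response computation from the posted PHP function, next to a simplified model of the gateway-side check. `UAMSECRET`, the password, the rotated challenge in `STATUS_LATER` and the helper `gateway_accepts` are constructed for illustration.

```python
import hashlib
import hmac
import json

UAMSECRET = "example-uamsecret"   # assumed value, shared by portal and chilli
PASSWORD = "correct horse"        # constructed sample password

def effective_challenge(challenge_hex, uamsecret):
    """pack("H32", chal), then MD5(chal . uamsecret) when a secret is set."""
    chal = bytes.fromhex(challenge_hex[:32])
    return hashlib.md5(chal + uamsecret.encode()).digest() if uamsecret else chal

def chap_response(challenge_hex, password, uamsecret):
    """response = md5(NUL . password . newchal), as in the PHP function."""
    newchal = effective_challenge(challenge_hex, uamsecret)
    return hashlib.md5(b"\x00" + password.encode() + newchal).hexdigest()

def pap_password(challenge_hex, password, uamsecret):
    """pack("a32", password) XOR newchal; PHP's ^ stops at the shorter string."""
    newchal = effective_challenge(challenge_hex, uamsecret)
    padded = password.encode()[:32].ljust(32, b"\x00")
    return bytes(p ^ c for p, c in zip(padded, newchal)).hex()

def challenge_from_status(status_json):
    """Read the current challenge out of a /json/status body."""
    return json.loads(status_json)["challenge"]

def gateway_accepts(current_challenge_hex, response_hex, password, uamsecret):
    """Simplified model: recompute against the challenge held right now."""
    expected = chap_response(current_challenge_hex, password, uamsecret)
    return hmac.compare_digest(expected, response_hex)

# Challenge embedded in the form at page load (value quoted in the thread).
PAGE_LOAD = "8117e6bf4eb10d19edf8d47af8237bdd"
# Constructed /json/status body after the challenge has rotated.
STATUS_LATER = '{"version": "1.0", "clientState": 0, "challenge": "00112233445566778899aabbccddeeff"}'

current = challenge_from_status(STATUS_LATER)
stale = chap_response(PAGE_LOAD, PASSWORD, UAMSECRET)   # built from the old form value
fresh = chap_response(current, PASSWORD, UAMSECRET)     # built after re-reading status

if __name__ == "__main__":
    print("stale accepted:", gateway_accepts(current, stale, PASSWORD, UAMSECRET))
    print("fresh accepted:", gateway_accepts(current, fresh, PASSWORD, UAMSECRET))
```

A response built from the page-load challenge stops matching once the challenge rotates, which is the `res=failed` case; re-reading the challenge from `/json/status` immediately before computing the response keeps the replay protection intact.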
