Author Topic: Possible security vulnerability  (Read 20280 times)

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Possible security vulnerability
« Reply #15 on: October 08, 2006, 01:45:40 AM »
Back porting old versions of the RDF, and when the user's too lazy to make a proper wildcard setup.
"I'm not drunk, just sleep deprived."

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Possible security vulnerability
« Reply #16 on: October 08, 2006, 03:04:46 PM »
Quote from: miquelfire
Back porting old versions of the RDF,
I'm speaking mainly to the creation of *new* filters. I do agree that the users old/existing RDF file should still be converted, but with a big fat warning notice. Maybe even a warning notice right on the MPW Prompt window - and maybe even go so far as to disable the 'auto-populate' function for accounts that have what PWM would consider to be 'vulnerable' URL patterns...

Quote
and when the user's too lazy to make a proper wildcard setup.
Well, this is a reason, yes, but I disagree completely that it is a *good* reason.
« Last Edit: May 25, 2007, 04:20:32 PM by tanstaafl »

Offline adamspiers

  • Jr. Member
  • **
  • Posts: 25
Possible security vulnerability
« Reply #17 on: December 01, 2006, 05:28:57 PM »
Here's a simple user-friendly solution for the security risk people have been worrying about in this thread: in wildcard mode, stop a normal * glob from matching forward slashes, and also have a new glob syntax ** which does match them.  Then you can safely recommend users to use wildcards like:

  *://*.yahoo.com/**

Offline Frosty

  • Normal Members
  • *
  • Posts: 5
Possible security vulnerability
« Reply #18 on: January 16, 2007, 05:42:35 PM »
I am currently using this regex setup to detect domains,

https?://([^/]*\.)*domain.com/

If you copied the options from the "Default" section for the part of the URL to match, people could set this up however they wanted.


pic: Defaults option page.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Possible security vulnerability
« Reply #19 on: January 17, 2007, 02:58:22 AM »
Need to add .* at the end of that RegEx setup. Otherwise, good work.
"I'm not drunk, just sleep deprived."

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Possible security vulnerability
« Reply #20 on: January 17, 2007, 01:07:35 PM »
Quote
I am currently using this regex setup to detect domains,

https?://([^/]*\.)*domain.com/

If you copied the options from the "Default" section for the part of the URL to match, people could set this up however they wanted.

IPB Image
pic: Defaults option page.
Quote
Need to add .* at the end of that RegEx setup. Otherwise, good work.
Hmmm...

Ok, can this be clarified? I'm a total newb when it comes to regex...

What this is saying is the best way to prevent phishing attackes with PM is to use the following regex pattern instead of wildcards:

"https?://([^/]*\.)*domain.com/.*"

Minus the quotes, of course...

Is this correct?
« Last Edit: May 25, 2007, 04:13:52 PM by tanstaafl »

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Possible security vulnerability
« Reply #21 on: January 17, 2007, 02:48:05 PM »
Quote from: tanstaafl
Hmmm...

Ok, can this be clarified? I'm a total newb when it comes to regex...

What this is saying is the best way to prevent phishing attackes with PM is to use the following regex pattern instead of wildcards:

"https?://([^/]*\.)*domain.com/.*"

Minus the quotes, of course...

Is this correct?

That regex is almost like the wildcard http://*.domain.com/* (The .* at the end is just like the wildcard character * actually)

I'll break down that regex pattern:

It has to start with 'http', then there may or may not be an 's' (That's what the ? after the s means), then it must be '://' The "(..)*" menas there must be zero or more of the bit in the ()'s (That * should be a ? really with the way the stuff on the inside is.), in side, the "[^/]*" bit means zero or more of any character that is not a '/', and '\.' means '.', and as I said before, .* is just like the wildcard *
"I'm not drunk, just sleep deprived."

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Possible security vulnerability
« Reply #22 on: January 17, 2007, 06:04:44 PM »
kewl! Thanks for the in-depth explanation...

One last question...

Is there a way in the wildcard expression to designate a character as optional? I.e., in your regex, you have 'https?', where the '?' means the s is optional - is there a way to do that in the wildcard expression? That one thing would mean I can quit adding two entries for every account (usually create a plain and one with the s for my important accounts, just in case), so if I need to change these to regex patterns, I'll happily do so.

Thanks!

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Possible security vulnerability
« Reply #23 on: January 18, 2007, 03:07:10 AM »
Wildcard doesn't allow for that. Only one character (?) or multiple characters (*)
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Possible security vulnerability
« Reply #24 on: January 18, 2007, 05:54:25 AM »
Nice job, Frosty.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Possible security vulnerability
« Reply #25 on: January 18, 2007, 11:41:37 AM »
Thanks miquelfire...

Now I test a little, then start the slow process of converting all of my accounts...


PasswordMaker Forums

Possible security vulnerability
« Reply #25 on: January 18, 2007, 11:41:37 AM »