install.php generates insecure salts #284
Comments
|
For anybody curious, 8chan uses a long random string for a salt and should be unaffected by this security bulletin. |
|
Sorry for crashing here with a completely unrelated comment, but how would be a reliable way to contact both or you? |
|
openib isn’t affected I take it since it’s based on infinity? |
|
@StephenLynx My email can be found in README.md. @odilitime Correct - infinity has a very different install procedure than vichan. vichan installation is based on version numbers, while infinity is rolling release, and you install it by initializing the database yourself, installing all the configs yourself and generating the salts yourself (as advised in the comments of infinity's |
|
I'm going to leave this issue open for 30 more days because 693fa1b is only a partial fix. After that, I will assume that all existing users have seen this, and I will close it. |
|
So for clarification, this does not affect me if it's for a private instance of vichan? Like a vichan install that is only exposed to my local network.
…On Jan 29 2018, at 11:29 am, Fredrick Brennan ***@***.***> wrote:
Reopened #284 ***@***.***/0?redirect=https%3A%2F%2Fgithub.com%2Fvichan-devel%2Fvichan%2Fissues%2F284&recipient=reply%2B00ccfaa98d771f18cd7186bb70a545e13828c1f8f0133e8492cf000000011686b97c92a169ce11380f2c%40reply.github.com).
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub ***@***.***/1?redirect=https%3A%2F%2Fgithub.com%2Fvichan-devel%2Fvichan%2Fissues%2F284%23event-1446004354&recipient=reply%2B00ccfaa98d771f18cd7186bb70a545e13828c1f8f0133e8492cf000000011686b97c92a169ce11380f2c%40reply.github.com), or mute the thread ***@***.***/2?redirect=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMz6qT4lVRfk0oZncBz2KiOcSkTGvYmQks5tPZ18gaJpZM4Rfr1E&recipient=reply%2B00ccfaa98d771f18cd7186bb70a545e13828c1f8f0133e8492cf000000011686b97c92a169ce11380f2c%40reply.github.com).
|
|
@ev1l0rd if it's only on your local network, and your local network is secure, then security vulnerabilities in software should almost never matter, in theory at least, and unless the software itself is malicious of course. |
|
@goose - Thanks for clarifying. That said, I do prefer to keep up-to-date with having it secure. Although I do keep track on what devices are on it most of the time, you never know who shares the WiFi password to their friends.
…On Jan 29 2018, at 8:05 pm, Goose ***@***.***> wrote:
@ev1l0rd ***@***.***/0?redirect=https%3A%2F%2Fgithub.com%2Fev1l0rd&recipient=reply%2B00ccfaa9e0536614926906478aa19502c468ae354386979e92cf000000011687326a92a169ce11380f2c%40reply.github.com) if it's only on your local network, and your local network is secure, then security vulnerabilities in software should almost never matter, in theory at least, and unless the software itself is malicious of course.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub ***@***.***/1?redirect=https%3A%2F%2Fgithub.com%2Fvichan-devel%2Fvichan%2Fissues%2F284%23issuecomment-361351218&recipient=reply%2B00ccfaa9e0536614926906478aa19502c468ae354386979e92cf000000011687326a92a169ce11380f2c%40reply.github.com), or mute the thread ***@***.***/2?redirect=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMz6qRdyVe6GquQV17Zxvut1Bd5DiAIHks5tPhZqgaJpZM4Rfr1E&recipient=reply%2B00ccfaa9e0536614926906478aa19502c468ae354386979e92cf000000011687326a92a169ce11380f2c%40reply.github.com).
|
|
@ev1l0rd I have no idea why you would run vichan on your local network, but you are not affected, no. Only instances which are online are affected, since this is an IP leak issue. |
|
@ctrlcctrlv - Curiosity + liking to mess around with it mostly. But thanks for the clarification. :) |
Note: My last write-up was deleted because the user who created the issue rudely deleted the issue which contained the parent comment. When they deleted the issue, my announcement, a child comment, was also deleted. @ipleak102392 acted extremely obnoxiously and trollishly in this regard, so I apologize for his lack of etiquette.
On January 11, 2018, a reporter named Joseph Cox was contacted by Einar Otto Stangvik (@einaros), who via an unnamed source, received a large cache of user IDs from Anon-IB. He discovered a weakness in vichan's code, dating back to 2012, commit c9423a2.
https://www.thedailybeast.com/top-us-government-computers-linked-to-revenge-porn-site
Thanks partly to Moore's law, and the use of an insecure PHP randomness function (
rand), @einaros was able to use, I assume, rainbow tables to figure out the salt, then he was able to simply check the SHA1 hashes of the salt he figured out appended to all IP addresses (all 32-bit values), and he was able to get the IPs attached to all posts on Anon-IB.I contacted him asking how he did it, and at first got no response, but after some insistence he, along with his mysterious source "M", helped me figure out the above.
I will soon:tm: push a commit which will patch this issue for new installations of vichan. However, it is impossible for me to do this in a clean way for existing vichan users, because if I have
install.phpoverwrite your tripcode salt, all tripcodes on your board will change; and it's quite possible that you have a secure tripcode salt.So, therefore, I advise all administrators of vichan imageboards to immediately do any of the following if they are using the secure tripcode salt generated by install.php, which is the default. If you don't know what this means, you are affected.
inc/instance-config.php, reset$config['cookies']['salt']and$config['secure_trip_salt']to a long random string. You can generate this string via many methods: just make sure it is cryptographically secure. The best thing to do is use the command< /dev/random tr -dc [:print:] | head -c${1:-128};echo;. If that is unavailable to you, perhaps use random.org orpwgen -s.If you are a user of a vichan imageboard, please show your admin this warning. Infinity based imageboards, because they do not have
install.php, and expect users to set their salts manually as shown above, are not affected. But this is a good reminder to them to use secure salts - don't just use the default ininc/config.php!The text was updated successfully, but these errors were encountered: