Home of the Squeezebox™ & Transporter® network music players.
  1. #61
    Quote Originally Posted by Triode View Post
    > > I'll look at your rand() approach -- main thing there is determining the
    > > number of possible distinct values. Should be at least 2^128 or the
    > > usual range of rand(), whichever is smaller, to be as good as
    > > securitySecret.
    >
    > Well, it's 1 in a million values, but it changes each time someone tries the
    > wrong value, which I thought would improve its strength?
    It occurs to me that changing the value might actually be worse in one regard -- if the number doesn't change, the attacker has to get you to keep requesting attack URLs until he stumbles upon the proper value. Nothing bad happens for the failed attempts, other than your SC instance using CPU time. *But* if the value changes, there's a Denial of Service vector. If legitimate user Alice is viewing the Extension Downloader page in one tab while attacker Mallory is using Javascript in another tab to try and force an installation, Mallory's failures in the second tab will cause the server to change the value, making Alice's interaction fail, even though Alice does have a rand value that was considered valid at one point. Mallory doesn't even need to make his attack code fancy enough to try different values -- he can keep trying the same 'rand' value over and over. By the millionth time, it'll succeed. And so long as Alice has Mallory's page open in a tab, she won't be able to use the extension downloader.

    Here's a suggested patch.
    owner of the stuff at https://tuxreborn.netlify.com/
    (which used to reside at www.tux.org/~peterw/)
    Note: The best way to reach me is email or PM, as I don't spend much time on the forums.
    Free plugins: AllQuiet Auto Dim/AutoDisplay BlankSaver ContextMenu DenonSerial
    FuzzyTime KidsPlay KitchenTimer PlayLog PowerCenter/BottleRocket SaverSwitcher
    SettingsManager SleepFade StatusFirst SyncOptions VolumeLock
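    A small simulation of the two token policies discussed in this post, added here as an example and not code from SqueezeCenter or from either poster: the names ExtensionDownloader, render_page and install are assumptions, the rotating policy is Triode's 1-in-a-million value re-drawn after every wrong guess, and the stable policy is a MAC over a fixed label under a long-lived secret standing in for securitySecret. It shows that Mallory repeating one wrong value locks Alice out only under the rotating policy.

```python
"""Rotating vs. stable anti-CSRF token for an 'install extension' action.

Constructed illustration; class and method names are assumptions, not the
project's own API.
"""
import hashlib
import hmac
import secrets


class ExtensionDownloader:
    def __init__(self, rotate_on_failure: bool, security_secret: bytes):
        self.rotate_on_failure = rotate_on_failure
        self.security_secret = security_secret
        self.token = None
        self.token = self._new_token()

    def _new_token(self) -> str:
        if not self.rotate_on_failure:
            # Stable scheme: derived from the long-lived secret, so every
            # call returns the same value (what post #62 observes).
            return hmac.new(self.security_secret, b"extension-downloader",
                            hashlib.sha256).hexdigest()
        # Rotating scheme: ~1 in a million, re-drawn after each wrong guess.
        # Re-draw until it actually changes so the simulation is deterministic.
        while True:
            candidate = str(secrets.randbelow(1_000_000))
            if candidate != self.token:
                return candidate

    def render_page(self) -> str:
        """Token embedded in the page a legitimate user loads."""
        return self.token

    def install(self, presented: str) -> bool:
        """Accept the request only if it carries the current token."""
        if hmac.compare_digest(presented, self.token):
            return True
        if self.rotate_on_failure:
            # The DoS lever: a stranger's failure invalidates Alice's token.
            self.token = self._new_token()
        return False


def alice_survives_mallory(rotate_on_failure: bool, attempts: int = 50) -> bool:
    """Alice loads the page, Mallory spams one wrong token, then Alice submits."""
    server = ExtensionDownloader(rotate_on_failure, b"constructed-secret")
    alice_token = server.render_page()
    for _ in range(attempts):
        server.install("not-the-token")  # Mallory's page, same value every time
    return server.install(alice_token)
```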

  2. #62
    Thanks - is there any reason to run getRand every time as I think it is always going to return the same value? (securitySecret never changes?)

  3. #63
    Quote Originally Posted by Triode View Post
    Thanks - is there any reason to run getRand every time as I think it is always going to return the same value?
    None whatsoever, as I realized after posting. :-/
