#StackBounty: #htaccess #security #membership Strange behaviour of is_user_logged_in() and get_current_user_id()

Bounty: 150

I have an issue where is_user_logged_in() appears to alternate between being true and false.

Additionally, get_current_user_id() gives the correct user ID if is_user_logged_in() is true.

Here’s my code:

.htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]

RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^wp-content/uploads/(.*)$ file-access.php?file=$1 [QSA,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

file-access.php:

<?php
require_once('wp-load.php');

if ( is_user_logged_in() ) {
    // User is logged in, proceed.
} else {
    // User is a guest, block.
}

I’ve verified the alternating status and user id using some error logging in the file-access.php conditionals.

Do I need to call something other than wp-load.php perhaps? Just seems strange to me that it alternates between true and false, rather than always being false…


Get this bounty!!!

#StackBounty: #security #amazon-s3 #terraform How can you set up secure Terraform state storage for different infrastructure layers usi…

Bounty: 50

Context

After reading a lot about Terraform and playing with it in minor projects, I’d like to start using it in a real, production environment.

As the environment is mostly in AWS, I’d go for the S3 backend, but I’m open to change this.

Task

I’d like to have separate Terraform projects (states) per infrastructure layer. Clearly, the top layers should be able to access the output of lower layers. I can use the Terraform remote state data source to get this data.

I’ve seen different setups around the internet.

Setup #1

|--globals
|--modules
|--infrastructure1
|  |--layer1
|  |  |--layer2

Setup #2

|--globals
|--modules
|--infrastructure1
|  |--layer1
|  |--layer2

Setup #3

Everything above has its separate git repo.

Question

  • What would be the recommended code organisation for this?
  • What access rights do I have to add to the lower layers’ S3 buckets to keep their state safe, but still allow Terraform remote state to access it?


#StackBounty: #security #lists Historical examples of bad security policies/mechanisms that we got stuck with through switching costs?

Bounty: 150

The following process seems to be a recurring one:

  1. Initial design. Commercial organisations invent and implement a design that seems at the time to work.

  2. Problem discovered, new design suggested. Due to new developments, or just because the designers missed something, a problem with the design is discovered. Academics find a solution to the problem, and a new design is proposed.

  3. Old, sub-optimal design persists due to existing production. However, the original sub-optimal design is maintained, because a large number of devices with the old design are already deployed, and for various reasons (network effects, the need for compatibility between devices, etc.), this means producers don’t want to switch. Or alternatively, new production switches, but we still have to deal with the old design because of the large number of already produced devices.

I am looking for historical examples of such a process in the context of the IT security of CPU/instruction-set-architecture:

What designs of instruction sets/CPUs are we stuck with that are bad from a security perspective, but that are maintained because the cost of switching is high? (I can imagine that this is also intertwined with OS design and internet protocols.)


#StackBounty: #java #security #deserialization #treemap #ddos jdk.serial filter is not working for restricting depth of treemap in java…

Bounty: 50

How to prevent a DDoS attack through a Java TreeMap?

My code has an API which accepts a Map object. Now I want to prevent the client from sending a map object of a certain length.

Now maxArraySize in jdk.serialFilter is able to prevent the client from sending a HashMap object of size < maxArray.

I want to do the same for TreeMap too. But the maxArraySize field is not working for TreeMap. It is unable to reject that request.

I set the maxDepth size too. But nothing is working.

Can anyone please help me with this?


#StackBounty: #google-play-store #adb #security #installation #apk How to block app silent installation

Bounty: 100

Recently I noticed I have the Opera browser installed. I definitely did not install it, because I was sleeping at that time. I checked the installation time and it revealed it was the day before yesterday.

Checking the installation source like this outputs android:

adb shell dumpsys package com.opera.browser | grep -e "installerPackageName"

so I don’t know whether it was through Play Store or through APK.

Can I find out who has done this, and how can I prevent future intrusions?

P.S. I have a MIUI 11.0.3 Global device.

UPDATE:

INSTALL_PACKAGES permission

apps

  • com.miui.msa.global
  • com.android.vending
  • com.miui.cloudbackup
  • com.google.android.packageinstaller
  • com.xiaomi.mipicks
  • com.android.managedprovisioning
  • com.facebook.system
  • com.miui.analytics
  • com.xiaomi.discover

users

  • android.uid.backup
  • android.uid.shell

services

  • com.lbe.security.miui/com.lbe.security.service.SecurityService

REQUEST_INSTALL_PACKAGES permission

  • android
  • com.miui.msa.global
  • com.android.browser
  • com.miui.player
  • com.google.android.gm
  • com.google.android.apps.docs
  • com.android.chrome
  • com.xiaomi.midrop
  • com.miui.hybrid
  • com.miui.securityadd

users

  • android.uid.bluetooth


#StackBounty: #gmail #security #email #spam-prevention #block Why do Gmail developers not allow blocking email addresses?

Bounty: 100

In Gmail it is possible to “block” an email address by automatically transferring all of their emails into the SPAM folder (the emails won’t get deleted).
For me, this is not blocking.

I ran various search engine queries to try to understand why blocking addresses isn’t allowed by Google, Inc. but found nothing (maybe there is an explanation which I missed).
Google’s policy on this is even more odd to me given that other big email service providers do allow this:

mail.com and hotmail.com both give an option to block an email address, or to block all emails from a certain IP address, if the email address or IP address has been put on a badlist (“blacklist”);
hence the associated emails get totally blocked → they won’t appear anywhere to the end user, neither in SPAM nor in TRASH.

My own rationale is that real blocking is important for both security and mental health: blocking the addresses of spammers and trolls.

Why don’t Gmail developers allow blocking email addresses?


#StackBounty: #networking #amazon-web-services #security #ssl #web-server TLS/SSL Config with AWS Beanstalk and website A record

Bounty: 100

Can someone provide the appropriate security architecture and setup for the following setup?

  • PHP app via AWS Beanstalk
    • Let’s say its IP is 10.10.10.01
  • Existing website
    • No TLS/SSL currently
    • A record created to point subdomain “myapp” to IP 10.10.10.01 (Beanstalk app)

Given the scenario of someone needing to post data to “myapp.mysite.com”, which is just reading from the AWS Beanstalk PHP app, how should the TLS/SSL be configured?

I.e. A certificate should be created for myapp.mysite.com and the 443 port on the Beanstalk app should be opened.

Hope I explained this well enough and thanks for your help in advance.


#StackBounty: #javascript #security #promise #cors #indexeddb Nested cross-origin iframes for secure user-configurable javascript tools

Bounty: 50

Context

I’m trying to build a system in which a tool (the Client) will generate a header to be used as part of an HTTP request from the user’s browser.

  • The user should be able to choose their own implementation of the Client.
  • The user should not have to install a plugin or extension to their browser.

Summary

A 3rd party will serve a small wrapper (the Shim) which will keep track of where to load the Client from. It will store this in the browser’s IndexedDB under its own origin.

The Shim and the Client will be loaded in iframes of their own origin, so that they (and the Host website) can only access each-other’s functionality through the defined methods (based on MessageChannels and postMessage() calls).

Parties, Prerogatives, and Restrictions

  • The Host website is at www.host.com.
    • They shouldn’t be able to know what implementation of the Client is in use,
    • nor should they be able to affect the Client in any way except by requesting header values.
    • (As it stands the Host is able to suggest a default Client; when I actually build the set-Client-address tool for the Shim, I’ll get rid of this.)
  • The Shim is served from www.shim.com.
    • They’re assumed to be trustworthy in the sense that people know what code they’re serving. (Even this isn’t ideal; subresource integrity checks would be great if they worked on iframes.)
    • Their code obviously knows who the Client is, and can see the requests and responses as they’re passed back and forth, but all of this stays on the user’s machine as far as the Shim is concerned.
    • They can only affect the client by requesting the header values.
  • The Client is served from www.client.com.
    • At present this is being passed in as a default, but in practice it should have been saved into the IndexedDB on the user’s machine belonging to the www.shim.com origin. (It will get put there by some other tool I haven’t written yet.)
    • It’s fine for the client to know who the Host is; I may even add that as an explicit property of each request.
  • There’s an image or some other resource that the Host wants to load on their page, but requesting that image requires a custom Receipts-Receipt HTTPS header, the value for which needs to come from the Client. Let’s suppose this image is at https://www.target.com/target.png, but it could just as easily be in the same origin as the Host website itself.

Code

www.host.com/host.html

<!doctype html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <title>Host</title>
    <!-- Script tags restored (stripped on extraction). data-default names the Client
         the Host suggests until the Shim's own set-Client-address tool exists; the
         value is the Client page given elsewhere in this question. -->
    <script src="https://www.shim.com/shim.js" data-default="https://www.client.com/client.html"></script>
    <script>
        _page_loaded = ()=>{
            window.FOTR.fetch(
                new Request('https://www.target.com/target.png')
                ).then((response)=>{
                    return response.blob();
                }).then((b)=>{
                    const i = window.document.createElement('img');
                    i.src = URL.createObjectURL(b);
                    document.getElementById("testTarget").appendChild(i);
                });
        };
    </script>
  </head>
  <body onload="_page_loaded()">
    <h1>Host</h1>
    <p>Lorem ipsum dolor sit amet.</p>
    <p id="testTarget"></p>
    <p>Text continues.</p>
  </body>
</html>

www.shim.com/shim.js

((toolName)=>{
    if(typeof window[toolName] === 'undefined'){

        const loaderUtilities = { //This is exactly the same between shim.html and shim.js.

            domReady: new Promise((resolve, reject)=>{
                if(document.readyState === "loading"){
                    document.addEventListener('DOMContentLoaded', resolve);
                }
                else{
                    resolve();
                }   // add error handler?
            }),

            origin: (uri)=>{
                const parser = window.document.createElement('a');
                parser.href = uri;
                return `${parser.protocol}//${parser.host}`;
            },

            loadTool: (uri)=>{
                return new Promise((resolve, reject)=>{
                    const tag = window.document.createElement('iframe');
                    tag.src = uri;
                    tag.width = 0;
                    tag.height = 0;
                    tag.style = "visibility: hidden";
                    window.addEventListener("message",
                        (e)=>{
                            if(e.origin == loaderUtilities.origin(uri)){ //is it possible to refine the origin check?
                                resolve(e.data);
                            }
                        }, 
                        false);
                    loaderUtilities.domReady.then(()=>{
                        document.body.appendChild(tag);
                    });
                });   // add error handler?
            },

            requestOverPort: (port, resource)=>{
                return new Promise((resolve, reject)=>{
                    const disposableChannel = new MessageChannel();
                    disposableChannel.port1.onmessage = (e)=>{
                        resolve(e.data);
                        disposableChannel.port1.close();
                    };
                    port.postMessage(
                        {
                            resource: resource,
                            port: disposableChannel.port2
                        },
                        [disposableChannel.port2]);
                });
            },
        };

        const defaultClient = document.currentScript.getAttribute("data-default") || '';
        const gotClientPort = loaderUtilities.loadTool(`https://www.shim.com/shim.html#${defaultClient}`);

        window[toolName] = {
            fetch: (request)=>{
                return gotClientPort
                    .then((clientPort)=>{
                        return loaderUtilities.requestOverPort(
                            clientPort,
                            {
                                url: request.url,
                                method: request.method
                            });
                    })
                    .then((receipt)=>{
                        return window.fetch(
                            request,
                            {
                                headers: new Headers({ 'Receipts-Receipt': receipt }),
                            });
                    });
            }
        }

    }
})(document.currentScript.getAttribute("data-name") || "FOTR")

www.shim.com/shim.html

<!DOCTYPE html>
<html>
  <head>
    <title>The FOTR Shim</title>
    <meta charset="UTF-8">
    <script>

        const loaderUtilities = { //This is exactly the same between shim.html and shim.js.

            domReady: new Promise((resolve, reject)=>{
                if(document.readyState === "loading"){
                    document.addEventListener('DOMContentLoaded', resolve);
                }
                else{
                    resolve();
                }   // add error handler?
            }),

            origin: (uri)=>{
                const parser = window.document.createElement('a');
                parser.href = uri;
                return `${parser.protocol}//${parser.host}`;
            },

            loadTool: (uri)=>{
                return new Promise((resolve, reject)=>{
                    const tag = window.document.createElement('iframe');
                    tag.src = uri;
                    tag.width = 0;
                    tag.height = 0;
                    tag.style = "visibility: hidden";
                    window.addEventListener("message",
                        (e)=>{
                            if(e.origin == loaderUtilities.origin(uri)){ //is it possible to refine the origin check?
                                resolve(e.data);
                            }
                        }, 
                        false);
                    loaderUtilities.domReady.then(()=>{
                        document.body.appendChild(tag);
                    });
                });   // add error handler?
            },

            requestOverPort: (port, resource)=>{
                return new Promise((resolve, reject)=>{
                    const disposableChannel = new MessageChannel();
                    disposableChannel.port1.onmessage = (e)=>{
                        resolve(e.data);
                        disposableChannel.port1.close();
                    };
                    port.postMessage(
                        {
                            resource: resource,
                            port: disposableChannel.port2
                        },
                        [disposableChannel.port2]);
                });
            },
        };

        const indexedDBPromise = (request)=>{
            return new Promise(
                (resolve, reject)=>{
                    request.onsuccess = (e)=>{
                        resolve(e.target.result);
                    };
                    request.onerror = (e)=>{
                        reject(e.target.error);
                    };
                });
        };

        const defaultClient = window.location.href.split('#')[1] || '';
        const objectStoreName = "chosen_clients";

        const openDB = window.indexedDB.open("FOTR", 1);
        openDB.onupgradeneeded = (e)=>{
            e.target.result.createObjectStore(objectStoreName);
        };

        indexedDBPromise(openDB)
            .then(
                (db)=>{
                    const tx = db.transaction(objectStoreName, "readonly");
                    tx.oncomplete = ()=>{
                        db.close();
                    };
                    return indexedDBPromise(tx.objectStore(objectStoreName).getAll());
                })//handle open-db error?
            .then(
                (db_result)=>{
                    const clientURI = db_result.uri || defaultClient;
                    return loaderUtilities.loadTool(clientURI);
                })//handle db-read error?
            .then(
                (innerPort)=>{
                    const outerChannel = new MessageChannel();
                    outerChannel.port1.onmessage = (e)=>{
                        const newPort = e.data.port;
                        const request = e.data.resource;
                        console.log(`Forwarding request for [${request.method}]${request.url}.`);
                        loaderUtilities.requestOverPort(innerPort, request)
                            .then((response)=>{
                                console.log(`Forwarding requested value "${response}" for [${request.method}]${request.url}`);
                                newPort.postMessage(response);
                                newPort.close();
                            });
                    };
                    window.parent.postMessage(outerChannel.port2, '*', [outerChannel.port2]);
                });//handle tool-load error?

    </script>
  </head>
  <body></body>
</html>

www.client.com/client.html

<!DOCTYPE html>
<html>
  <head>
    <title>The stupidest client.</title>
    <meta charset="UTF-8">
    <script>
      const pipe = new MessageChannel();
      const work = (request)=>{
          return "555";
      };
      pipe.port1.onmessage = (e)=>{
          const newPort = e.data.port;
          const request = e.data.resource;
          const response = work(request);
          console.log(`Receipt requested for [${request.method}]${request.url}; returning "${response}"`);
          newPort.postMessage(response);
          newPort.close();
      };
      window.parent.postMessage(pipe.port2, '*', [pipe.port2]); //should I be more restrictive of the recipient?
    </script>
  </head>
  <body></body>
</html>

Comments

  • The above works, in the sense that the image loads and the request for that image has the correct custom header.
  • The Client presented is just a test rig that always returns ‘555’.

Question

Mostly I’m concerned with the security and usability of the Shim.

  • Is the usage of iframes, Promises, indexedDB, and inter-frame messaging trustworthy? Am I doing them correctly?
  • Does this Shim system provide the protections described in “Parties, Prerogatives, and Restrictions”, insofar as any modern web-browser is secure?
  • How should I approach error-handling?
  • What else should I do to test this system?

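The origin check, the `'*'` recipient and the missing error handling are the three points the question raises, so here is an added example (not the Shim's or the Client's code from the question) showing hardened versions of the primitives the Shim relies on: an origin taken from the URL parser, a handshake check that also pins the sending window (the iframe's `contentWindow`, which the caller is assumed to pass in as `expected.source`), a shape check on forwarded requests, and a `requestOverPort` with a deadline so a silent Client rejects instead of leaving the Host's `fetch()` pending forever. The names `originOf`, `isHandshakeFromTool`, `isWellFormedRequest`, `serveClient` and `demo` are mine; `serveClient` is a stand-in for the Client page, constructed so the round trip runs outside a browser (only `URL`, `MessageChannel` and `MessagePort`, which browsers and Node share, are used), and the `receipt:METHOD:host` format it returns is constructed for the demo.

```javascript
// Added example: hardened inter-frame messaging helpers for the Shim/Client protocol
// described in the question (a child frame hands its parent a MessagePort as a
// handshake; each request travels as { resource: {url, method}, port } over a
// disposable MessageChannel). Not the original code. Names are assumptions.

// Exact origin of a URL via the URL parser (default ports are normalised away,
// fragments such as "#https://www.client.com/..." cannot leak into the result).
function originOf(uri) {
  return new URL(uri).origin;                      // e.g. "https://www.client.com"
}

function isMessagePort(value) {
  return typeof MessagePort !== 'undefined' && value instanceof MessagePort;
}

// Accept a window "message" event as the handshake from the tool we loaded only if it
// comes from the exact origin AND from the iframe's own window (expected.source, i.e.
// tag.contentWindow) AND carries a MessagePort. A same-origin sibling frame, another
// tab, or an unrelated message on the window all fail here.
function isHandshakeFromTool(event, expected) {
  if (event.origin !== expected.origin) return false;          // strict, not ==
  if (expected.source !== undefined && event.source !== expected.source) return false;
  return isMessagePort(event.data);
}

// Shape-check a forwarded request before acting on it: only https targets, string
// method, and the reply channel must really be a port (not a look-alike object).
function isWellFormedRequest(data) {
  return data !== null && typeof data === 'object'
    && isMessagePort(data.port)
    && data.resource !== null && typeof data.resource === 'object'
    && typeof data.resource.url === 'string'
    && typeof data.resource.method === 'string'
    && /^https:\/\//i.test(data.resource.url);
}

// Request/response over a port with a deadline. The Shim's version only ever resolves,
// so a Client that never answers leaves the Host waiting forever; here the caller gets
// an Error, and the requesting side always closes the disposable channel it owns
// (closing one port disentangles both).
function requestOverPort(port, resource, timeoutMs = 2000) {
  return new Promise((resolve, reject) => {
    const channel = new MessageChannel();
    const timer = setTimeout(() => {
      channel.port1.close();
      reject(new Error(`no reply for ${resource.method} ${resource.url} within ${timeoutMs} ms`));
    }, timeoutMs);
    channel.port1.onmessage = (e) => {
      clearTimeout(timer);
      channel.port1.close();
      if (typeof e.data !== 'string') reject(new Error('receipt must be a string'));
      else resolve(e.data);
    };
    try {
      port.postMessage({ resource, port: channel.port2 }, [channel.port2]);
    } catch (err) {                                 // e.g. the port was already closed
      clearTimeout(timer);
      channel.port1.close();
      reject(err);
    }
  });
}

// Client side of the protocol (a stand-in constructed for this example): validates each
// request and answers only well-formed ones; anything else is dropped, so the caller's
// deadline fires instead of an attacker-shaped message being acted on.
function serveClient(port, work) {
  port.onmessage = (e) => {
    if (!isWellFormedRequest(e.data)) return;
    const { resource, port: replyPort } = e.data;
    replyPort.postMessage(work(resource));
  };
}

// Usage: one round trip through the hardened helpers; resolves to the receipt string
// (constructed format "receipt:METHOD:host").
function demo() {
  const link = new MessageChannel();               // stands in for the Shim<->Client port pair
  serveClient(link.port2, (r) => `receipt:${r.method}:${new URL(r.url).host}`);
  return requestOverPort(link.port1, { url: 'https://www.target.com/target.png', method: 'GET' })
    .finally(() => { link.port1.close(); link.port2.close(); });
}
demo().then((receipt) => console.log('receipt', receipt));
```

In the browser, the `loadTool` listener would call `isHandshakeFromTool(e, { origin: originOf(uri), source: tag.contentWindow })`, remove itself with `removeEventListener` once it has resolved, and reject on a timeout of its own if the iframe never posts its port. On the recipient question: the child can replace `'*'` with the parent origin it expects, for example `window.parent.postMessage(port, 'https://www.shim.com', [port])` in the Client (the Shim's origin is assumed to be known to the Client here), so the port is never delivered to a page that embedded it from an unexpected origin.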

#StackBounty: #beginner #php #security #authentication #codeigniter Codeigniter 3 Registration and Login System

Bounty: 50

I am working on a basic blog application in Codeigniter 3.1.8 and Bootstrap 4.

The application allows Registration and Login. I have concerns about the security level of the Registration system I have put together.

The Register controller:

<?php
class Register extends CI_Controller {
    public function __construct()
    {
        parent::__construct();
    }

    public function index() {
        $data = $this->Static_model->get_static_data();
        $data['pages'] = $this->Pages_model->get_pages();
        $data['tagline'] = 'Want to write for ' . $data['site_title'] . '? Create an account.';
        $data['categories'] = $this->Categories_model->get_categories();

        $this->form_validation->set_rules('first_name', 'First name', 'required');
        $this->form_validation->set_rules('last_name', 'Last name', 'required');
        $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
        $this->form_validation->set_rules('password', 'Password', 'required|min_length[6]');
        $this->form_validation->set_rules('cpassword', 'Confirm password', 'required|matches[password]');
        $this->form_validation->set_rules('terms', 'Terms and Conditions', 'required', array('required' => 'You have to accept the Terms and Conditions'));
        $this->form_validation->set_error_delimiters('<p class="error-message">', '</p>');

        // If validation fails
        if ($this->form_validation->run() === FALSE) {
            $this->load->view('partials/header', $data);
            $this->load->view('auth/register');
            $this->load->view('partials/footer');
        } else {
            // If the provided email does not already
            // exist in the authors table, register user
            if (!$this->Usermodel->email_exists()) {
                // Encrypt the password
                $enc_password = md5($this->input->post('password'));

                // Give the first author admin privileges
                if ($this->Usermodel->get_num_rows() < 1) {
                    $active = 1;
                    $is_admin = 1;
                } else {
                    $active = 0;
                    $is_admin = 0;
                }

                // Register user
                $this->Usermodel->register_user($enc_password, $active, $is_admin);

                if ($this->Usermodel->get_num_rows() == 1) {
                    $this->session->set_flashdata('user_registered', "You are now registered as an admin. You can sign in");
                } else {
                    $this->session->set_flashdata('user_registered', "You are now registered. Your account needs the admin's approval before you can sign in.");
                }
                redirect('login');
            } else {
                // The user is already registered
                $this->session->set_flashdata('already_registered', "The email you provided already exists in our database. Please login.");
                redirect('login');
            }
        }
    }
}

The Usermodel model:

<?php
class Usermodel extends CI_Model {

    public function email_exists() {    
        $query = $this->db->get_where('authors', ['email' => $this->input->post('email')]);
        return $query->num_rows() > 0;
    }

    public function get_num_rows() {
        $query = $this->db->get('authors');
        return $query->num_rows(); 
    }

    public function getAuthors(){
        $query = $this->db->get('authors');
        return $query->result();
    }

    public function deleteAuthor($id) {
        return $this->db->delete('authors', array('id' => $id));
    }

    public function activateAuthor($id) {
        $author = null;
        $updateQuery = $this->db->where(['id' => $id, 'is_admin' => 0])->update('authors', array('active' => 1));
        if ($updateQuery !== false) {
            $authorQuery = $this->db->get_where('authors', array('id' => $id));
            $author = $authorQuery->row();
        }
        return $author;
    }

    public function deactivateAuthor($id) {
        $author = null;
        $updateQuery = $this->db->where(['id' => $id, 'is_admin' => 0])->update('authors', array('active' => 0));
        if ($updateQuery !== false) {
            $authorQuery = $this->db->get_where('authors', array('id' => $id));
            $author = $authorQuery->row();
        }
        return $author;
    }

    public function register_user($enc_password, $active, $is_admin) {
        // User data
        $data = [
            'first_name' => $this->input->post('first_name'),
            'last_name' => $this->input->post('last_name'),
            'email' => $this->input->post('email'),
            'password' => $enc_password,
            'register_date' => date('Y-m-d H:i:s'),
            'active' => $active,
            'is_admin' => $is_admin
        ];
        return $this->db->insert('authors', $data);
    }

    public function user_login($email, $password)
    {
        $query = $this->db->get_where('authors', ['email' => $email, 'password' => md5($password)]);
        return $query->row();
    }
}

UPDATE:

I have decided to post the login() method, from the Login controller, as changing the Register class would require changing the login accordingly:

public function login() {
    $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
    $this->form_validation->set_rules('password', 'Password', 'required|trim');
    $this->form_validation->set_error_delimiters('<p class="error-message">', '</p>');
    if ($this->form_validation->run()) {
        $email = $this->input->post('email');
        $password = $this->input->post('password');
        $this->load->model('Usermodel');
        $current_user = $this->Usermodel->user_login($email, $password);
        // If we find a user
        if ($current_user) {
            // If the user found is active
            if ($current_user->active == 1) {
                $this->session->set_userdata(
                    array(
                        'user_id' => $current_user->id,
                        'user_email' => $current_user->email,
                        'user_first_name' => $current_user->first_name,
                        'user_is_admin' => $current_user->is_admin,
                        'user_active' => $current_user->active,
                        'is_logged_in' => TRUE
                    )
                );
                // After login, display flash message
                $this->session->set_flashdata('user_signin', 'You have signed in');
                // and redirect to the posts page
                redirect('/dashboard');
            } else {
                // If the user found is NOT active
                $this->session->set_flashdata("login_failure_activation", "Your account has not been activated yet.");
                redirect('login');
            }
        } else {
            // If we do NOT find a user
            $this->session->set_flashdata("login_failure_incorrect", "Incorrect email or password.");
            redirect('login');
        }
    } else {
        $this->index();
    }
}

Looking for feedback and improvement ideas.
