
Fix session and login vulnerabilities #2


Open: wants to merge 7 commits into base: master

Conversation

@ebakoba ebakoba commented May 26, 2019

Session management

Currently the session secret is hard-coded into the program code. This is bad, as knowing the session key allows an attacker to take over sessions, bypassing authorization.

Two steps are taken to mitigate this risk:

  • In app.js the session secret is set to come from the .env file. If the session secret does not exist in that file, a random 40-character-long hex string is generated instead.

  • During the installation process a random 40-character-long hex string is set as the session secret in the .env file.

Hard-coded credentials

At the moment login credentials are hard-coded into the application code and although the password is hashed it is never salted. This leaves it vulnerable to rainbow table style attacks. Furthermore, as the source code for this project is public, requiring the username to match admin is essentially pointless, as anyone could just look up the username from the GitHub source.

These risks are also mitigated in two parts:

  • During the installation process the user is prompted to enter a username and a password for the server, which will be stored in the .env file. bcrypt is used to salt and hash the user-provided password.

  • passport.js will from now on use the username and password variables taken from the .env file and use bcrypt for hashing and salting instead of md5.

Impact on backwards compatibility

All the changes regarding authentication are backwards compatible with the current source code. Support for the legacy md5 hashed password is used when .env does not provide the password variable.

The session management change will however result in the user being logged out after the server is restarted following the update. This logging out will occur on every server restart unless there exists a .env file where the SESSION_SECRET variable is specified.
