Is this a security issue?

Would someone who knows about security take a look at this thread on the Joomla! forum and give me an opinion?

Joomla! • View topic - Is this a security problem?

It does not look like it is a Joomla! problem but it might be a Firefox or openSUSE problem. Then again, it might just be my personal ignorance. Consider it Open Source user feedback.

Cordially,
TwoHoot

On Tue, 28 Aug 2012 14:26:04 +0000, TwoHoot wrote:

> It does not look like it is a Joomla! problem but it might be a Firefox
> or openSUSE problem. Then again, it might just be my personal ignorance.

The password stored was stored from your browser or (if you sync your
Firefox browser settings) another system that is synchronized to.

You can scan your machine for rootkits using a tool like chkrootkit.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

There’s some sort of security problem there. There is too little information given to be able to know what kind of problem.

My first guess would be that this is a user problem.

If you have firefox store your passwords unencrypted, then anyone with access to the disk can potentially find those passwords. That could even happen if they access the disk by retrieving it from a trash heap after disposal.

If you have firefox store the passwords encrypted, then they cannot be read from the disk. Presumably a keylogger might be able to pick them up, depending on what is being logged. But that would require malicious access to the computer to install a keylogger.

I have participated in a web forum, where the forum managed logins by putting the password into a cookie that was sent every time. Having firefox encrypt the passwords would not help in that case, because the cookie database is stored unencrypted. And, worse still, packet sniffing on the network might be able to pick up passwords that are sent in cookies.

I hope I have illustrated why there isn’t enough info in the referenced report.

Thank you very much for the consideration and prompt reply.

The problem is that I am too ignorant to carry on a meaningful dialog with someone who knows and understands security issues. For example, I do not even know what a rootkit is, much less what it means if I find or don’t find one after I blindly run chkrootkit. That frustrates experts to the point of anger and distraction. I know from previous experience that I am responsible for my own education and will have to study from books or in class to get to the point where an expert such as yourself can help clear up the finer points.

I will be happy to spend as much time as necessary to give you any information that might help keep openSUSE secure if you will give me explicit instructions. What probably happened is that I left that computer logged on and a visitor took a peek where they didn’t belong or logged on to something that interested them while I was making coffee or in the bathroom. Unless you begin to see similar problems cropping up elsewhere, it probably isn’t worth the time and effort to look into it.

As a practical matter, I now know the extraneous username and password came from my computer. I deleted all the passwords stored in that machine, changed them and turned off the Remember Password feature. Firefox is not synchronized with anything that I know about.

Remembered passwords sure saves a lot of time when administering and managing content for two Joomla! websites.

Is it reasonably safe to reactivate the Remember Passwords feature and store the new passwords?

Cordially,
TwoHoot

I would only add one thing that seems exceedingly strange to me - The extraneous password only appeared on one computer when the website was accessed from a link on the We*****4u.com website. It never appeared on my local computers when I accessed betterbradynow.org directly.

This makes me think that We*****4u might be probing either knowingly or unknowingly. If so, they were successful. That bothers me.

Cordially,
TwoHoot

On Tue, 28 Aug 2012 16:46:02 +0000, TwoHoot wrote:

> The problem is that I am too ignorant to carry on a meaningful dialog
> with someone who knows and understands security issues. For example, I
> do not even know what a rootkit is, much less what it means if I find or
> don’t find one after I blindly run chkrootkit.

“rootkit” is a type of software package that elevates privileges to
‘root’ (hence the name), usually without the user’s explicit knowledge
(though the user usually does something to cause it to be installed).

> Is it reasonably safe to reactivate the Remember Passwords feature and
> store the new passwords?

That’s an individual’s decision - but I’ve used this feature for years
and never had a problem with it.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Tue, 28 Aug 2012 16:56:02 +0000, TwoHoot wrote:

> I would only add one thing that seems exceedingly strange to me - The
> extraneous password only appeared on one computer when the website was
> accessed from a link on the We*****4u.com website. It never appeared
> on my local computers when I accessed betterbradynow.org directly.
>
> This makes me think that We*****4u might be probing either knowingly or
> unknowingly. If so, they were successful. That bothers me.

Your browser would’ve prompted you to save the password, though.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

The log in form was pre-filled in when the page opened via the link on we*****4u. The filled-in login form only appeared on one computer and only arrived filled in when accessed from one outside link. Accessed in any other way, the login form always arrives blank (so I can log into the websites I maintain at different levels of permission to make sure the right people can and can’t see the things they are supposed to see or not see).

I did not save it or check the remember me box. Clicking the Log In button led to an error page. I did not even know there was such a username on my computer until I checked. Then I found it had been there for almost a month.

If you are satisfied that this is not important in the big picture, I will just drop it and go back to work.

I sincerely appreciate your consideration, time and prompt replies. Thank you for setting my mind to rest.

Cordially,
TwoHoot

On Tue, 28 Aug 2012 18:56:03 +0000, TwoHoot wrote:

> The log in form was pre-filled in when the page opened via the link on
> we*****4u. The filled-in login form only appeared on one computer and
> only arrived filled in when accessed from one outside link. Accessed in
> any other way, the login form always arrives blank (so I can log into
> the websites I maintain at different levels of permission to make sure
> the right people can and can’t see the things they are supposed to see
> or not see).

With a password field, the only way that it would be pre-populated by the
browser is with a saved password. Since you found the user ID and
password in the saved passwords settings, at some point in that browser
or another one that has its settings sync’ed, it would have been
necessary to tell the browser to save the password.

The password store is generally encrypted (I checked my own FF
installation, and it’s a sqlite database that’s encrypted), so AFAIK only
FF can actually change that file.

I don’t think you have anything to worry about - the odds are probably
that you inadvertently saved it at some point and just forgot that you
had. I do that sort of thing on occasion myself.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Tue, 28 Aug 2012 18:56:03 +0000, TwoHoot wrote:

> The log in form was pre-filled in when the page opened via the link on
> we*****4u.

Just thinking about this a bit more - if you disable javascript in the
browser, does the form get prepopulated?

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

There is no way to tell about the javascript. All the passwords have been deleted, and Remember Passwords turned off. So forms are never populated and there is no auto-completion.

I don’t think there is any doubt at this point that the PW came from my browser. I know the fellow that runs we*****4u and feel certain he isn’t doing anything on purpose. He doesn’t know (or care) anything about programming, hacking or security at all so may be infected with malicious code and not know it.

The question is how the we*****4u link gets it when no other link (or direct access) does and how it happens on only one computer and no other.

These anomalies seem strange to me but I know I don’t know enough to make a judgment about whether it is important or not.

Cordially,
TwoHoot

Jim Henderson wrote:

> With a password field, the only way that it would be pre-populated by the
> browser is with a saved password. Since you found the user ID and
> password in the saved passwords settings, at some point in that browser
> or another one that has its settings sync’ed, it would have been
> necessary to tell the browser to save the password.

That opens another question: If a form contains the password, is that
password saved (and re-displayed) as part of the form data? IOW, can/does a
saved form know enough to differentiate the password and is the info stored
encrypted?


Will Honea

On Tue, 28 Aug 2012 19:46:03 +0000, TwoHoot wrote:

> There is no way to tell about the javascript. All the passwords have
> been deleted, and Remember Passwords turned off. So no form is ever
> populated and there is no auto-completion.

Well, there is a way to tell with javascript if the site is still on -
disable javascript and visit the site, and see if the form is filled in
for you.

> I don’t think there is any doubt at this point that the PW came from my
> browser. I know the fellow that runs we*****4u and feel certain he isn’t
> doing anything on purpose. He doesn’t know (or care) anything about
> programming, hacking or security at all so may be infected with
> malicious code and not know it.

He may be, which is why I asked the question. If he’s pulling headers/CSS
from somewhere else or something like that, or if his site was
compromised and an attacker added javascript, that’s a possibility.

> The question is how the we*****4u link gets it when no other link (or
> direct access) does and how it happens on only one computer and no
> other.

Hard to say without a more in-depth analysis of the system in question,
and it sounds like you’ve taken steps so at least from your system, it
sounds like you’re probably clean.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Tue, 28 Aug 2012 20:02:19 +0000, Will Honea wrote:

> Jim Henderson wrote:
>
>> With a password field, the only way that it would be pre-populated by
>> the browser is with a saved password. Since you found the user ID and
>> password in the saved passwords settings, at some point in that browser
>> or another one that has its settings sync’ed, it would have been
>> necessary to tell the browser to save the password.
>
> That opens another question: If a form contains the password, is that
> password saved (and re-displayed) as part of the form data? IOW,
> can/does a saved form know enough to differentiate the password and is
> the info stored encrypted?

Password fields are identified specially (so they mask the password as it
is entered), and that authentication information is stored in a secure
way (if you use a master password, it’ll be more secure).

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Ok. I’ll go back to work and let you all figure out if this is a problem or not. You are getting over my head now. I will check back in and see how the thread goes.

Do I need to worry about security at the website itself?

It is hosted at iPower, a commercial hosting service that I trust to maintain overall security for the website itself. I only build, manage content and administer it from the computer we have been talking about.

Cordially,
TwoHoot

On Tue, 28 Aug 2012 22:56:02 +0000, TwoHoot wrote:

> Ok. I’ll go back to work and let you all figure out if this is a problem
> or not. You are getting over my head now. I will check back in and see
> how the thread goes.

There’s probably not a lot any of us can do without information to
duplicate the actual issue. Since it sounds like it was a one-off, or
that the owner of the site in question fixed it (since you weren’t able
to dupe it), there’s not a lot of actual investigation that can be done.

> Do I need to worry about security at the website itself?

Probably not, though if the site isn’t SSL encrypted, the credentials are
probably passing over the wire in the clear.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Is it possible that if someone uses the we*****4u link to access betterbradynow.org and then logs in to betterbradynow from there that a copy of the username and password is recorded at we*****4u?

The reason I ask is that the poll page is different depending whether you log in directly from your browser or from the we*****4u link. Accessing the site from the link allows a person to vote more than once because previous voting is not detected. I think previous voting is detected by computer identification in this module but am not certain. I only know previous voting is detected if you access directly from your browser but not if you access via the link.

Maybe you can duplicate this by going to BetterBradyNow.org, navigating to BBN Polls and voting. It is open to visitors so you don’t have to log in to do that and I don’t really care how you vote once. Refresh the page and it should tell you you have already voted and show results of the poll instead of a ballot.

Now go to We*****4u.com (the asterisks are b itch) and scroll down the page to his 8-26-2012 – 5:05 AM posting and click on “this” in the first line. (That is the link in question.) This will take you to a specific article at BetterBradyNow where you can navigate to BBN Polls. If yours is like mine, you will see the ballot again instead of results.

Access BetterBradyNow directly from the same computer and you will see results and a reminder that you have already voted. Access it from the link on the same computer and you will see a new ballot for voting. This appears to be consistent and duplicates. No account or log in is required since these particular polls are open to all visitors.

If these differences exist on the public poll page, isn’t it possible they exist in other, less obvious places as well? The most obvious security problem would be if someone logged in from the link-accessed page and their username and password were sent to some unknown third party. If the person that logged in had special permissions at BetterBradyNow, it could breach website security in a big way.

If I am just worrying because I don’t understand, please say so.

Cordially,
TwoHoot

On Wed, 29 Aug 2012 00:36:02 +0000, TwoHoot wrote:

> Is it possible that if someone uses the we*****4u link to access
> betterbradynow.org and then logs in to betterbradynow from there that a
> copy of the username and password is recorded at we*****4u?

Does the link from the first site (which is being affected by the forums’
filters in some way, so I can’t go to the link) to betterbradynow.org
contain anything other than the URL itself?

If it doesn’t, then disable javascript on both sites in your browser and
see if the form is populated.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
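Jim's two checks above, whether the referral link carries anything beyond the bare URL and whether credentials would cross the wire unencrypted, can be done mechanically. This is an added example, not code from the thread or from Joomla!; the sample links are constructed, and the list of credential-like parameter names is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed list of parameter names a landing page's script might read to
# pre-fill a login form or resume a session. Extend it for your own site.
CREDENTIAL_KEYS = {"user", "username", "login", "pass", "password",
                   "pw", "token", "session", "sid", "auth"}


def inspect_link(url: str) -> dict:
    """Report everything a link carries beyond scheme, host and path.

    A link that is 'just the URL' has no query string, no fragment and no
    user:password@ part. Anything else is data the landing page can act on.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Some sites pass state in the fragment (#key=value); parse it the same way.
    fragment_query = (parse_qs(parts.fragment, keep_blank_values=True)
                      if "=" in parts.fragment else {})
    carried = set(query) | set(fragment_query)
    flagged = sorted(k for k in carried if k.lower() in CREDENTIAL_KEYS)
    userinfo = bool(parts.username or parts.password)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path,
        "userinfo": userinfo,                 # credentials embedded in the URL
        "query_keys": sorted(query),
        "fragment": parts.fragment,
        "flagged_keys": flagged,              # credential-like parameter names
        "cleartext": parts.scheme == "http",  # a login here goes over the wire unencrypted
        "plain_url": not (parts.query or parts.fragment or userinfo),
    }


# Constructed sample links for demonstration; not real links from the thread.
SAMPLE_LINKS = [
    "http://betterbradynow.org/index.php/some-article",
    "http://betterbradynow.org/index.php?username=admin&password=hunter2",
    "http://admin:secret@betterbradynow.org/",
    "https://betterbradynow.org/#page=1",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = inspect_link(link)
        print(f"{link}\n  plain_url={r['plain_url']} cleartext={r['cleartext']} "
              f"userinfo={r['userinfo']} flagged={r['flagged_keys']}")
```

Run it against the actual link from the referring page: a result with `plain_url` true means the link itself cannot be the source of the pre-filled form, which leaves the browser's own password store or script on the landing page.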

On Wed, 29 Aug 2012 01:45:03 +0000, Jim Henderson wrote:

> Does the link from the first site (which is being affected by the
> forums’ filters in some way, so I can’t go to the link) to
> betterbradynow.org contain anything other than the URL itself?

Oh, right, you already covered that - yeah, that would be a word that’s
filtered by the forum software.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 08/29/2012 12:56 AM, TwoHoot wrote:
> Do I need to worry about security at the website itself?

isn’t that where the folks from .ru created accounts?

if it were me, i’d alert the host (iPower) about concerns on those accounts.


dd