Login / Logout plugin/mod using web auth and captcha

shwetha17

Member
May 24, 2018
Good day,

I created this plugin and hack for ruTorrent which supports web login / logout for multiple users with a friendly AJAX interface and CAPTCHA security code. I created it based on the recent SVN trunk version.

IMPORTANT: On single user setups the default username is: admin and a password MUST be defined. Leaving $userpass blank will prevent you from logging in.

Version 0.2:
-now captcha verification can be enabled/disabled at the user's choice by editing /userauth/conf.php
-did some graphic improvements
-cleaned up some CSS code
-the logout texts can now be set according to the selected language - translations are required.

Features:
-ajax login page
-improved security using captcha and bruteforce delays
-multiple user support
-confirm logout
-relatively easy to customize
-relatively easy to implement

Known Bugs:
-this login system works only with APACHE, since lighttpd and others don't recognise .htaccess, thereby the /share dir is exposed.

-usernames containing '/.' chars probably won't work

Improvements:
-Logout button should be more obvious
-create some translations
-some code improvements according to ruTorrent code syntax
-Suggest some


You can download the plugin from the following links since the file is larger than the attachment limit on this board:
Now all required files can be found in the archive, including the directory structure.

Screenshots:
Main login page

In menu logout button




Installation:
To implement this plugin three files need to be modified:
  • config.php which is in /conf and /conf/user/config.php
  • util.php which can be found in /php dir
  • index.html which is found in the root dir
config.php:
A variable $userpass must be defined in every config.php you create; it stands for that user's password.

Example:


Code:

$forbidUserSettings = false;


// password for this user
$userpass = 'mypasswordhere';


$scgi_port = 5001;



util.php:
This file needs to be modified to allow the web auth mechanism to be implemented and to prevent other information leaks since, from what I noticed, it is the file which is included in every other php script after config.php.


Please modify the code in BOLD which is found at the beginning of util.php:
Code:
<?php

if(function_exists('ini_set'))
{
    ini_set('display_errors', false);
    ini_set('log_errors', true);
}

if(!isset($_SERVER['REMOTE_USER']))
{
    if(isset($_SERVER['PHP_AUTH_USER']))
        $_SERVER['REMOTE_USER'] = $_SERVER['PHP_AUTH_USER'];
    else
    if(isset($_SERVER['REDIRECT_REMOTE_USER']))
        $_SERVER['REMOTE_USER'] = $_SERVER['REDIRECT_REMOTE_USER'];
}


WITH THE FOLLOWING CODE:

Code:
session_start();

if(isset($_SESSION['uname'])) {
    // logged in through login.html: expose the name where ruTorrent expects it
    $_SERVER['REMOTE_USER'] = $_SESSION['uname'];
} else {
    // no session: send the browser to the login page and stop this script
    header("Location: login.html");
    die();
}



index.html:
index.html needs to be renamed to index.php and needs the following BOLD code at the very top of the file to prevent any login:

Code:

<?php
include('php/util.php');
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru" lang="ru">


Additional files:
login.html
- this file is the main login page and needs to be added beside the newly modified index.php




If you spot bugs or have any suggestions, don't hesitate to reply to this topic.

UPDATE: Bold doesn't seem to work inside the code tags of this board, so "the code in BOLD" is actually the code which is found between the Code: markers.
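The post above wires a session check into util.php and keeps each user's password as a plain $userpass in config.php. The following is an added example, not the plugin's code, showing the same gate with the hardening a reviewer would ask for: a password hash instead of the plain string, a per-session brute-force delay (the post lists "bruteforce delays" as a feature), session-fixation protection on login, and restrictive session cookie flags. Assumed: this file lives at php/auth.php, login.html POSTs user/pass to it, and the util.php block becomes a call to auth_require().

```php
<?php
// Added example (not the plugin's own code): session-gated login for ruTorrent
// with a stored password hash, a brute-force delay and session fixation protection.
// Assumed layout: php/auth.php; login.html POSTs user/pass here; util.php calls auth_require().
declare(strict_types=1);

// In a deployment each conf/users/<name>/config.php would hold a precomputed hash,
// e.g. from:  php -r 'echo password_hash("mypasswordhere", PASSWORD_DEFAULT);'
// It is computed at runtime here only so the example runs stand-alone.
function auth_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('mypasswordhere', PASSWORD_DEFAULT)];
    }
    return $users;
}

function auth_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                       // JS cannot read the session cookie
        'samesite' => 'Strict',                   // not sent on cross-site requests
        'secure'   => !empty($_SERVER['HTTPS']),  // cookie only over TLS when the site uses it
    ]);
    session_start();
}

// Replacement for the REMOTE_USER block in util.php: every php/*.php script
// that includes util.php is gated, as in the post.
function auth_require(): void
{
    auth_session_start();
    if (empty($_SESSION['uname'])) {
        header('Location: login.html');
        exit;
    }
    $_SERVER['REMOTE_USER'] = $_SESSION['uname'];
}

// Returns true on success. Failures are delayed exponentially per session (capped)
// and unknown users take the same password_verify() path as wrong passwords,
// so the response time does not reveal which of the two happened.
function auth_attempt(string $user, string $pass): bool
{
    auth_session_start();
    $fails = $_SESSION['fails'] ?? 0;
    if ($fails > 0) {
        sleep(min(2 ** ($fails - 1), 30));
    }
    $users = auth_users();
    static $dummy = null;   // hash of a random string: keeps the verify cost constant for unknown users
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($pass, $users[$user] ?? $dummy) && isset($users[$user]);
    if (!$ok) {
        $_SESSION['fails'] = $fails + 1;
        return false;
    }
    session_regenerate_id(true);   // discard any session id the client had before login
    $_SESSION = ['uname' => $user];
    return true;
}

function auth_logout(): void
{
    auth_session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Minimal JSON endpoint for the AJAX login page. The plugin's CAPTCHA check is left out here.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    header('Content-Type: application/json');
    if (isset($_POST['logout'])) {
        auth_logout();
        echo json_encode(['ok' => true]);
    } else {
        $ok = auth_attempt((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
        echo json_encode(['ok' => $ok]);
    }
}
```

password_verify() does a constant-time comparison and reads the cost and salt from the stored hash, so the conf file can be upgraded to a stronger cost later without a format change. The delay is tracked per session, which slows an interactive attacker but not one who discards cookies; a per-IP or per-account counter in a file or database would be the next step.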
 

dsouvik215

Member
May 25, 2018
Hi, it's a great idea, but I'm not sure that storing the password in plain text in a conf file is the best way to do it... I think you should store it encrypted in a sqlite database, for example. The captcha should be enabled or not in the conf file too.

Wait other advises.

++
 

jith45

Member
May 25, 2018
Thanks for the feedback.

In this case it doesn't really matter how you store the password; it's like storing the password of a DB in a db config file, since it's not printed anywhere and it doesn't get to the client side. The thing you now must worry about is your server security.

-captcha selection is added to the TO DO list.
 

das329717

Member
May 25, 2018
To protect the password file from other users you can simply do a chown USER:GROUP file and then chmod 0600 file, where USER and GROUP is the FastCGI PHP user/group or the web server user/group (if using Apache + mod_php).
 

jith45

Member
May 25, 2018
1) This implementation is not secure. For example, ajax requests to RPC bypass this auth. As a result, anybody may get the list of your torrents or delete them all.
2) Storing passwords as plain text is not a good idea. You must store password hashes instead of passwords.
 

somus1735

Member
May 25, 2018
Excuse me, but do you have any idea what you are talking about?


1. It seems you don't have a clue about how ruTorrent works, so: if someone wants to access xmlrpc.php they first have to bypass util.php, which is included in it, as in any relevant file from the /php dir.

2. DOES NOT MATTER HOW YOU STORE PASSWORDS!!! WHAT hash? MD5? It's crackable using bruteforce in a few moments. How does somebody find out your password anyway, and why is it not secure?


Have you tried first what you said? I am awaiting proof on what you have said, please hack this: http://robits.org/rutorrent/
 

das329717

Member
May 25, 2018
Hi hwk, you don't need to be so rude! You must keep in mind that this forum is international and most people here are not English speakers, so maybe you think we are rude but it's only because we use simple sentences. Now when you say that novik "doesn't have a clue about how ruTorrent works", it shows that YOU don't have a clue about the rutorrent project... Novik is the main and (most of the time) only dev of rutorrent, so I guess he knows how rutorrent works....
Secondly, of course MD5 is crackable, but that's like saying a door lock is crackable so I leave the door open.... Even if we can't access this file from outside, maybe it's easier for an already logged-in user to access another conf file... I don't know, I'm not a hacker.
Anyway, your work is a good beginning; rutorrent needs a full web admin page for users (adding, modifying conf, deleting, activity logs, etc...), so I hope you will not stop here and will continue to give us a good plugin.
 

jith45

Member
May 25, 2018
Quote
1. It seems you don't have a clue about how ruTorrent works​


Really? Strange... Maybe you could teach me how ruTorrent works? ))

Quote
, so: if someone wants to access xmlrpc.php it first has to bypass util.php, which is included in it, as any relevant file from /php dir.​


Simply look at the file js/rtorrent.js. And try to think about the reason it is used.

Quote
2. DOES NOT MATTER HOW YOU STORE PASSWORDS!!!​


Really? Look at the file /etc/passwd - do you see plain text passwords?
 

somus1735

Member
May 25, 2018
lol, if novik doesn't know how rutorrent works we're in trouble, seeing as he wrote 99% of it.

He's the main dev for this project. You asked for feedback and when you got it from the BEST possible source, you got shitty about it.
 

dsouvik215

Member
May 25, 2018
Quote
Simple see to file js/rtorrent.js. And try to think - for which reason it used.​


That's just a data parser and you know better than me that it fetches data and processes it, which doesn't pose any security threat. It is impossible for it to process data which wasn't sent by the server and doesn't exist. Just admit you were wrong and it was a moment of rush. If you still think it's a security breach please show some proof.


Simple question:
How do you store your database connection credentials (username, db name, password) in php? Plain text or hash?
 

das329717

Member
May 25, 2018
Ask and you shall receive!

[screenshot: hack1.png]

Next time get your shit straight dude! And if that's not proof enough let me know and maybe I can delete all your torrents, or perhaps add a few for myself?
 

jith45

Member
May 25, 2018
Thank you for your notice!

But what does this have to do with the login interface? You only connected to the rTorrent application using the apache SCGI module, whose port was open (I was running some tests from a remote machine); this doesn't have anything to do with this login interface. This was possible even without ruTorrent being installed.

No security restrictions were applied to mod_proxy_scgi on apache (things were in testing mode); to make things really secure I recommend the HTTPRPC plugin, which takes care of this.

Also your post brings to mind a possible topic title: "How to secure your SCGI module", because this was a pure example of a security lack.
 

somus1735

Member
May 25, 2018
I really tried to control myself here, but I can't help it any longer

I present you: the double facepalm
[image: DoubleFacePalm.jpg]
 

dsouvik215

Member
May 25, 2018
@skydrome

lol, i just spit coffee all over my screen, thanks for that.



@hwk


You are obviously missing the point. Currently it is recommended to use some form of authentication through the webserver; your login is pointless if it can't replace this function.

This shouldn't need to be explained.

novik told you exactly what the issue was, you asked for someone to show you and it's been shown.


Fix it or ignore it, your choice
 

das329717

Member
May 25, 2018
What that guy just did is not related in any way to ruTorrent (the interface we all know for rTorrent); its only relationship is with apache + mod_proxy_scgi, which allowed everyone to connect to the xmlrpc server that rTorrent was running, so in this case I could have done it from every IP/domain my server has.

This is a plugin which implements a security login to your rTorrent interface (meaning ruTorrent) and has nothing to do with your apache module configuration. Yeah, use the HTTPRPC PLUGIN.

You can try:
xmlrpc yourdomain.com/RPC2 download_list started or
xmlrpc my.server.ip/RPC2 download_list started
 

jith45

Member
May 25, 2018
Dude, you just don't get it.


We recommend either securing the SCGI directory with some form of webserver authentication or mounting it on top of a directory with auth.

If you tried mine, you'd get stopped by the webserver auth.

What that guy did was exactly what novik was talking about, which is why in the wiki we recommend keeping /RPC2 set up with some form of authentication.

ANY login plugin should handle this as well.


You just weren't listening.

Your login is the httprpc plugin isn't always ideal; I agree a login plugin would be nice, but it needs to be able to fully replace webserver auth.
 

dsouvik215

Member
May 25, 2018
As you can see, this is not a simple "data parser". ruTorrent in the base configuration interacts with rTorrent in two ways:
1) From php
2) From javascript.
The second way is preferred if you have a slow server. Some plugins (rpc, httprpc) disable it. As a result, in your code you must check that the js variable theURLs.XMLRPCMountPoint contains a path to a .php file. Or you must implement the rpc plugin's functionality. Or put this point into your plugin's description. Or something else. But you can't leave this hole open.

Quote from: hwk on January 23, 2011, 02:09:09 pm
How do your store your database connection credentials (username, db name, password) in php? Plain text or hash?​


I don't store my credentials in php. I use web-server auth; all credentials are stored in one file and yes, it doesn't contain plain text passwords, it contains password hashes. As a result, if somebody sees this file, they can't know my password (at least, not immediately).

Quote
Really, you should write a guide on how to secure your SCGI!!!!​


The Russian version of the wiki contains it - http://code.google.com/p/rutorrent/wiki/Config?wl=ru#%D0%9F%D1%80%D0%BE_%D0%B0%D1%83%D1%82%D0%B5%D0%BD%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%86%D0%B8%D1%8E
Don't know about the English one.

Quote
some other monstrousities:​


The Russian version of the wiki contains info about the configuration of the '_getdir' plugin too. And yes, you must protect the rutorrent directory (and the RPC points if you use them) with web-server auth. Otherwise anybody may hack your system.

BTW, this is not the right place to publish *real* IPs and the security holes on them. Or are these systems - 188.165.233.69 and 85.17.112.61 - yours?
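The hole described above (js/rtorrent.js posting straight to theURLs.XMLRPCMountPoint, which a session check in util.php never sees) and the fix novik names (make the mount point a .php file, or reimplement what the rpc plugin does) can be shown together. The following is an added example, not ruTorrent's or the plugin's code: an rpc.php that runs the plugin's session gate and then forwards the XML-RPC body to rTorrent over SCGI. Assumed: this file sits in the ruTorrent root, rTorrent listens on 127.0.0.1:5001 (the $scgi_port from the first post), the session variable is the plugin's $_SESSION['uname'], and the conf/config.php setting that feeds theURLs.XMLRPCMountPoint (assumed to be $XMLRPCMountPoint) is pointed at rpc.php.

```php
<?php
// Added example (not ruTorrent's own code): an authenticated XML-RPC mount point.
// Runs the plugin's session gate, then forwards the request to rTorrent's SCGI port.
// Assumptions: file is rpc.php in the ruTorrent root; rTorrent SCGI on 127.0.0.1:5001;
// the plugin stores the logged-in user in $_SESSION['uname'].
declare(strict_types=1);

function rpc_require_login(): void
{
    session_start();
    if (empty($_SESSION['uname'])) {
        http_response_code(401);   // an XML-RPC client wants a status, not a redirect to login.html
        exit;
    }
}

// Build an SCGI request: a netstring of NUL-terminated "NAME\0VALUE\0" pairs, then the body.
// Per the SCGI spec CONTENT_LENGTH must be the first header and SCGI must be "1".
function scgi_encode(string $body, array $extra = []): string
{
    $headers = [
        'CONTENT_LENGTH' => (string)strlen($body),
        'SCGI'           => '1',
        'REQUEST_METHOD' => 'POST',
        'REQUEST_URI'    => '/RPC2',
    ] + $extra;
    $raw = '';
    foreach ($headers as $k => $v) {
        $raw .= $k . "\0" . $v . "\0";
    }
    return strlen($raw) . ':' . $raw . ',' . $body;
}

// Split the CGI-style reply ("Status: 200 OK\r\nContent-Type: text/xml\r\n\r\n<body>")
// into [status, headers, body]. Returns 502 if no header/body separator is found.
function scgi_parse_response(string $resp): array
{
    $sep = "\r\n";
    $pos = strpos($resp, "\r\n\r\n");
    if ($pos === false) {              // tolerate bare-LF servers
        $sep = "\n";
        $pos = strpos($resp, "\n\n");
    }
    if ($pos === false) {
        return [502, [], ''];
    }
    $status  = 200;
    $headers = [];
    foreach (explode($sep, substr($resp, 0, $pos)) as $line) {
        [$k, $v] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        if (strcasecmp($k, 'Status') === 0) {
            $status = (int)$v;
        } elseif ($k !== '') {
            $headers[$k] = $v;
        }
    }
    return [$status, $headers, substr($resp, $pos + 2 * strlen($sep))];
}

function scgi_forward(string $body, string $host = '127.0.0.1', int $port = 5001): array
{
    $sock = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 5);
    if ($sock === false) {
        return [502, [], "SCGI connect failed: $errstr"];
    }
    fwrite($sock, scgi_encode($body));
    $resp = stream_get_contents($sock);  // rTorrent closes the connection after one reply
    fclose($sock);
    return scgi_parse_response($resp);
}

if (PHP_SAPI !== 'cli') {
    rpc_require_login();
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
    [$status, $headers, $body] = scgi_forward(file_get_contents('php://input'));
    http_response_code($status);
    header('Content-Type: ' . ($headers['Content-Type'] ?? 'text/xml'));
    echo $body;
}
```

This only helps if the web server no longer exposes the raw SCGI mount (mod_proxy_scgi / mod_scgi on /RPC2) to anonymous clients, which is the point made above about keeping /RPC2 behind web-server auth: a second, unauthenticated path to rTorrent makes the gate in rpc.php irrelevant. Once the browser talks to rpc.php only, the check described above (an xmlrpc call to yourdomain.com/RPC2 from another machine) should come back with a 401 or a connection refusal rather than a torrent list.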
 

jith45

Member
May 25, 2018
Yes please don't post other people's IP addresses here.

Maybe it's best to move the SCGI part into a new thread? It's pretty off topic now. wink.gif
 

somus1735

Member
May 25, 2018
The owners of those hosts were notified.

Also, this login system works only with APACHE, since lighttpd and others don't recognise .htaccess, thereby the /share dir is exposed.
The bad part of basic auth is that you need to password-protect a whole domain; a single path doesn't do it, because SCGI is enabled for the whole domain.