-
Jul 20th, 2008, 10:06 AM
#1
Thread Starter
Member
[RESOLVED] Form Cookies Security
Hello all, I want to insert a code in my phpBB2.
All of them are in a TXT file and taken with an array:
PHP Code:
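$id = 23;
$pass = 'pass.txt'; // file with one allowed password per line
if ($forum_id == $id) {
    $error_login = "No permission<br />".
        "<form action='login.php' method='POST'><input name='pass' type='password' /><input type='submit' value='verify' />".
        "</form>";
    // Reject unless the cookie value is one of the listed passwords
    // (FILE_IGNORE_NEW_LINES strips line endings so entries can match)
    if (!in_array($_COOKIE['pass'], file($pass, FILE_IGNORE_NEW_LINES))) message_die(GENERAL_ERROR, $error_login);
    // Log user, IP and the password that was used
    $file = fopen("log.txt", "a+");
    $log = $userdata['user']." IP:".$_SERVER['REMOTE_ADDR']." PASS:".$_COOKIE['pass']."\r\n";
    fwrite($file, $log);
    fclose($file);
}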
When a user logs in, the password is set in the cookies and then the IP of the user and the time are stored in the log.txt file.
It works, but is this method secure?!
Thanks in advance.
Last edited by LoopUntil; Jul 21st, 2008 at 03:05 PM.
-
Jul 20th, 2008, 04:08 PM
#2
Re: Form Cookies Security
First off, you are storing the password in a cookie. That means it will be sent in plain text back and forth between the client and server with each request. It will also be visible to anyone who has access to the computer on which the browser is installed if they view the cookies. Ideally, the password should never be sent unencrypted over the Internet. It either needs to be transported via an SSL tunnel or sent hashed and salted as a minimum where SSL is not available.
Secondly, you have a list of passwords stored in a text file on the server. I am assuming that this file is not accessible via the web browser by using http://www.example.com/path/to/passwords.txt; you also want to ensure the same with your log file. In addition, what's stopping someone from repeatedly guessing passwords to stumble upon one which is in the list? The omission of a user name would make any dictionary-based attacks very effective.
You should be using server-side sessions to authenticate, check the password only once and set a flag once the user is authenticated. If the password is for use by multiple users, you might want to consider setting up some kind of role-based access control whereby only a list of predetermined users can access the forum. Requesting that they (re-authenticate) when they move into the protected area in addition will offer a higher overall level of security and accountability.
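Added example, not part of the original post: one way to do what the reply above describes, checking the password once against stored hashes and then relying on a server-side session flag instead of a password cookie. It assumes PHP 7 or later; the `hashes.txt` path, the `unlocked` session key and all function names are hypothetical.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+ and a hypothetical
// hashes.txt outside the document root with one password_hash() value per line.
const HASH_FILE = __DIR__ . '/../private/hashes.txt'; // hypothetical path
const PROTECTED_FORUM = 23;

// True if the candidate matches any stored hash. The plain password is never
// stored, compared as text, or written to a log.
function password_is_listed(string $candidate, array $hashes): bool
{
    $match = false;
    foreach ($hashes as $hash) {
        if (password_verify($candidate, $hash)) {
            $match = true; // keep looping so timing does not reveal which entry hit
        }
    }
    return $match;
}

// Check the password once; afterwards only the server-side flag is consulted.
function unlock_forum(array &$session, string $candidate, array $hashes): bool
{
    if (!password_is_listed($candidate, $hashes)) {
        return false;
    }
    $session['unlocked'][PROTECTED_FORUM] = true;
    return true;
}

// Used on the forum page in place of the in_array($_COOKIE['pass'], ...) test.
function forum_is_unlocked(array $session, int $forumId): bool
{
    return $forumId !== PROTECTED_FORUM || !empty($session['unlocked'][$forumId]);
}

// Request glue for the form target (skipped on the command line).
if (PHP_SAPI !== 'cli') {
    session_start();
    if (isset($_POST['pass']) && is_string($_POST['pass'])) {
        $hashes = file(HASH_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
        if (unlock_forum($_SESSION, $_POST['pass'], $hashes)) {
            session_regenerate_id(true); // new session id after the privilege change
        }
    }
}
```

The forum page would call `forum_is_unlocked($_SESSION, $forum_id)` after `session_start()`. Limiting repeated guesses is not covered here and needs a counter kept outside the session.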
-
Jul 21st, 2008, 07:55 AM
#3
Thread Starter
Member
Re: Form Cookies Security
Crypting the password in md5 or sha1 in the cookies is quite useless.
If a user "sniffs"/grabs the cookies of another user then they can replace/add these cookies with a tool and then refresh the page.
After that, they will be automatically authenticated.
The file passwords.txt is protected with htaccess.
The only thing I wanted to know is if some user can inject malicious code using the cookies and to know if this php code is secure.
Example: <?php system('ls') ?> in the cookies (or other things like that)... will my code execute this?
-
Jul 21st, 2008, 08:44 AM
#4
Re: Form Cookies Security
 Originally Posted by LoopUntil
Crypting the password in md5 or sha1 in the cookies is quite useless.
Oh no, I never knew that. I will quickly remove it from all the sites I have made and replace it with the super secure plain text option. 
 Originally Posted by LoopUntil
The file passwords.txt is protected with htaccess.
It should be outside the document root so that in the event of a web server exploit or the accidental deletion/corruption of the .htaccess file, it is not compromised.
 Originally Posted by LoopUntil
The only thing I wanted to know is if some user can inject malicious code using the cookies and to know if this php code is secure.
Example: <?php system('ls') ?> in the cookies (or other things like that)... will my code execute this?
In answer to your question, there don't appear to be any code injection vulnerabilities. However, your code IS NOT secure for the reasons I mentioned above. SHA1 and MD5 are not useless as long as the programmer who utilises them is not an idiot.
-
Jul 21st, 2008, 03:05 PM
#5
Thread Starter
Member
Re: Form Cookies Security
You are right, thanks, RESOLVED!
-
Jul 21st, 2008, 09:15 PM
#6
Re: Form Cookies Security
 Originally Posted by LoopUntil
If a user "sniffs"/grabs the cookies of another user then they can replace/add these cookies with a tool and then refresh the page.
After that, they will be automatically authenticated.
This is true of any automatic login method. But regardless, passwords should never be sent in clear text. SSL should be used for a security-critical login method so that the data cannot be sniffed by a malicious third party. For automatic logins, usually some kind of login token is used rather than a hash of the user's password; this then creates a pre-authenticated session.
There are hash algorithms available that are superior to SHA1 or MD5, too, like Whirlpool or RIPEMD.
But you knew all that, right?
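Added example, not part of the original post: a sketch of the login-token approach mentioned above, where the cookie carries a random token instead of the password or a hash of it. It assumes PHP 7.3 or later; the in-memory `$store` array stands in for a database table, and the function names, cookie name and sample user are constructed for illustration.

```php
<?php
// Added example, not the thread's code. $store stands in for a database table.

// Create a random token; only its SHA-256 digest is kept server-side, so a
// leaked token table cannot be replayed as cookies.
function issue_login_token(array &$store, string $user, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['user' => $user, 'expires' => time() + $ttl];
    return $token; // this value goes into the cookie
}

// Redeem a token exactly once. On success the caller starts a session for the
// user and sends the replacement token; a stolen token that was already used
// (or has expired) yields null.
function redeem_login_token(array &$store, string $token): ?array
{
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    unset($store[$key]); // single use, whether or not it was valid
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    return ['user' => $row['user'], 'next' => issue_login_token($store, $row['user'])];
}

// Cookie flags: HTTPS only, not readable from JavaScript.
function send_token_cookie(string $token, int $ttl = 1209600): bool
{
    return setcookie('login_token', $token, [
        'expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demonstration: the first use succeeds, a replay of the same token fails.
$store  = [];
$token  = issue_login_token($store, 'sample_user');
$first  = redeem_login_token($store, $token);
$replay = redeem_login_token($store, $token);
var_dump($first['user'], $replay === null); // string(11) "sample_user", bool(true)
```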