password strength / weak passwords

stefan77

Joined: 2009-07-07
Posts: 3
Posted: Tue, 2009-07-07 08:21

Hi all!

A few days ago we did a security audit on a web page which runs Gallery2, among other things. We found out that there were users using *very* weak passwords, and we were wondering whether Gallery does any checks on password strength. After looking at the source code, we found out that not even the most primitive checks (e.g. password length) are enabled, nor is it possible to activate them.

So, the question is the following: Is there any plugin, module, whatever, which enables Gallery to check for password strength? Our searches across the web didn't lead to any results, so we fear that there's no existing solution. If this is true, the next question would be: Are there any recommendations on how to get a password strength checking mechanism inside Gallery? We already use the logic as an external PHP class (configurable password length, check against cracklib if installed, check against user-defined dictionaries and so on) for other purposes, so that wouldn't be the problem; the problem would be how to integrate such a thing into Gallery. Should we develop a module, a plugin, what is the best practice here? Is it even possible to get to the place where the password updating is done with a self-developed plugin? We're not used to digging into the depths of the Gallery code base, but we would be happy to do so and develop a plugin.

Finally, we could of course modify the source code, which would result in the least amount of work: it'd be a simple include at the right places. But we don't want to do so, as it would obviously break future update possibilities.

Thank you all very much in advance for sharing your thoughts on that topic.

Regards
Stefan


Gallery version (not just "2"): 2.3 Full All Languages
PHP version (e.g. 5.1.6): 5.2.9
PHPInfo Link (see FAQ): won't provide any, suppose it doesn't matter
Webserver (e.g. Apache 1.3.33): Apache 2.2.3
Database (e.g. MySql 5.0.32): MySQL 5.0.83
Activated toolkits (e.g. NetPbm, GD): GD, ImageMagick, some others
Operating system (e.g. Linux): Linux (CentOS 5)
Browser (e.g. Firefox 2.0): doesn't matter
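As an added illustration of the kind of check discussed in this thread (not Gallery2 code, and not the poster's own class; every name below is hypothetical), here is a small PHP policy class that enforces a configurable minimum length, a character-class requirement, a username check and a user-defined dictionary; it is meant to be called from wherever a password is set and its result shown to the user:

```php
<?php
// Added example, not part of Gallery2: a minimal password-strength policy.
class PasswordPolicy
{
    private $minLength;
    private $minClasses;
    private $dictionary;

    // $dictionary: banned words, e.g. loaded from a user-defined word list.
    public function __construct($minLength = 8, $minClasses = 3, array $dictionary = array())
    {
        $this->minLength  = $minLength;
        $this->minClasses = $minClasses;
        $this->dictionary = array_map('strtolower', $dictionary);
    }

    // Returns a list of human-readable problems; an empty list means acceptable.
    public function check($password, $username = '')
    {
        $problems = array();
        if (strlen($password) < $this->minLength) {
            $problems[] = "must be at least {$this->minLength} characters";
        }
        $classes = 0;
        foreach (array('/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/') as $re) {
            if (preg_match($re, $password)) { $classes++; }
        }
        if ($classes < $this->minClasses) {
            $problems[] = "must use at least {$this->minClasses} of: lower, upper, digit, symbol";
        }
        $lower = strtolower($password);
        if ($username !== '' && strpos($lower, strtolower($username)) !== false) {
            $problems[] = 'must not contain the username';
        }
        // Dictionary check on the password itself and on its letters only,
        // so that "Password123" or "welcome!" are still caught.
        $core = preg_replace('/[^a-z]/', '', $lower);
        if (in_array($lower, $this->dictionary, true) || in_array($core, $this->dictionary, true)) {
            $problems[] = 'is a common dictionary word';
        }
        return $problems;
    }
}

// Constructed sample dictionary and inputs, for demonstration only.
$policy = new PasswordPolicy(8, 3, array('password', 'welcome', 'gallery'));
foreach (array('1', 'Password123', 'smith2009!', 'c0rrect-H0rse') as $pw) {
    $p = $policy->check($pw, 'smith');
    echo $pw, ': ', ($p ? implode('; ', $p) : 'ok'), "\n";
}
```

Only the last sample passes; the first three are rejected for length and character classes, for being a dictionary word, and for containing the username respectively.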

nivekiam

Joined: 2002-12-10
Posts: 16503
Posted: Tue, 2009-07-07 17:10

No, it doesn't do anything like that, I've not seen a plugin, and it's not going to happen unless you code one. Development is stopped on G2 and the devs are working on G3. The only thing you're likely to see in a new release of G2 is a security fix if something is ever found. Also not very likely, as the code was gone through by a security audit company. It could happen, but not as likely as WordPress or something like that :)

I'd go ahead and just modify the core if you're comfortable with that. Again, there are not going to be any major updates to G2 so just keep track of your changes and if a security fix for something is ever released it should be fairly easy to patch your install.

____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

stefan77

Joined: 2009-07-07
Posts: 3
Posted: Tue, 2009-07-07 18:43

Mmmh, ok, you've got a point there. Looking at it that way, going for the source might be the best way.

Any hints about G3: are there any ideas of implementing some password strength checks? Or hooks for plugin modules that offer such things?

Regards
Stefan

nivekiam

Joined: 2002-12-10
Posts: 16503
Posted: Tue, 2009-07-07 18:57

For G3, I don't think it's going to be coded into the core, but you could start checking it out and getting the lay of the land and create a plugin for that.

I wouldn't mind something like that if I had a community-based site with users that had to log in.


stefan77

Joined: 2009-07-07
Posts: 3
Posted: Tue, 2009-07-07 19:31

Just for info, the scenario of Gallery in the aforementioned site is more or less the following:
- multiple users with different privileges to different albums
- content of gallery is displayed on the website of company "X"

Security problem: User "smith" with password "1" gets hacked; the hacker uploads tons of videos or pictures which say that company "X" sucks, or even better, content which is illegal to display. This would result in *big* problems for the company. OK, you can say that it's the problem of user "smith", but that's not true, since company X's reliability goes down the drain from the moment the first malicious videos or pictures show, no matter how hard you sue smith afterwards.

This problem multiplies if there is a security hole somewhere else on the (huge) website that allows SQL injection and the hashed passwords are read out. Again, you could say it's not Gallery's problem, but if the passwords had been stronger, many issues would have been avoided.

So, in an environment like this, it is essential that users cannot use extremely weak passwords. I would be very happy if G3 had such a (configurable: length, strength et al.) mechanism built in by default, but at least it should be possible to have an add-on do this job. Let's hope that this will be the case.

Regards
Stefan

nivekiam

Joined: 2002-12-10
Posts: 16503
Posted: Tue, 2009-07-07 19:46

I'd get to using G3, posting and asking in the forums, and you can submit feature requests:
http://sourceforge.net/apps/trac/gallery