matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

Update the logme function to use password_verify rather than compare md5 strings #11670

Open t-pearce opened 7 years ago

t-pearce commented 7 years ago

The standard accounting login system seems to function correctly with password_verify. It doesn't make much sense to have the logme function work on MD5. This is especially an issue because MD5 is cryptographically insecure.

tsteur commented 7 years ago

We definitely need to change this eventually. Ideally we'd include e.g. OAuth or something, but passing an md5 hash is not really a solution, especially since you basically need to have the raw password to do this. To use password_verify we'd need the raw password, which is not really a solution either, or do you mean passing the password hash instead? OAuth wouldn't be too much work to implement for us, but of course it adds some overhead for the user; it would be more secure than it is now.

t-pearce commented 7 years ago

Needing the raw password at the time of authentication isn't a bad thing; you ask the user to log in to a CMS, the CMS hashes the password, does its own login, and redirects to the logme function. At least in this use case, the logme function would work out-of-the-box, without requiring the server to log the MD5 hash somewhere in their CMS and somehow redirect that to the logme function.

To be honest, I tried to find a solution to this myself; I dug through the source code to try and find where the MD5 hash comparison was being done, to see if I could alter it to use password_verify. However, I'm very unfamiliar with Piwik's source, and accounting security is paramount so I'm wary of doing anything too cavalier with it.

tsteur commented 7 years ago

Needing the raw password at the time of authentication isn't a bad thing

Yes, that's true. The thing is, you don't want to transfer the raw password over the network via a URL parameter in a GET request, which may appear in access logs etc. and possibly be used over HTTP, which is no good :)

t-pearce commented 7 years ago

Yeah, perhaps some kinda cURL interface so it can be done via POST?

Is there any other method of remote authentication? My usage of Piwik somewhat requires a single login process; having the user log in to my CMS and then into Piwik isn't really acceptable. Password requirements aren't an issue; this is a local Piwik install and I've got them set up to share passwords.

mattab commented 3 years ago

A customer is asking about the logme feature and the security implications.

Btw, I added this (bold part) in the FAQ, as it seems it should work to POST the data (and is safer):

Important: we recommend making this request over HTTPS (SSL) in order to keep the password hash secure, and we also recommend POSTing the password and login URL parameters (instead of sending them as GET parameters, which may be visible in browser history and web server access logs).

It would be valuable to have OAuth for this, or otherwise use a secure hash for the passwords for this logme feature.
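As an added illustration of the two points raised in this thread (this is example code written here, not Matomo's logme implementation), the snippet below contrasts the md5-digest comparison style with password_verify() over a password_hash() value, and adds the transport checks the FAQ quote recommends (HTTPS and POST only). All function names, parameter names and sample values are hypothetical.

```php
<?php
// Added example, not Matomo's code. Function names are hypothetical.
declare(strict_types=1);

// Legacy style: the client sends md5($password) and the server compares digests.
// Whoever holds the digest can authenticate with it, so the digest is effectively
// the password itself, and md5 is fast and unsalted. hash_equals() at least avoids
// a timing side channel in the comparison.
function legacy_md5_login_ok(string $md5FromClient, string $md5Stored): bool
{
    return hash_equals($md5Stored, $md5FromClient);
}

// Modern style: the server stores password_hash() output (salted, slow bcrypt or
// argon2) and checks the raw password with password_verify(). If the stored hash
// was produced with an older algorithm or cost, a fresh hash is handed back so the
// caller can store it.
function modern_login_ok(string $password, string $storedHash, ?string &$rehash = null): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $rehash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Transport checks for a logme-style endpoint: refuse credentials that arrive in a
// GET request (URL, browser history, access logs) or over plain HTTP.
function request_transport_ok(array $server): bool
{
    $isPost  = ($server['REQUEST_METHOD'] ?? '') === 'POST';
    $isHttps = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return $isPost && $isHttps;
}

// Demo with constructed values (not real credentials).
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(modern_login_ok('correct horse battery staple', $stored));
var_dump(modern_login_ok('wrong password', $stored));
var_dump(request_transport_ok(['REQUEST_METHOD' => 'GET',  'HTTPS' => 'on']));
var_dump(request_transport_ok(['REQUEST_METHOD' => 'POST', 'HTTPS' => 'on']));
```

The legacy function is kept only to show what the md5 flow amounts to; a real endpoint would accept the raw password via POST over HTTPS and call the modern path, storing $rehash when it is set.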