Ossn v3

Arsalan Shah Posted in General Discussion 10 years ago

Hello Everyone,

We are working on Ossn v3, with :

  • Fixing Performance Issues.
  • With new Frontend / Backend Themes.
  • And much more.

If you have any idea that you want in Ossn Core, please let us know.

Replies
us Server24h peschges Replied 8 years ago

hallo

habe ein kleines problem

als ich meine url aufgerufen habe www.meineurl.de/home

zeigt er mir an das configuratios is not writable

kannst du mir bitte eine Anleitung geben wo hervor geht welch ordner und datein welche chmod bekommen Danke

lg christian

Romanian Kapus Attila Replied 9 years ago

One unique theme not related to any present social network.

David Toro Replied 10 years ago

emphasized textHello. I;m not a technical person, but Some thngs that would be nice features since you are asking in my opinion are:

  1. Being able to share on your own timeline something a friend has posted.
  2. Members able to create a page.
  3. A multilingual pack for site as we all don't speak just one particular language,
  4. Some really cool games to attract members to engage on site.
  5. Create an ad to promote your site or business. (Admin can set the price)

Just a few ideas that come to mind. Thank you for a great script, and look forward seeing the updated version

David Toro

Hungarian Vilmos Molnár Replied 10 years ago

/components/OssnWall/forms/user/container.php file 16. line:
/components/OssnWall/forms/home/container.php file 20. line:

post replace status phrase

<div class="text"><?php echo ossn_print('status'); ?></div>
gb Stuart Moseley Replied 10 years ago

hmac +bcrypt for hashing users passwords

reason behind this is this:

//// create the hmac /////
$hmac = hash_hmac('sha512', $pass1, file_get_contents('secret/key.txt'));
//// create random bytes for salt ////
$bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
//// Create salt and replace + with . ////
$salt = strtr(base64_encode($bytes), '+', '.');
//// make sure our bcrypt hash is 22 characters which is the required length ////
$salt = substr($salt, 0, 22);
//// This is the hashed password to store in the db ////
$bcrypt = crypt($hmac, '$2y$12$' . $salt);
$token = md5($bcrypt);
//// query to check if email is in the db already ////
$stmt = $db->prepare("SELECT email FROM members WHERE email=:email1 LIMIT 1");
$stmt->bindValue(':email1',$email1,PDO::PARAM_STR);
try{
$stmt->execute();
$count = $stmt->rowCount();
}
catch(PDOException $e){
echo $e->getMessage();
$db = null;
exit();

with a secret.txt and a key.txt file for encryption/hashing purposes

So what is it that makes this stronger than the other approaches?

The answer is simple: The key. Since it is static, meaning that it is the same for all passwords, we can store it in a file outside the document root, or protected by .htaccess. This means that an attacker would have to successfully complete two attacks for the data to be useful. First find an SQL injection vulnerability to get all password hashes, then break the filesystem to get the locally stored static key.

So, let's consider the following scenario

Stage 1: We have used this method to store users passwords, and an attacker has successfully executed an SQL injection attack and is now in the posession of all password hashes and sees right away that it's bcrypt.

Stage 2: The attacker now does an attempt to crack some hashes, and WOW, guess what, (s)he did it!

Stage 3: Now what? Well, (s)he is now the proud owner of another hash, which in order to break easily, (s)he would have to break the filesystem (which is not easy)

So as long as you're not the FBI, NASA, Pentagon, CIA, etc, it's just too much effort that needs to be put into this, so the attacker will most likely just drop the whole thing and find another victim, and your users data remains safe.

So, how do we do this?

The very first thing we need to do it to generate the static key to use with HMAC, and my method of choice is the following.

echo base64_encode(openssl_random_pseudo_bytes(128));

The key I was given by the above code was

gE9cLRn8kRTAJ2ILQevE+T81Zav7AUI+mK2R3dM/nRENMyUnIxtHjyFCFUQyXxAK/CWLPWvt5Gp4GAJCAXQLNTLi90QPxeuWwzpJnnzIiEg//dHUW2Lfsr7+C9IFzhfV3RVqPXiFqIrD+D+4pRzUs48/WUZFrEJWxLDlysk3keQ=

Remember that you will not get the same result since its, well, random.

I now copied that string and saved it into a file called key.txt. This file should live outside the document root, if that is not possible it must be protected by .htaccess

It's time to secure the passwords

The password we will use in this example is

$password = '=^<.6:6(xF>#8*6';

Step 1: Create a HMAC hash

$hmac = hash_hmac('sha512', $password, file_get_contents('path/to/key.txt'));

If you are using the same key, password and algorithm as me the value of your $hmac should be

fe14b2149a9b83bd22b9fb4e785335fc6eafaa71eb65281f8e99dbe31993581e3fbf06da68ff3d4af6d37c82e3120fa920bbef16dff50cf31e9b8a7006a94a62

Step 2: Create a salt to use with bcrypt

The first thing we need to do is to generate a set of random bytes. I will show two ways that provides strong cryptographigal entropy. First is openssl_random_pseudo_bytes, which is also the function suggested by Mozilla

$bytes = openssl_random_pseudo_bytes(16);

Another posiblity is using mcrypt_create_iv with MCRYPT_DEV_URANDOM as the source

$bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);

So if you don't have access to openssl_random_pseudo_bytes, then mcrypt_create_iv is what you should use.

When we have generated a set of random bytes, we need to turn this into a string which we do by encoding it to base64 replace all plus signs (+) with periods (.) since plus signs are not allowed in the bcrypt salt. Then we extract 22 characters from the base64 encoding because the required salt length for bcrypt is 22

$salt = strtr(base64_encode($bytes), '+', '.');

$salt = substr($salt, 0, 22);

Step 3: Create the hash that will be stored in the database

$bcrypt = crypt($hmac, '$2y$12$' . $salt);

The hmac hash is now encrypted with the blowfish algorithm.

Now we need to validate passwords

Validating a password using this method is just as easy as validating a single layer bcrypt hash only that instead of using the plain text password we use the hmac hash

Step 1: Create hmac hash

$hmac = hash_hmac('sha512', $password, file_get_contents('path/to/key.txt'));

Step 2: Perform validation

if (crypt($hmac, $hash) === $hash) {

echo 'Valid password';

} else {

echo 'Invalid password';

}

$hash is the hash stored in the database. 
ng Moneya Replied 10 years ago

lol lee meant backend feature's not frontend

Karl-Heinz Mohr Replied 10 years ago

Hello,

here are some ideas about features from me:
Delete messages,
yes, delete a group,
block user,
Comment with smilies,
Content Formatting, allow html
more options in groups,
more components settings,
newsletter with html,
browse users in the admin area,
deleting a user with all the activities
onlinemember,
Thank you for your great work

Hungarian Vilmos Molnár Replied 10 years ago
  • Last name, first name replace option (i'am hungarian...)
  • Nick name adding
  • other input field option (Account setting)
Hungarian Vilmos Molnár Replied 10 years ago
  • Mobil version
  • Chatbar in right sidebar option (my resolution 1280x800)
  • Photoalbum editing option
  • RSS Feed
Indonesian Arsalan Shah Replied 10 years ago

@All, by ideas i didn't mean features, i mean php methods, libraries, etc.