Mailing List CGatePro@mail.stalker.com Message #106328
From: Nicolas Hatier <nicolas.hatier@niversoft.com>
Subject: Re: [CGP-Update] [*] CommuniGate Pro 6.2c1 is released
Date: Wed, 15 Feb 2017 10:33:09 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>

And while it's less of a security issue, you may also want to remove the canUpdatePwd=1 value from login.wssp.

If I'm the user of some webmail service and the administrator has set a password expiration policy, I shouldn't be able to bypass that policy just by removing the canUpdatePwd value from my browser POST data.

Nicolas Hatier, ing. <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com



On 2017-02-15 10:20, Nicolas Hatier wrote:

Hello

To the developers: I know this is a preliminary version. But the current implementation of the two-factor authentication for webmail has a blatant flaw, since it relies on a field being sent by the client browser. If all I have to do is to press F12 on my browser and remove the x2auth value to bypass 2fa, well, that's not very secure. I understand Mr Average Joe probably won't be able to do that, but that's not the point here.

If CGP can get something directly from strings.data without relying on the client browser to send it, that's where I would put the x2auth=1 value. If CGP can't get something from strings.data, you may want to put an intermediate wssp step that contains a conditional server-side redirect or something like that.

Nicolas Hatier, ing. <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com



On 2017-02-14 15:38, Technical Support wrote:
Major Release

* SESSION: two-factor authentication framework has been implemented.
* XIMSS: the protocol has been extended to support two-factor authentication and forced password change.
* WebUser: the interface has been extended to support two-factor authentication and forced password change.
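The problem described in both of Nicolas's messages is a single pattern: the login handler lets a field in the browser's POST body (x2auth, canUpdatePwd) decide whether the second factor or the forced password change applies. The following is an added example, not CommuniGate Pro or Niversoft code, written to show that pattern next to the server-side alternative. The account records, the session store, the outcome strings and every field name other than x2auth and canUpdatePwd are constructed for illustration; the Account record stands in for whatever the server would read from strings.data.

```python
"""Added example (not CommuniGate Pro code): a login handler that trusts
client-sent flags versus one that derives the same decisions from server state."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Account:
    password: str
    two_factor_enabled: bool   # server-side setting (stands in for strings.data)
    password_expired: bool     # server-side expiration policy


# Constructed sample accounts for the demonstration.
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("correct horse", two_factor_enabled=True, password_expired=True),
    "bob": Account("hunter2", two_factor_enabled=False, password_expired=False),
}

# Server-side session store: token -> state. Only the server writes to it.
SESSIONS: Dict[str, dict] = {}


def _check_password(post: dict) -> Optional[Account]:
    """Password check shared by both handlers (constant-time comparison)."""
    acct = ACCOUNTS.get(post.get("username", ""))
    if acct is None or not secrets.compare_digest(post.get("password", ""), acct.password):
        return None
    return acct


def login_trusting_client(post: dict) -> str:
    """Flawed pattern: x2auth and canUpdatePwd arrive in the POST body, so whoever
    edits the request decides whether the extra steps happen at all."""
    acct = _check_password(post)
    if acct is None:
        return "denied"
    if post.get("x2auth") == "1":
        return "need_second_factor"
    if post.get("canUpdatePwd") == "1":
        return "must_change_password"
    return "session_granted"


def login_server_decides(post: dict) -> Tuple[str, Optional[str]]:
    """Hardened pattern: the same POST is accepted, but the flags are ignored and the
    requirement is read from the account record. When a second factor is needed,
    the pending state is recorded server-side under a random token, so the client
    cannot skip straight to a full session. Returns (outcome, pending_token)."""
    acct = _check_password(post)
    if acct is None:
        return "denied", None
    if acct.two_factor_enabled:
        token = secrets.token_hex(16)
        SESSIONS[token] = {"user": post["username"], "stage": "awaiting_second_factor"}
        return "need_second_factor", token
    if acct.password_expired:
        return "must_change_password", None
    return "session_granted", None


def complete_second_factor(token: str, code_ok: bool) -> str:
    """Second step of the hardened flow. The session must be in the awaiting state
    on the server; the forced password change is again decided from the account
    record, not from anything the client sent. A consumed token cannot be replayed."""
    state = SESSIONS.get(token)
    if state is None or state["stage"] != "awaiting_second_factor" or not code_ok:
        return "denied"
    state["stage"] = "full"
    acct = ACCOUNTS[state["user"]]
    return "must_change_password" if acct.password_expired else "session_granted"


def demo() -> Dict[str, str]:
    """What stripping the two flags from the browser's POST does to each handler."""
    full_post = {"username": "alice", "password": "correct horse",
                 "x2auth": "1", "canUpdatePwd": "1"}
    stripped = {k: v for k, v in full_post.items() if k not in ("x2auth", "canUpdatePwd")}
    return {
        "flawed_full": login_trusting_client(full_post),          # need_second_factor
        "flawed_stripped": login_trusting_client(stripped),       # session_granted
        "hardened_full": login_server_decides(full_post)[0],      # need_second_factor
        "hardened_stripped": login_server_decides(stripped)[0],   # need_second_factor
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened handler is that nothing in the request body selects the policy path: whether a second factor is required, and whether the password must be changed, is looked up from the account on the server, and the intermediate "awaiting second factor" step lives in the server's session store rather than in a value the browser echoes back.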


