Mailing List CGatePro@mail.stalker.com Message #106330
From: Technical Support <support@stalker.com>
Subject: Re: [CGP-Update] [*] CommuniGate Pro 6.2c1 is released
Date: Thu, 16 Feb 2017 16:20:01 +0300
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hello,

On 2017-02-15 18:20, Nicolas Hatier wrote:

Hello

To the developers: I know this is a preliminary version. But the current
implementation of the two-factor authentication for webmail has a
blatant flaw, since it relies on a field being sent by the client
browser. If all I have to do is to press F12 on my browser and remove
the x2auth value to bypass 2fa, well, that's not very secure. I
understand Mr Average Joe probably won't be able to do that, but that's
not the point here.

That has been done intentionally to simplify workarounds should any problems with two-factor authentication arise. By the final release the mechanism will not depend on the flags (x2auth and canUpdatePwd) set in WebUser and XIMSS login requests. But for sites in transition from 6.1 to 6.2 with customized skins it's safer to let two-factor or forced password change be bypassed than fail and block users' access altogether.

If CGP can get something directly from strings.data without relying on
the client browser to send it, that's where I would put the x2auth=1
value. If CGP can't get something from strings.data, you may want to put
an intermediate wssp step that contains a conditional server-side
redirect or something like that.

Actually the mechanism already depends on the contents of the x2auth dictionary (strings.x2auth.data in the basic skin): if there are no methods defined there (or the actual data for the defined methods, e.g. phone numbers or e-mail addresses, was not defined for the account) the second authentication stage is not used.

Also, in these early versions the PIN 5678 always works :)

*Nicolas Hatier, ing.* <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com

On 2017-02-14 15:38, Technical Support wrote:
Major Release

* SESSION: two-factor authentication framework has been implemented.
* XIMSS: the protocol has been extended to support two-factor
authentication and forced password change.
* WebUser: the interface has been extended to support two-factor
authentication and forced password change.
--
Best regards,
Dmitry Akindinov

=======================================================================
When answering to letters sent to you by the tech.support staff, make
sure the original message you have received is included into your
reply.
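The point of the exchange above is where the decision to run the second authentication stage is made. The following is an added illustration written for this thread, not CommuniGate Pro's code: the first login function mirrors the preliminary behaviour Nicolas describes (a client-sent x2auth flag gates the second stage, so a request without the flag skips it), and the second mirrors the final behaviour Dmitry describes (the server decides from its own x2auth method configuration and the account's contact data, ignoring the client flag). The dictionary names, account records and the six-digit code are constructed for the example.

```python
"""Added example: decide server-side whether a second authentication stage
is required, instead of trusting a flag supplied by the client browser.

Illustrative code for the discussion in this thread, not CommuniGate Pro's
implementation. Names and data below are constructed assumptions."""

import hmac
import secrets

# Constructed stand-in for the skin-level x2auth dictionary: the second-stage
# methods the site has enabled.
SITE_X2AUTH_METHODS = {"sms", "email"}

# Constructed account records: per-user second-stage contact data.
# Passwords are plaintext here only to keep the example short.
ACCOUNTS = {
    "alice": {"password": "correct horse", "sms": "+1-555-0100", "email": None},
    "bob": {"password": "hunter2", "sms": None, "email": None},
}


def password_ok(user, password):
    """First stage: constant-time comparison against the stored password."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    return hmac.compare_digest(acct["password"], password)


def needs_second_stage(user):
    """Server-side decision: the second stage applies when at least one
    site-enabled method has data configured for this account."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    return any(acct.get(method) for method in SITE_X2AUTH_METHODS)


def login_trusting_client_flag(user, password, request):
    """The pattern objected to in the thread: a client-supplied x2auth flag
    gates the second stage, so a request that omits the flag skips it."""
    if not password_ok(user, password):
        return "denied"
    if request.get("x2auth") == "1" and needs_second_stage(user):
        return "second-stage-required"
    return "session"


def login_server_decides(user, password, request):
    """Hardened pattern: the request's x2auth flag is ignored entirely; only
    server-side configuration and account data decide."""
    if not password_ok(user, password):
        return "denied"
    if needs_second_stage(user):
        return "second-stage-required"
    return "session"


def start_second_stage(user):
    """Issue a server-held challenge. Delivery of the code to the user's
    phone or mailbox is out of band and not modelled here."""
    return {"user": user, "code": f"{secrets.randbelow(10**6):06d}", "attempts": 0}


def finish_second_stage(pending, submitted):
    """Complete the second stage against the server-held challenge only;
    nothing the client sends can mark the stage as already passed."""
    pending["attempts"] += 1
    if pending["attempts"] > 3:
        return "denied"
    if hmac.compare_digest(pending["code"], submitted):
        return "session"
    return "second-stage-required"


if __name__ == "__main__":
    # A request without the flag bypasses the weak check but not the hardened one.
    print(login_trusting_client_flag("alice", "correct horse", {}))
    print(login_server_decides("alice", "correct horse", {}))
```

The hardened login function never reads x2auth from the request, so a customized skin that fails to send the flag cannot weaken the check; the price, as Dmitry notes, is that a misconfigured site fails closed rather than open, which is why the thread describes the flag as a transition-period convenience only.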