Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: [Fixed]: Automatic bans don't seem to be expirying - at least for some folks  (Read 42876 times)

0 Members and 1 Guest are viewing this topic.

windyweather

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 24
    • Windy Weather Photos

I'm having trouble with automatic bans based on login failures. For some folks, or maybe all folks, they don't seem to expire. I note that there was a bug way back when on this subject.

http://forum.coppermine-gallery.net/index.php/topic,10197.0.html

I've got a few issues:
  • No way for an admin to manually see or clear an automatic ban? Didn't see one.
  • Bans are by IP, so if I ban myself using a test username, then I'm stucko... maybe forever?? Or until my IP address changes which is tricky but maybe possible by using DHCP stuff in my router to get ISP to give me another address.
  • Not that useful anyway, if it's going to give me trouble. Maybe I should turn it off or rip it out...

Thoughts, fixes?

Thanks,
windy
« Last Edit: April 30, 2009, 02:44:12 am by Paver »
Logged

windyweather

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 24
    • Windy Weather Photos
More information...
« Reply #1 on: September 30, 2008, 09:39:24 pm »

The ban record for me contained the following:

ban_iduser_idip_addrexpirybrute_force
120NULLx.x.x.x2008-09-30 11:59:410

When the current time was 12:37 PDT, the login was still not allowed, and after an attempt, the time in the database did not change.
I don't know for sure what the server local time is, but they are based in LA, California, so I assume they are on the same timezone as me. but regardless, it seems that CPG should be using the same time for both the storage of the date/time and checking the date/time, so even if it were central or GMT it should all work, right?
Looks like something is wrong to me. Clearly I was about 30 minutes after my login attempt so the ban should have been cleared.. It's not as long as 30 minutes is it? Even 1 minute would foil any password break attempts. surely 5 or 10 minutes is overkill, but this was over 30 minutes.

Had to use phpMySQL to delete the row to get back in.

- windy
« Last Edit: September 30, 2008, 09:45:24 pm by windyweather »
Logged

Nibbler

  • Guest
Re: Automatic ban's don't seem to be expirying - at least for some folks
« Reply #2 on: September 30, 2008, 09:43:10 pm »

Are you allowing for any difference between server time and your local time when looking at the expiry?
Logged

windyweather

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 24
    • Windy Weather Photos
Shouldn't matter... The server is not west of me...
« Reply #3 on: September 30, 2008, 09:46:07 pm »

The server is not west of me, for sure. I'm on Pacific Coast.

BTW, the parameters said 5 attempts, 10 min at the time of my failed attempt that I had to fix with phpMyADMIN. And the condition was not cleared after 30 minutes. So there's a bug somewhere.

- Have a great day,
windy
« Last Edit: September 30, 2008, 09:54:03 pm by windyweather »
Logged

Nibbler

  • Guest
Re: Automatic ban's don't seem to be expirying - at least for some folks
« Reply #4 on: September 30, 2008, 10:14:20 pm »

I think the bug here is that the ban is added based on the server time but cleared based on the config offset time. Solution is to use one or the other, preferably server time, consistently.
Logged

windyweather

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 24
    • Windy Weather Photos
Is this fix in a released version??
« Reply #5 on: March 16, 2009, 06:01:36 am »

Has the fix been done and is it released? Which version?

I'd upgrade to get this fix. It's a royal pain for my users.

- w
Logged

Nibbler

  • Guest
Re: Automatic ban's don't seem to be expirying - at least for some folks
« Reply #6 on: March 16, 2009, 09:43:52 am »

No fix. If it's a big problem disable automatic bans.
Logged

windyweather

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 24
    • Windy Weather Photos
Noooooo... Not disable, but FIX THE TIMEOUT
« Reply #7 on: March 16, 2009, 06:35:07 pm »

I'm not asking for the ban to be disabled, but to fix the timeout so that it works correctly.

Please test this in 1.5 and note that it DOES NOT WORK. It certainly does not work in 1.4.10.

Thanks for your kind attention to this matter.
Sincerely and with kindest and most respectful regards,
- w
Logged

Nibbler

  • Guest
Re: Automatic ban's don't seem to be expirying - at least for some folks
« Reply #8 on: March 16, 2009, 06:48:39 pm »

I know, that's why it's on the bugs board.
Logged

windyweather

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 24
    • Windy Weather Photos
Sorry...
« Reply #9 on: March 16, 2009, 06:55:47 pm »

I misunderstood your last reply. Sounded like you meant that there would be no fix rather than the fix has not been done.
Apparently you mean that the fix is yet to be worked on.

Very sorry for the misunderstanding.
- w
Logged

Nibbler

  • Guest
Re: Automatic ban's don't seem to be expirying - at least for some folks
« Reply #10 on: March 16, 2009, 07:20:19 pm »

Forget previous message.

Edit include/init.inc.php

Code: [Select]
$now = date('Y-m-d H:i:s', localised_timestamp());

change to

Code: [Select]
$now = date('Y-m-d H:i:s');
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Automatic ban's don't seem to be expirying - at least for some folks
« Reply #11 on: April 30, 2009, 02:41:02 am »

Tested fix and applied fix to stable and devel in SVN. 

Will be in 1.4.22 (once it is released) and later versions.

@windyweather: The bug reported here has been fixed.  Please use other support threads for the other issues you brought up in your original post, otherwise they will be lost in this bug thread.  Please stick to one issue per thread, although I could see your issues being part of a larger improvement in the banning mechanism if you frame it that way.  I don't think those other issues are bugs, but rather issues with the current mechanism that could be improved.
« Last Edit: April 30, 2009, 02:48:06 am by Paver »
Logged
Pages: [1]   Go Up
 

Page created in 0.019 seconds with 19 queries.