[Fixed]: Automatic bans don't seem to be expiring - at least for some folks
 



Started by windyweather, September 30, 2008, 09:06:23 PM



windyweather

I'm having trouble with automatic bans based on login failures. For some folks, or maybe all folks, they don't seem to expire. I note that there was a bug way back when on this subject.

http://forum.coppermine-gallery.net/index.php/topic,10197.0.html

I've got a few issues:

  • No way for an admin to manually see or clear an automatic ban? Didn't see one.

  • Bans are by IP, so if I ban myself using a test username, then I'm stucko... maybe forever?? Or until my IP address changes which is tricky but maybe possible by using DHCP stuff in my router to get ISP to give me another address.

  • Not that useful anyway, if it's going to give me trouble. Maybe I should turn it off or rip it out...

Thoughts, fixes?

Thanks,
windy

windyweather

#1
The ban record for me contained the following:

ban_id  user_id  ip_addr  expiry               brute_force
120     NULL     x.x.x.x  2008-09-30 11:59:41  0

When the current time was 12:37 PDT, the login was still not allowed, and after an attempt, the time in the database did not change.
I don't know for sure what the server local time is, but they are based in LA, California, so I assume they are on the same time zone as me. But regardless, it seems that CPG should be using the same time for both the storage of the date/time and checking the date/time, so even if it were Central or GMT it should all work, right?
Looks like something is wrong to me. Clearly I was about 30 minutes after my login attempt, so the ban should have been cleared. It's not as long as 30 minutes, is it? Even 1 minute would foil any password break attempts. Surely 5 or 10 minutes is overkill, but this was over 30 minutes.

Had to use phpMySQL to delete the row to get back in.

- windy

Nibbler

Are you allowing for any difference between server time and your local time when looking at the expiry?

windyweather

#3
The server is not west of me, for sure. I'm on Pacific Coast.

BTW, the parameters said 5 attempts, 10 min at the time of my failed attempt that I had to fix with phpMyAdmin. And the condition was not cleared after 30 minutes. So there's a bug somewhere.

- Have a great day,
windy

Nibbler

I think the bug here is that the ban is added based on the server time but cleared based on the config offset time. Solution is to use one or the other, preferably server time, consistently.

windyweather

Has the fix been done and is it released? Which version?

I'd upgrade to get this fix. It's a royal pain for my users.

- w

Nibbler


windyweather

I'm not asking for the ban to be disabled, but to fix the timeout so that it works correctly.

Please test this in 1.5 and note that it DOES NOT WORK. It certainly does not work in 1.4.10.

Thanks for your kind attention to this matter.
Sincerely and with kindest and most respectful regards,
- w

Nibbler


windyweather

I misunderstood your last reply. Sounded like you meant that there would be no fix rather than the fix has not been done.
Apparently you mean that the fix is yet to be worked on.

Very sorry for the misunderstanding.
- w

Nibbler

Forget previous message.

Edit include/init.inc.php

$now = date('Y-m-d H:i:s', localised_timestamp());

change to

$now = date('Y-m-d H:i:s');
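To make the clock mismatch diagnosed above concrete, here is an added simulation in Python; it is not Coppermine code and does not reproduce its ban table or init.inc.php. It assumes the expiry is written from the server clock and, before the fix, compared against a clock shifted by a configured offset (standing in for the localised_timestamp() call); the 10-minute ban setting and the expiry value are taken from this thread, and the offsets are constructed. It goes slightly beyond the report by also showing the opposite sign of offset, where the same mismatch makes a ban expire before it ever takes effect.

```python
from datetime import datetime, timedelta

# Constructed inputs: the ban length from the thread ("10 min") and the
# expiry column of the record quoted above. Offsets are assumptions.
BAN_MINUTES = 10
EXPIRY_FROM_THREAD = "2008-09-30 11:59:41"
FMT = "%Y-%m-%d %H:%M:%S"


def record_ban(server_now, ban_minutes=BAN_MINUTES):
    """Expiry is written from the server clock, as the diagnosis describes."""
    return server_now + timedelta(minutes=ban_minutes)


def is_banned(expiry, now):
    """A ban is active while the comparison clock is before the expiry."""
    return now < expiry


def check_buggy(expiry, server_now, offset_hours):
    """Pre-fix behaviour: the check uses the configured-offset clock (the
    localised_timestamp() call), so it differs from the clock that wrote
    the expiry by the whole offset."""
    localised_now = server_now + timedelta(hours=offset_hours)
    return is_banned(expiry, localised_now)


def check_fixed(expiry, server_now, offset_hours):
    """Post-fix behaviour: the check uses the same server clock that wrote
    the expiry; the configured offset plays no part."""
    return is_banned(expiry, server_now)


def effective_ban_minutes(check, offset_hours, ban_minutes=BAN_MINUTES,
                          max_minutes=24 * 60):
    """Walk the server clock forward one minute at a time from the moment the
    ban was written and report when `check` first lets the user back in.
    Returns None if the ban outlives `max_minutes`."""
    created = datetime.strptime(EXPIRY_FROM_THREAD, FMT) - timedelta(minutes=ban_minutes)
    expiry = record_ban(created, ban_minutes)
    for elapsed in range(max_minutes + 1):
        if not check(expiry, created + timedelta(minutes=elapsed), offset_hours):
            return elapsed
    return None


def still_banned(expiry_str, server_now_str, offset_hours, check):
    """Evaluate one stored expiry against one server time under either check."""
    return check(datetime.strptime(expiry_str, FMT),
                 datetime.strptime(server_now_str, FMT), offset_hours)


if __name__ == "__main__":
    for offset in (-3, 0, 3):
        print(f"offset {offset:+d}h: buggy ban lasts "
              f"{effective_ban_minutes(check_buggy, offset)} min, "
              f"fixed ban lasts {effective_ban_minutes(check_fixed, offset)} min")
    # The situation reported above: expiry 11:59:41, still banned at 12:37?
    print("12:37 with an assumed -1h offset, buggy check:",
          still_banned(EXPIRY_FROM_THREAD, "2008-09-30 12:37:00", -1, check_buggy))
    print("12:37, fixed check:",
          still_banned(EXPIRY_FROM_THREAD, "2008-09-30 12:37:00", -1, check_fixed))
```

With a negative offset the buggy comparison keeps the ban alive for the offset plus the configured window (a 3-hour offset turns 10 minutes into 190), which matches a ban that is still in force 38 minutes after its recorded expiry; with a positive offset the ban is judged expired the moment it is written, so the brute-force protection silently does nothing. Either way the defence is the same as the fix above: write and compare the expiry with one clock.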

Paver

Tested fix and applied fix to stable and devel in SVN. 

Will be in 1.4.22 (once it is released) and later versions.

@windyweather: The bug reported here has been fixed.  Please use other support threads for the other issues you brought up in your original post, otherwise they will be lost in this bug thread.  Please stick to one issue per thread, although I could see your issues being part of a larger improvement in the banning mechanism if you frame it that way.  I don't think those other issues are bugs, but rather issues with the current mechanism that could be improved.