Skip to content
Snippets Groups Projects
Select Git revision
  • develop default protected
  • develop-next
  • 1.14.x
  • 1.12.x
  • master
  • 1.10.x
  • 1.11.x
  • 1.9.x
  • revert-3168-issue/2910
  • 1.8.x
  • 1.8.0.x
  • v1.14.1
  • v1.12.5
  • v1.14
  • v1.12.4
  • v1.14-rc2
  • v1.12.3
  • v1.14.-rc1
  • v1.14-rc1
  • v1.12.2
  • v1.12.1
  • v1.10.7
  • v1.12
  • v1.10.6
  • v1.11
  • v1.10.5
  • v1.11.0-rc1
  • v1.10.4
  • v1.10.3
  • v1.10.2
  • v1.10.1
31 results
Search by author
  • Any Author
  • Daniel Lyubomirov Daniel Lyubomirov daniel.lyubomirov
  • Georg C. F. Greve Georg C. F. Greve georg.greve
  • Georgi Todorov Georgi Todorov georgi.todorov
  • Ivan Vasilev Ivan Vasilev ivan.vasilev
  • Kalin Canov Kalin Canov kalin.canov
  • Kalin Daskalov Kalin Daskalov kalin.daskalov
  • Kristiyan Saparevski Kristiyan Saparevski kristiyan.saparevski
  • Lyuben Penkovski Lyuben Penkovski lyuben.penkovski
  • Petar Dobrinov Petar Dobrinov petar.dobrinov
  • Tancho Mihov Tancho Mihov tancho.mihov
  • Veselin Veselin veselin.gizdov
  • Zdravko Iliev Zdravko Iliev zdravko.iliev
  • deployagent deployagent deployagent
  • **** **** group_48_bot_17e6ea48a1a545e46221f6b39c26dd4a
14 authors
  1. Mar 05, 2015
  3. Mar 02, 2015
  5. Feb 27, 2015
  7. Feb 26, 2015
  9. Feb 18, 2015
  11. Feb 17, 2015
  13. Feb 16, 2015
  15. Feb 13, 2015
  17. Feb 11, 2015
    • Peter Rotich's avatar
      Merge pull request #1727 from greezybacon/issue/login-dos · ca79bd5c
      Peter Rotich authored 
      
login: Require CSRF token to login

Reviewed-By: default avatarPeter Rotich <peter@osticket.com>
      ca79bd5c
    • Jared Hancock's avatar
      oops: Fix truncated random data · ca970b2a
      Jared Hancock authored
      ca970b2a
    • Jared Hancock's avatar
      login: Require CSRF token to login · 504831fe
      Jared Hancock authored 
      This patch fixes a vulnerable scenario, where sequential login attempts can
be made without an existing session, and without a valid CSRF token. This
scenario lends itself well for brute force password attempts, because
attackers can avoid using a session and still send requests to determine if
a set of credentials are valid. This vector also avoids the authentication
lockout mechanism, because it requires an ongoing session to shutdown the
requests.

This patch addresses the issue by requiring a session and a valid CSRF token
generated by the server and placed in the session to be submitted with the
credentials. Therefore, an existing session and a Cookie header are required
to process a login attempt. Secondly, the CSRF token will be changed on the
server after each login processed. Therefore, for each session, a subsequent
GET request would be necessary before submitting another login attempt.
      504831fe
  19. Feb 10, 2015
  21. Feb 06, 2015
  23. Feb 03, 2015
  25. Feb 02, 2015
  27. Jan 30, 2015
  29. Jan 24, 2015
  31. Jan 23, 2015
  33. Jan 15, 2015
  35. Jan 14, 2015
    • Jared Hancock's avatar
      Session never expires · ee072130
      Jared Hancock authored 
      This patch sends updated session cookies to the browser when the session is
refreshed on the server. This allows the session cookie to expire on the
browser at the same time the session timeout occurs at the server. In the
event the session timeout is configured in osTicket not to expire, the
cookie will expire after seven days on the client browser, and will expire
in PHP when it is garbage collected sometime after 86400 seconds after the
time last refresh time.

Using this method, the session will never expire if the session timeout in
osTicket is configured to 0, and the session is refreshed at least daily.
      ee072130
  37. Jan 13, 2015
    • Chefkeks's avatar
      Fix SLA link in help tips · d4497857
      Chefkeks authored 
      Fixes https://github.com/osTicket/osTicket-1.8/issues/1673
      d4497857
    • Jared Hancock's avatar
      Fix very predictable random data on some platforms · 2a358417
      Jared Hancock authored 
      Misc::randCode does not generate significantly random data for Windows
platforms with a local database. This stems from the random seed using the
milliseconds from the current time of day and the database connection time,
in microseconds. Because Windows has especially poor sub-second time
resolution via the microtime() function, the seed does not have many
variations.

This patch addresses the issue by using the included Crypto::random()
function as a source of random data rather than the mt_rand() function, as
it uses native cryptographic random data generators if possible to generate
the data, and uses microtime() as a fallback if no other source of random
data is available on the platform.
      2a358417
  39. Jan 12, 2015