Opps, i posted in the wrong area, please feel free to move.

My suggestion is as follows:

When creating a list of username and passwords, have it run as a form and out put a copy and paste list of those usernames and passwords, which have been encrypted with the key only the user knows.

This was, they can then copy that code in the debug into a, i dont know, users.scar file.

When the user comes to running a script which needs access to multiple users, it will do the same as normal but it will also ask for the key, which will then decrypt the usernames and passwords, store them into a array in memory and will be destroyed when the program ends.

The reason: Just a added layer of security to stop any hackers from being able to see the entire contents of the plain user names and passwords.
Hell, if you just lost 20 characters because your usernames and passwords were in plain text, you would be pretty pissed, whilst if you have a encryption method where you only know the key (say, a edited 1 time stamp), it would be impossible for them to crack it unless the programmers decided to put the key into a const instead of a destructable variable.

I like it :)

What might be a lot easier, would be to have it import the usernames and passwords from a password-protected file. You'd have to tell SCAR the password, somehow, but it'd be easier than encryption/decryption.

I've already created a encryption/decryption functions, which basically get the string that you want to decryp/encrypt, get the key that you specify, and encrypts it. Youll find it in the other scar scripts section (it uses a 1 time pad method)

Oooh, decrypt from the script? I guess I figured you meant that SCAR itself decrypts it. Sorry :)

I like it though.

Is there a function, yet, that can return all of the text from a file?

There is something simular, check out the settingstest script in /test in the script folder.

Oooh, sweet :)

Never had a problem with it, I've got up to date firewall, anti-spyware, virus scanners. No need to worry.

Never had a problem with it, I've got up to date firewall, anti-spyware, virus scanners. No need to worry.

Doesn't mean your secure.

An example A would be hacker could use a CRSF attack on the site to change everyones password, and once upon getting a admins password could get your IP. Upon getting your IP, he could then check what services are running, and see if there are any bugs in them. If he found any, he could then navigate to your passwords.

OR, it could be a sibling or "freind" who wants to get at you.

Doesn't mean your secure.

An example A would be hacker could use a CRSF attack on the site to change everyones password, and once upon getting a admins password could get your IP. Upon getting your IP, he could then check what services are running, and see if there are any bugs in them. If he found any, he could then navigate to your passwords.

OR, it could be a sibling or "freind" who wants to get at you.

Dang. That's possible? (First part, not the friend who wants to get at you.)

Dang. That's possible?

No, not really.

Hackers don't just press a button and magically change everyone's password.

And I've never heard of a CRSF attack, what is that?

a CRSF attack is simular to a XSS attack, but instead of stealing your cookies, you make the users browser do it. So you can make your avator link to a php script which will fill in the change password form, and upon you loading this persobn avator, it will fill in that form without your knowledge, and it will then submit the form, thus changing your password on this site using your computer without you knowing.

Then, if a admin gets his pass changed, the hacker can then log in as him, check the IP, do a netcat on your ip, and use any exploit which will use on it.

Although that is possible, not alot of RS hackers will know anything more than "generic keylogger in, password out" and i won't go into detail on what exactly to do.

That sounds complicated Distort. From my understanding of what you've said all you would need to do in order to make a CRSF attack entirely non threatening would be to use a proxy to do your webbrowsing which is an easy enough thing to do. The other thing that I think would take care of it is if you didn't appear to have any open ports. My understanding is that one determines what services you are running by the default ports that the services use so if somebody has that port open then they would probably be running that service. So a decent firewall and setting everything to use nonstandard ports would also protect one against such an attack. I don't know anything about this so I could be completely wrong though.

You use a cookie right? Of course you do, your logged in. Your authenticated. What someone will have to do is just load a PHP site in their avvy, and use your current authentication, fill in the password changing form here (still using your browser, under your authorisation) and submit it, using your authentication in your browser.

Did that get across then?

And about the ports... Sure, whatever :)

Can we get off that subject though?

:p

I will leave that subject behind after one more question

What kind of image would you use to launch a CRSF attack?

I think png, but I'm probably wrong


I'm curious because I wouldn't mind embedding a random-picture script into my avatar

hmm i think you can use gif too.

Depenind upon the forum, a example would be something like this



http://www.fake.com/example.php

In that php file, there would be the image, and a iframe. The image would make it appear normal, whilst the iframe will load the form for password changing, then submit it.

Some links :

http://redglyph.ath.cx:5656/beta/?dl=csrf-avi

http://milw0rm.com/papers/159

Just don't try to do it on this site. Infact don't unless you know what you are doing.