The MU forums have moved to WordPress.org

SSL /LDAP/password security questions (15 posts)

  1. davidctaylor
    Member
    Posted 17 years ago #

    Ok guys,

    Before anyone jumps on me for not searching the forum, I *have*. I realize now that WPMU is not designed to work with SSL. However, I've got some questions that I didn't see answered.

    1) For those of you using the LDAP plugin, isn't security a concern? If SSL is not being used, isn't the user's LDAP password going across in cleartext? This seems ESPECIALLY dangerous if you are using LDAP authentication where a userid/password can give a hacker all kinds of access outside of just WPMU.

    2) Can anyone elaborate on what (if any) security is used for passing a password in regular WPMU? Is it cleartext or is there some sort of encryption happening?

    In a nutshell, I'm going to be meeting with my organization's security guy soon and I'm trying to figure out some answers. My plan was to authenticate against LDAP, but I'm thinking there might be major pushback if there is no SSL solution. And if no one out there is using SSL in combination with the LDAP plugin/WPMU, how did you alleviate security concerns?

    Thanks in advance...

  2. drmiketemp
    Member
    Posted 17 years ago #

    2) The password get's MD5'ed but I'm not sure where along the process it occurs between the browser and the server.

  3. davidctaylor
    Member
    Posted 17 years ago #

    Just so I'm clear on this: Are you saying you are not sure if the password gets encrypted BEFORE it is passed over the wire to the server? There is a chance that the WPMU password is going across the wire in complete clear text?

  4. drmiketemp
    Member
    Posted 17 years ago #

    Yes, I have no idea where in the process it gets encrypted. Locked down terminal with a single IE6 window so I can't go digging through code right now.

    edit: I agree though that I do hope it's not being passed in the clear. If it was though, I'm sure it would have come up previously in regular wordpress, especially with all the hackers going after it. Someone would have picked up on that before now.

  5. davidctaylor
    Member
    Posted 17 years ago #

    Well, just as an FYI to the forum: I have it working under SSL. I have all of the admin stuff under SSL, with the regular blog available through regular HTTP. It took some mod_rewrite magic and some code changes (and about a week of my life!) but it is all working well. Those of you that want to do this take heart. It isn't that bad.

  6. drmiketemp
    Member
    Posted 17 years ago #

    Actually if you feel up to it, please feel free to give specific as to what you did to get it working. If you search for SSL or https, you'll note that previously folks have tried with some success and some failure.

    Heck, wp.com gave up on it due to all the problems they had with it awhile back.

  7. davidctaylor
    Member
    Posted 17 years ago #

    In a nutshell, I added my own function to general_tempalate.php called "getsslurl()" that I went through and used in several places instead of "get_option('siteurl'). My function looked like this:

    function getsslurl() {
    $tempurlstring = get_option('home');
    $tempurlstring = str_replace("http", "https", $tempurlstring);
    return $tempurlstring;
    }

    It looks like I modifified wp-login.php, admin-header.php, script_loader.php, themes.php, upload.php, upload-functions.php and wpmu_ldap_admin_functions.php (in the LDAP plugin I am using).

    I changed the .htaccess file to do some different rewrites too. I need to go back and remove some of the ones that are redundant. I know some of these statements are never being used and are in fact redundant. I just haven't cleaned it up yet. Here is what is in my .htaccess:

    RewriteEngine On
    RewriteBase /

    #uploaded files
    RewriteRule ^(.*/)?files/$ index.php [L]
    RewriteRule ^(.*/)?files/(.*) wp-content/blogs.php?file=$2 [L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule . - [L]

    #DTaylor - had to do this to switch to https for wp-admin screens for users (i.e. /david_taylor/wp-admin and /david_Taylor/wp-admin/whatever.php)
    RewriteCond %{HTTPS} off
    #RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) https://%{HTTP_HOST}/$1$2 [L]

    #DTaylor - had to do this to switch to https for wp-admin screens for users (i.e. /david_taylor/wp-admin and /david_Taylor/wp-admin/whatever.php)
    RewriteCond %{HTTPS} off
    #RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ https://%{HTTP_HOST}/$1$2 [L]

    #DTaylor - Needed this to fix problem of the style sheets not showing up for users on the admin screens on IE
    # turns out it was trying to load the /david_taylor/wp-content/mu-plugins/ldap_auth.css and it needed a redirect
    RewriteCond %{HTTPS} off
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-content/mu-plugins/.*) https://%{HTTP_HOST}/$1$2 [L]

    #http://homepages.baylor.edu/wp-admin/login-page.css?version=wordpress-mu-1.2.3-2.2.1
    RewriteCond %{HTTPS} off
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-admin/login-page.css/.*) https://%{HTTP_HOST}/$1$2 [L]

    RewriteCond %{HTTPS} off
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-admin/images/.*) https://%{HTTP_HOST}/$1$2 [L]

    RewriteCond %{HTTPS} off
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-admin/images/.*) https://%{HTTP_HOST}/$1$2

    #These are the original RewriteRule lines. Leave 'em in for the non-SSL (NON wp-admin) hits (i.e. http://homepages.baylor.edu/david_taylor)
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]

    RewriteRule . index.php [L]

    #added by DTaylor to redirect to HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    Of course, this is all in addition to setting apache up to run SSL. You can find documents on that. Everything seems to work. In fact, most all of it worked without any of the code changes in Firefox and Safari. However, I had to make most of those coding changes to keep IE from squawking about mixed content (i.e. "this page contained secure and unsecure...blahblahblah). It seems that FF was OK with the rewrite. Oh well. Anyway, our security guru has checked it over and said everything looks great. I'm only getting a couple of those mixed content warnings (and only on IE) and it is down in they tinyMCE code. I think I'll just leave it alone for now. Good luck to anyone else that plans to do this. I think most of my frustration just came from my inexperience with Apache and SSL. Once I "got it" it wasn't that bad. Wordpress could easily (it seems to me) make it possible to run under SSL out of the box.

  8. drmiketemp
    Member
    Posted 17 years ago #

    Looks good. Thanks

    Usually the issues occur with the "too many redirects" error. At least that seems to be the main issue I saw over in wp.com land. We never got any offical response out of staff except for logging out clear browser file and cookie cache and trying again.

    edit: Marked as a favorite so i can find it again.

  9. davidctaylor
    Member
    Posted 17 years ago #

    I haven't run into that. We've been testing it pretty heavily, but haven' really "gone live" with it. Maybe they were trying to do EVERYTHING with redirects instead of changing some of the code. No idea.

  10. dsilverman
    Member
    Posted 17 years ago #

    Isn't another problem lack of cookie persistence between the http and https sides? Or am I just making that up?

  11. drmike
    Member
    Posted 17 years ago #

    I believe that was when folks weren't clearing out their cookies when wp.com switched back and forth on the backend. I remember that though.

  12. godlikeP
    Member
    Posted 17 years ago #

    hello everybody,

    i have written a patch for ldaps.
    so if is anybody interested in this patch let me know.

  13. Dianoga
    Member
    Posted 17 years ago #

    I would be interested in the patch.

  14. summerinside
    Member
    Posted 16 years ago #

    As would I - let me know.

  15. PhoenixRises
    Member
    Posted 16 years ago #

    Since this post has been brought up again, a quick cookie explanation to answer ppl who have the same question as dsilverman.

    Cookies created in the HTTP domain are valid when using SSL (HTTPS), cookies created in the HTTPS domain, however, are not valid in HTTP.

About this Topic

  • Started 17 years ago by davidctaylor
  • Latest reply from PhoenixRises