Chatbox hash protection possible issue

ink · 2015-07-07 13:38:36

Hello, I enabled hash protection feature and created two test pages.

The first one generates correct hash and connect to specified room.
The second one has hashchatbox:'empty' settings and tries to connect to the same room.

Possible issue:
If I open second page it show me error - invalid hash. OK.
If I open first page it connects to chatbox room - OK.
Then I reload second page - it also connected to this (protected) room. But hash not specified!

E.g. if you connected once to protected room you can connect to it again without correct hash.
P.S. Checkbox "Auto creation by chatbox identifier is enabled" is unchecked, cache cleared.

Code below.

First page (right hash)

[== JavaScript ==]
<script type="text/javascript">
var LHCChatboxOptions = {hashchatbox:'<?php echo sha1('hash'.sha1('hash'.'demo_room'))?>',identifier:'demo_room',status_text:'Chat'};
(function() {
var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = '//mysite.com/livechat/index.php/chatbox/getstatus/(position)/bottom_right/(top)/300/(units)/pixels/(width)/300/(height)/300/(chat_height)/220';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
})();
</script>

Second page (no hash)

[== JavaScript ==]
<script type="text/javascript">
var LHCChatboxOptions = {hashchatbox:'empty',identifier:'demo_room',status_text:'Chat'};
(function() {
var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = '//mysite.com/livechat/index.php/chatbox/getstatus/(position)/bottom_right/(top)/300/(units)/pixels/(width)/300/(height)/300/(chat_height)/220';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
})();
</script>

remdex · 2015-07-07 16:57:21

If room is protected you have always pass this hashchatbox value.

ink · 2015-07-07 18:57:50

Yes, in theory. I described how you can avoid protection and send empty hashchatbox value and still connect to protected room.
If you connected once with correct hash you can remove hash after that and connect again with incorrect hash or without it at all.

For example: open link 1 and you will get "Invalid hash or auto creation is disabled" because this page has empty hash.
Then open link 2 with correct hash and you will create/connect to protected room.
After this open link 1 again. You will be connected to protected room using empty hash.

Last edited by ink (2015-07-07 19:47:00)

remdex · 2015-07-07 19:17:07

Seems I understood this. Most likely just logical issue related to https://github.com/LiveHelperChat/liveh … hp#L47-L95

Just perhaps more logical would be to have some non easy quesable chat identifier like it can be anythying and even if let say it would require hash all the time anyone who wants can see source code.

If you improve this part pull request are welcome smile

ink · 2015-07-07 19:46:09

Sadly I don't know how to make pull request but if you remove 90 - 94 lines ("else" part) then nobody can connect without hash and as I can see it will not break anything else. Thanks for clue about file and lines, now it works for me. Also I renamed $canCreate variable to $canCreateOrConnect to make code clearer. Thanks again smile

Last edited by ink (2015-07-07 19:47:28)

Announcement

#1 2015-07-07 13:38:36

Chatbox hash protection possible issue

#2 2015-07-07 16:57:21

Re: Chatbox hash protection possible issue

#3 2015-07-07 18:57:50

Re: Chatbox hash protection possible issue

#4 2015-07-07 19:17:07

Re: Chatbox hash protection possible issue

#5 2015-07-07 19:46:09

Re: Chatbox hash protection possible issue

Board footer