[CWB] CQPweb: Heartbleed recovery

Hardie, Andrew a.hardie at lancaster.ac.uk
Wed Apr 9 21:07:08 CEST 2014


Hi all,

If you are running a CQPweb server accessible via the wide open internet, please read the following.

This week, a catastrophic security issue affecting OpenSSL has been reported, called Heartbleed.

For further info see:

http://heartbleed.com
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
and many assorted articles in various media.

(NB "catastrophic" is Schneier's choice of adjective not mine!)

The site I've been using to check for vulnerabilities is http://possible.lv/tools/hb/ . There are others out there including http://filippo.io/Heartbleed/ .

If you run your CQPweb server over HTTP, then your users' credentials are totally insecure anyway. In that case, move along. Nothing to see here. Ignore the rest of this message.

If you run your CQPweb server over HTTPS, and you are running an OS/web-daemon version affected by Heartbleed, then there is a very high probability that Heartbleed has been used to compromise your server (in the article linked above Schneier says "the odds are close to one"). To restore security, you need to (a) patch the software; (b) change your public / private keys and certificates; (c) change all CQPweb passwords.

FIRST - make whatever software updates are necessary to your machine to get to the point where you are running CQPweb in an environment without the vulnerability (or ask your system administrator to do so, and then wait till they have done it). Exactly what you need to do will depend on what OS etc. you are running.

SECOND - get a new public/private key pair and update your SSL certificate (or bundle if you're using a bundle) (or ask your system administrator to do so, and then wait till they have done it).

THIRD - make all your users change their passwords.

Note it is essential to do these steps in order: there is for example no point changing passwords till after you change your certificates, since anyone who has swiped your old private key/certificate info while the Heartbleed hole existed could then swipe the new passwords.

That last step is a bit of a pain because the planned tools that would allow you to do this quickly and easily through the sysadmin control panel have not been written yet. Here's how to do it manually in versions greater than 3.1:


1.    Use the MySQL command line client to connect to your CQPweb database (either as root or with the account used by CQPweb itself).

2.    Force all users to log out by deleting all persistent login tokens:

a.    delete from user_cookie_tokens;

3.    Delete all existing passwords (quickly after doing the previous step so no one has time to log in again).

a.    update user_info set passhash = "$2a$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

4.    You now need to send an email message to your users to instruct them to change their passwords. To get a list of email addresses:

a.    select email from user_info where email IS NOT NULL AND email != "" INTO OUTFILE "/specify/some/path/here";

b.    Send an email to all these addresses, explaining why their passwords no longer work, and pointing them to the page where they can re-set the password.

5.    Now, find out if you have any users who do not have email addresses connected to their accounts:

a.    select username from user_info where email IS NULL or email = "" ;

b.    (only accounts created in pre-3.1.0 with no email specified can be of this kind.)

6.    You will need to change the password for each of these users manually. (To log in, you will of course need to change your own password first!)

a.    You can do this via the "Manage users" screen in admin control panel; then tell each user what their new password is.

b.    To automate this for many users: write a script hitting this URL (whilst logged in as yourself):

c.    https://server.net/path/to/cqpweb/adm/index.php?userForPasswordReset=USERNAME_HERE&newPassword=NEW_PASSWORD_HERE&admFunction=resetUserPassword&uT=y

7.    ALTERNATIVE to step 6: add an email for these to the database:

a.    update user_info set email="something@somewhere.net" where username="USERNAME";

b.    ... and then they will be able to change their passwords themselves via the web interface as per above.

In versions before 3.1.0:


*         If you are not using CQPweb's Apache-based username management... then you need to give each user a new password via the appropriate tools for {whatever username/password system you are using}, and inform them of what it is.


*         If you are using CQPweb's Apache-based username management... then you need to use the "Create new user (or reset user password)" function under "Manage users" in the admin control panel. Again, give each user a new password, then inform them of what it is.



*         To automate use of that web-form for a large number of users, write a script to hit this URL once for each user:



o    https://YOUR_USERNAME:YOUR_PASSWORD@server.net/path/to/cqpweb/adm/index.php?newUsername=USERNAME_HERE&newPassword=NEW_PASSWORD_HERE&admFunction=newUser&uT=y

Please note that all the above procedures are untested. (I haven't been able to do it on my own v3.1.5 server yet because I am still at the stage of getting my certificates changed... and I no longer have any machines running 3.0.x.) So - if you spot any problems, please let the list know.

Phew! That's it!

best

Andrew.
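Added example (not part of Andrew's message and not CQPweb's own code): a script for step 6b and for the pre-3.1.0 "newUser" form, which issues one GET per user at the admin URLs quoted above with a fresh random password for each account. Everything beyond those two URL templates is an assumption: that the 3.1+ admin session is carried by whatever Cookie header your logged-in browser sends (pasted in verbatim), that the username list is the one-per-line output of the step 5a query, and that a 0600 CSV is an acceptable hand-over record until each user has been told their password.

```python
# Added example, not part of the message above and not CQPweb's own code.
# Automates step 6b (3.1+) and the pre-3.1.0 "newUser" form: one GET per user
# at the admin URLs quoted in the message, with a fresh random password each.
# Assumptions (not in the message): the admin session is carried by whatever
# Cookie header your browser sends (paste it verbatim), usernames come one per
# line from the step-5a query, and the output CSV is the hand-over record.
import argparse
import base64
import csv
import os
import secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def new_password(nbytes=12):
    """16 URL-safe characters from the OS CSPRNG (never random.random())."""
    return secrets.token_urlsafe(nbytes)


def reset_url(base_url, username, password, legacy=False):
    """Build the admin URL from the message. urlencode() escapes '&', '=', '+'
    and spaces, which pasting the password into the bare template would mangle."""
    if legacy:   # pre-3.1.0: "Create new user (or reset user password)" form
        params = {"newUsername": username, "newPassword": password,
                  "admFunction": "newUser", "uT": "y"}
    else:        # 3.1+: resetUserPassword
        params = {"userForPasswordReset": username, "newPassword": password,
                  "admFunction": "resetUserPassword", "uT": "y"}
    return base_url.rstrip("/") + "/adm/index.php?" + urlencode(params)


def plan_resets(usernames, base_url, legacy=False):
    """Return [(username, new_password, url)], skipping blanks and duplicates
    so no account is reset twice with two different passwords."""
    plan, seen = [], set()
    for raw in usernames:
        name = raw.strip()
        if not name or name in seen:
            continue
        seen.add(name)
        pw = new_password()
        plan.append((name, pw, reset_url(base_url, name, pw, legacy)))
    return plan


def write_credentials(plan, path):
    """Write username,new_password as CSV, mode 0600, refusing to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["username", "new_password"])
        for name, pw, _ in plan:
            w.writerow([name, pw])


def apply_resets(plan, cookie=None, basic_auth=None):
    """Perform the GETs. Basic auth goes in a header rather than in the URL
    (user:pass@host) so the admin password stays out of logs and history."""
    headers = {}
    if cookie:
        headers["Cookie"] = cookie
    if basic_auth:
        headers["Authorization"] = "Basic " + base64.b64encode(
            basic_auth.encode()).decode()
    status = {}
    for name, _, url in plan:
        with urlopen(Request(url, headers=headers)) as resp:
            status[name] = resp.status
    return status


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--base", required=True, help="https://server.net/path/to/cqpweb")
    ap.add_argument("--users", required=True, help="file with one username per line")
    ap.add_argument("--out", required=True, help="CSV of new passwords (created 0600)")
    ap.add_argument("--legacy", action="store_true", help="pre-3.1.0 newUser URL")
    ap.add_argument("--cookie", help="admin session Cookie header (3.1+)")
    ap.add_argument("--basic-auth", help="user:password for Apache auth (pre-3.1.0)")
    ap.add_argument("--live", action="store_true", help="actually send the requests")
    args = ap.parse_args()
    with open(args.users) as fh:
        plan = plan_resets(fh, args.base, args.legacy)
    write_credentials(plan, args.out)   # record first, so nothing is lost on a crash
    if args.live:
        for user, code in apply_resets(plan, args.cookie, args.basic_auth).items():
            print(user, code)
    else:
        print("dry run: would reset", len(plan), "accounts; rerun with --live")
```

Run it without --live first to see how many accounts it would touch, then with --live. Because both admin URLs carry the new password in a GET query string, every reset lands in the web server access log and in the shell history of whoever runs the script; treat these passwords as one-time values, ask users to change them at first login, and restrict or purge that log afterwards.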