rjt / untangle

Untangle did not force SSL very well. It was too easy to bookmark a URL and enter your credentials in the clear. This is a hack to force https://


untangle

Has NOT been tested yet with untangle 11.0.1~svn20150105r39394release11.0-1wheezy. Untangle does not force SSL very well as of 2014-10-09.
It was too easy to bookmark a URL and unknowingly enter your credentials in the "clear" because the protection mechanisms were bypassed.
To reproduce, open

http://MyUntangleFirewall.com/auth/login?url=/setup/welcome.do&realm=Administrator

in a browser and see if you can put your username and password into the box; submitting the form transmits them over plain http even if http administration is turned off.

THIS NEEDS A SCRIPT TO MAKE THESE LOUSY DIRECTIONS SIMPLER. The gist: back up the real /usr/share/untangle/mod_python/auth/index.py, copy this repository's ./usr/share/untangle/mod_python/auth/index.py over it, and restart Apache.

How to force untangle to only accept SSL encrypted usernames and passwords:

1.) Make a backup of the corresponding files on your system.
2.) pushd /usr/share/untangle/mod_python/auth/
3.) mkdir ./archive/
4.) Move the stock index.py and its compiled '*.pyc' files to ./archive/
    a.) mv index.py index*.pyc ./archive/
5.) Copy the new file(s) from this repository checkout to their locations on your gateway.
    a.) cp ./usr/share/untangle/mod_python/auth/index.py /usr/share/untangle/mod_python/auth/index.py   # This file forces https.
6.) There will be a corresponding
7.) Restart Apache, then verify the patch is installed by:

```
ssh root@untangle
# grep rjt /var/log/apache2/error.log
```

8.) Verify it is working by testing the public and private URLs found here:

```
# grep '\[crit\] rjt' /var/log/apache2/error.log | grep http
```

This will tell you the URL to put into a test browser to see if SSL / https is bypassed when prompted for credentials.
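The install-and-verify procedure above, as an added example written for this page; it is not a script from the rjt/untangle repository. It assumes the web UI runs under Apache (so the restart command is `service apache2 restart`, which the page itself does not name), and since the page does not show the text of the `[crit] rjt` lines the patched handler logs, `SAMPLE_LOG` below is a constructed sample in Apache 2.2 error.log layout. Run with no arguments it does a dry run in a throwaway directory; with a checkout path it installs for real.

```python
"""Installer for the index.py patch plus a parser for the verification grep (added example)."""
import os
import re
import shutil
import subprocess
import sys
import tempfile

# Path of the patched handler, relative to both the repo checkout and the gateway root.
AUTH_REL_PATH = "usr/share/untangle/mod_python/auth/index.py"
RESTART_CMD = ["service", "apache2", "restart"]  # assumed; the page only says "Restart."


def backup_and_install(repo_root, system_root="/", rel_path=AUTH_REL_PATH):
    """Move the stock index.py and its compiled index*.pyc into ./archive/ next to
    it, then copy the patched file from the checkout into place.
    Returns (list of archived paths, installed path)."""
    src = os.path.join(repo_root, rel_path)
    dst = os.path.join(system_root, rel_path)
    dst_dir = os.path.dirname(dst)
    archive = os.path.join(dst_dir, "archive")
    os.makedirs(archive, exist_ok=True)
    stem = os.path.splitext(os.path.basename(dst))[0]  # "index"
    archived = []
    for name in sorted(os.listdir(dst_dir)):
        # Stale .pyc files must go too, or the old bytecode may keep being served.
        if name == os.path.basename(dst) or (name.startswith(stem) and name.endswith(".pyc")):
            moved = os.path.join(archive, name)
            shutil.move(os.path.join(dst_dir, name), moved)
            archived.append(moved)
    shutil.copy2(src, dst)  # copy2 keeps the mode bits of the patched file
    return archived, dst


def bypass_urls_from_log(log_text):
    """Equivalent of: grep '\\[crit\\] rjt' error.log | grep http, returning the URLs
    found on those lines so they can be pasted into a test browser."""
    urls = []
    for line in log_text.splitlines():
        if "[crit] rjt" in line:
            urls.extend(re.findall(r"https?://\S+", line))
    return urls


# Constructed sample; the real message text of the patched handler's log lines differs.
SAMPLE_LOG = """\
[Thu Oct 09 10:15:02 2014] [notice] Apache/2.2.22 (Debian) configured -- resuming normal operations
[Thu Oct 09 10:16:11 2014] [crit] rjt: plain-http login form requested http://MyUntangleFirewall.com/auth/login?url=/setup/welcome.do&realm=Administrator
[Thu Oct 09 10:16:12 2014] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""


def run_demo():
    """Dry run against a throwaway directory tree so nothing on a real gateway is touched."""
    tmp = tempfile.mkdtemp()
    try:
        repo = os.path.join(tmp, "repo")
        root = os.path.join(tmp, "root")
        for base in (repo, root):
            os.makedirs(os.path.join(base, os.path.dirname(AUTH_REL_PATH)))
        with open(os.path.join(repo, AUTH_REL_PATH), "w") as f:
            f.write("# patched handler placeholder\n")
        with open(os.path.join(root, AUTH_REL_PATH), "w") as f:
            f.write("# stock handler placeholder\n")
        with open(os.path.join(root, AUTH_REL_PATH) + "c", "wb") as f:
            f.write(b"\x00stale bytecode")
        archived, installed = backup_and_install(repo, root)
        with open(installed) as f:
            installed_text = f.read()
        return {
            "archived": [os.path.relpath(p, root) for p in archived],
            "installed_text": installed_text,
            "urls": bypass_urls_from_log(SAMPLE_LOG),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Real install: python install_patch.py <repo_checkout> [--no-restart]
        archived, installed = backup_and_install(sys.argv[1])
        print("archived:", *archived, sep="\n  ")
        print("installed:", installed)
        if "--no-restart" not in sys.argv:
            subprocess.call(RESTART_CMD)
    else:
        print(run_demo())
```

The archive step is what makes the change reversible: copying `archive/index.py` back and restarting Apache undoes the patch, and moving the `.pyc` aside guarantees the interpreter cannot keep executing the old compiled handler.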

These "patches" add some defense in depth; they are a hack to force https://.

The directory structure is deep, but there are only a few files.

pushd to this directory and enter `find .`, which will point you to index.py. Now that the tree is under source control the .git files show up too, so filter them out:

```
find . | grep -v '^\./\.'   # drop ./.git and anything else under a dot-directory
```

We further noticed that in at least a few places, when untangle checks for "localhost", it does not consider IPv6: it matches against '127.' but not '::1'. uvmlogin.py begins to draw attention to industry-wide localhost problems.
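The two checks this README is about, the https gate in front of the login page and the localhost test, as an added example written for this page (not code from the rjt/untangle repository, whose handler is Python 2.6 mod_python; this is Python 3). The weak loopback test is shown beside a corrected one, and the redirect logic is shown with the `url=` parameter from the reproduction URL above carried through. The request dict shape, the function names and the HSTS lifetime are assumptions for illustration.

```python
"""Loopback detection and https enforcement for a login handler (added example)."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def is_localhost_naive(remote_addr):
    """The kind of check the README criticises: IPv4 loopback only, so ::1 is missed."""
    return remote_addr.startswith("127.")


def is_localhost(remote_addr):
    """Loopback test that also accepts ::1, IPv4-mapped ::ffff:127.x.x.x and
    addresses carrying a zone id such as ::1%lo. Non-address strings are not local."""
    try:
        ip = ipaddress.ip_address(remote_addr.split("%", 1)[0])
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 the same as 127.0.0.1
    return ip.is_loopback  # 127.0.0.0/8 for v4, ::1 for v6


def https_redirect_target(scheme, host_header, request_uri, https_port=443):
    """Return None when the request already arrived over https; otherwise the https
    URL the client must be sent to before any login form is rendered. The url=
    query parameter is the post-login destination and is carried over untouched."""
    if scheme == "https":
        return None
    # Strip any explicit port from the Host header; keep IPv6 literals bracketed.
    if host_header.startswith("["):
        hostname = host_header[: host_header.index("]") + 1]
    else:
        hostname = host_header.split(":", 1)[0]
    if https_port != 443:
        hostname = "%s:%d" % (hostname, https_port)
    parts = urlsplit(request_uri)
    return urlunsplit(("https", hostname, parts.path, parts.query, ""))


def handle_login(request):
    """Gate in front of the login page. `request` is a dict with 'scheme', 'host',
    'uri' and 'method' (an assumed shape, not mod_python's request object).
    Returns (status, headers); the form itself is only served on the 200 path."""
    target = https_redirect_target(request["scheme"], request["host"], request["uri"])
    if target is not None:
        if request["method"] == "POST":
            # Credentials in a plain-http POST are already on the wire; do not
            # process them, and do not forward the body to https either.
            return 403, {"Content-Type": "text/plain"}
        return 302, {"Location": target}
    # Once a browser has seen this header it will not try plain http again,
    # which is what closes the bookmarked-http-URL hole for returning users.
    return 200, {"Strict-Transport-Security": "max-age=31536000"}
```

The redirect alone only protects a GET for the form; a client that already POSTed credentials over http has leaked them before the handler runs, so the POST branch refuses rather than silently redirecting, and HSTS on the https response keeps a browser from repeating the plain-http bookmark.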

If you have questions on what to do with these files, probably the best way to reach me is to file an issue at https://github.com/rjt/untangle/issues/ .

Robert Townley rob.townley+untangle@gmail.com

============= List of folders and files:

.
./usr
./usr/share
./usr/share/untangle
./usr/share/untangle/mod_python
./usr/share/untangle/mod_python/auth
./usr/share/untangle/mod_python/auth/index.py  #This file forces https.
./usr/share/untangle/mod_python/auth/index.py-original
./usr/lib
./usr/lib/python2.6
./usr/lib/python2.6/uvmlogin.py  #This file starts to check for IPv6 localhost.
./ReadMeUntanglePatches.md
./findUntangleFiles.sh
./LICENSE
./README.md

Security, IPv6, localhost, http, https, SSL, redirect, PasswordsInTheClear, RoughestOfPatches.


License:GNU General Public License v2.0

