[jitsi-dev] HTTP provisioning bug


#1

Hi,

It seems to me there is a bug in HTTP provisioning. I enabled it by
entering the following URI into Manual Provisioning URI field:

http://192.168.1.51/index.php?username=${username}&password=${password}

index.php always returns 401 Unauthorized:

<?php
header('HTTP/1.0 401 Unauthorized');
echo "Access denied";
?>

Now when I start Jitsi it prompts for a username and password and when
I click "OK" it POSTs to the web server which returns 401 response.
Jitsi, instead of showing a message like "Incorrect username and/or
password. Please try again.", launches a "DoS attack" against a web server
and starts an infinite loop with empty POST requests.

Please see HTTP trace log here: http://pastebin.com/EGtR2UcJ

The same happens if "Cancel" button is pressed.

Regards,
Chris
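An added example, written for this thread and not taken from Jitsi: a model of the provisioning login loop in which a 401 re-prompts the user a bounded number of times, Cancel aborts, and an empty form is never POSTed, so the request count stays bounded. The cap MAX_ATTEMPTS, the exception names, the always_401 stand-in for the index.php above and the run_scenario driver are all assumptions made for the example.

```python
import logging

MAX_ATTEMPTS = 3   # assumed cap; the client in the thread had none and looped forever
log = logging.getLogger("provisioning")

class ProvisioningCancelled(Exception):
    """The user pressed Cancel: stop, do not retry."""

class ProvisioningFailed(Exception):
    """The server kept answering 401 (or something unexpected): give up."""

def always_401(username, password):
    """Constructed stand-in for the index.php in the thread: every POST gets 401."""
    return 401, "Access denied"

def provision(post, prompt, max_attempts=MAX_ATTEMPTS):
    """Login loop. post(user, pw) -> (status, body); prompt() -> (user, pw) or
    None on Cancel. Returns the provisioning body on a 2xx response."""
    for attempt in range(1, max_attempts + 1):
        creds = prompt()
        if creds is None:
            raise ProvisioningCancelled()
        username, password = creds
        if not username or not password:
            log.info("empty credentials, not sending a POST (attempt %d)", attempt)
            continue          # re-prompt; never POST an empty form
        status, body = post(username, password)
        if 200 <= status < 300:
            return body
        if status != 401:
            raise ProvisioningFailed(f"unexpected HTTP status {status}")
        log.warning("credentials rejected by provisioning server (%d/%d)", attempt, max_attempts)
    raise ProvisioningFailed(f"gave up after {max_attempts} attempts")

def run_scenario(answers, post=always_401, max_attempts=MAX_ATTEMPTS):
    """Drive provision() with scripted prompt answers; returns (outcome, posts_sent)
    so the request count can be checked, which is what the bug report is about."""
    sent = []
    def counted(u, p):
        sent.append((u, p))
        return post(u, p)
    it = iter(answers)
    try:
        provision(counted, lambda: next(it), max_attempts)
        return "ok", len(sent)
    except ProvisioningCancelled:
        return "cancelled", len(sent)
    except ProvisioningFailed:
        return "failed", len(sent)
```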


#2

Hey

I took a quick look and this seems to be a non-trivial bug introduced with the HttpUtils in April.

Basically the Provisioning-Service doesn't use standard HTTP-Basic-Auth but posts the username/password as form fields. This causes the standard auth handling of HttpUtils to fail.

My recommendation would be to change the Provisioning-Service to use standard HTTP-Basic-Auth instead of "posting" the login data. This would be more in line with normal http requests anyway, because currently we're posting login data even if we're not asked for them.

Seb, you recently worked on the Provisioning-Service: What do you think? (and of course all others too).

Regards,
Ingo

-----Original Message-----
From: chris@wima.co.uk [mailto:chris@wima.co.uk]
Sent: Saturday, 11 June 2011 11:19
To: dev@jitsi.java.net
Subject: [jitsi-dev] HTTP provisioning bug


#3

On 12.06.11 15:14, Bauersachs Ingo wrote:

I took a quick look and this seems to be a non-trivial bug introduced
with the HttpUtils in April.

Basically the Provisioning-Service doesn't use standard
HTTP-Basic-Auth but posts the username/password as form fields. This
causes the standard auth handling of HttpUtils to fail.

Unless I am misunderstanding, that behaviour was in the provisioning
service from the very start.

My recommendation would be to change the Provisioning-Service to use
standard HTTP-Basic-Auth instead of "posting" the login data. This
would be more in line with normal http requests anyway, because
currently we're posting login data even if we're not asked for them.

We don't need to change the Provisioning Service in order to have that.
We only send the user name and the password in the post request if they
are part of the provisioning URI entered by the user. Apparently, this
is required by some provisioning systems which is why we included it.

This doesn't explain the problem described by Chris though. Chris, could
you please open an issue? We'll have a look.

Cheers,
Emil


--
Emil Ivov, Ph.D.
Project Lead, Jitsi
emcho@jitsi.org
http://jitsi.org
67000 Strasbourg, France
PHONE: +33.1.77.62.43.30
FAX: +33.1.77.62.47.31


#4

Hi,

The bug report is now available at: http://java.net/jira/browse/JITSI-954

Regards,
Chris

On 12 June 2011 17:49, Emil Ivov <emcho@jitsi.org> wrote:


#5

Hi,

build.3553 addresses this issue. Can you try whether it is fixed for you?

Thanks
damencho

On Wed, Jun 15, 2011 at 10:35 AM, Chris Maciejewski <chris@wima.co.uk> wrote:


#6

Hi,

Thanks. I can confirm the POST authentication behaviour is as
expected. When invalid or no credentials are submitted, Jitsi will
display login window again.

... however I have the following question. How do I create a new SIP
account via Manual HTTP provisioning? Let's say I start Jitsi with no
SIP account configured, and my server returns:

provisioning.ALLOW_PREFIX=net.java
net.java.sip.communicator.impl.sip.ACCOUNT_UID=SIP\:user@sip.local
net.java.sip.communicator.impl.sip.DISPLAY_NAME=John Smith
net.java.sip.communicator.impl.sip.PASSWORD=secret
net.java.sip.communicator.impl.sip.SERVER_ADDRESS=sip.local
net.java.sip.communicator.impl.sip.USER_ID=user@sip.local

I would expect Jitsi to automatically create a SIP account using the
above details, but nothing happens.

Any suggestions very much appreciated.

Regards,
Chris

On 20 June 2011 17:56, Damian Minkov <damencho@sip-communicator.org> wrote:


#7

Hey

... however I have the following question. How do I create a new SIP
account via Manual HTTP provisioning? Let's say I start Jitsi with no
SIP account configured, and my server returns:

provisioning.ALLOW_PREFIX=net.java
net.java.sip.communicator.impl.sip.ACCOUNT_UID=SIP\:user@sip.local
net.java.sip.communicator.impl.sip.DISPLAY_NAME=John Smith
net.java.sip.communicator.impl.sip.PASSWORD=secret
net.java.sip.communicator.impl.sip.SERVER_ADDRESS=sip.local
net.java.sip.communicator.impl.sip.USER_ID=user@sip.local

I would expect Jitsi to automatically create a SIP account using the
above details, but nothing happens.

You need to return the full account details. Take a look at the local config file when you created an account manually.

Something along these lines:

net.java.sip.communicator.impl.protocol.sip.acc1305126007137=acc1305126007137
net.java.sip.communicator.impl.protocol.sip.acc1305126007137.ACCOUNT_ICON_PATH=...

(The acc1305126007137 part is created at random when you create a new account, it can be the same on all computers)

Regards,
Ingo
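An added example, written for this thread and not Jitsi code: it parses a provisioning response in the properties form shown above and reports what Ingo's answer asks for, namely that every key falls under provisioning.ALLOW_PREFIX, that SIP account keys hang off an acc<id> segment, and that the marker line ...sip.acc<id>=acc<id> is present. The key layout is copied from Ingo's sample; the regex, the REQUIRED set and both sample responses are assumptions constructed for the example.

```python
import re
ACCOUNT_RE = re.compile(                       # key layout from Ingo's reply
    r"^net\.java\.sip\.communicator\.impl\.protocol\.sip\.(?P<acc>acc\d+)(?:\.(?P<prop>[A-Z_]+))?$")
REQUIRED = {"ACCOUNT_UID", "USER_ID", "SERVER_ADDRESS"}   # assumed minimum per account

# Constructed samples: Chris's flat keys, and the same account in Ingo's layout.
CHRIS_RESPONSE = r"""provisioning.ALLOW_PREFIX=net.java
net.java.sip.communicator.impl.sip.ACCOUNT_UID=SIP\:user@sip.local
net.java.sip.communicator.impl.sip.SERVER_ADDRESS=sip.local
net.java.sip.communicator.impl.sip.USER_ID=user@sip.local"""
FIXED_RESPONSE = r"""provisioning.ALLOW_PREFIX=net.java
net.java.sip.communicator.impl.protocol.sip.acc1305126007137=acc1305126007137
net.java.sip.communicator.impl.protocol.sip.acc1305126007137.ACCOUNT_UID=SIP\:user@sip.local
net.java.sip.communicator.impl.protocol.sip.acc1305126007137.USER_ID=user@sip.local
net.java.sip.communicator.impl.protocol.sip.acc1305126007137.SERVER_ADDRESS=sip.local"""

def parse_properties(text):
    # key=value lines; backslash-colon is the Java-properties escape for ':'
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def check_provisioning(text):
    # Returns a list of problems; an empty list means the account stanza is complete.
    props, problems, accounts = parse_properties(text), [], {}
    allow = props.get("provisioning.ALLOW_PREFIX")
    if allow is None:
        problems.append("missing provisioning.ALLOW_PREFIX")
    for key, value in props.items():
        if key.startswith("provisioning."):
            continue
        if allow and not key.startswith(allow):
            problems.append(f"{key} is outside ALLOW_PREFIX {allow}")
        m = ACCOUNT_RE.match(key)
        if m is None:  # Chris's flat keys land here: no acc<id> segment in the key
            problems.append(f"{key} is not under an account id (...protocol.sip.acc<id>.)")
            continue
        acc = accounts.setdefault(m.group("acc"), {"marker": False, "props": set()})
        if m.group("prop") is None:
            acc["marker"] = value == m.group("acc")   # the ...sip.accN=accN line
        else:
            acc["props"].add(m.group("prop"))
    for acc_id, info in accounts.items():
        if not info["marker"]:
            problems.append(f"{acc_id}: missing marker line ...sip.{acc_id}={acc_id}")
        for prop in sorted(REQUIRED - info["props"]):
            problems.append(f"{acc_id}: missing {prop}")
    return problems
```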


#8

Hey Ingo,

Thank you. Indeed when I added missing lines everything works as expected.

Regards,
Chris

On 20 June 2011 22:18, Bauersachs Ingo <ingo.bauersachs@fhnw.ch> wrote: