Announcement

  •  » Requests
  •  » [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

#1 2021-01-20 17:06:35

esbeeb
Member
2021-01-20
9

[resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

Hello,

I'm trying to understand why there are a bunch of .js files with ugly, random filenames getting automatically generated in my /_data/combined/

The js code inside them is heavily obfuscated, with all whitespace removed!  Is that really necessary?  Does that removal of whitespace speed up downloads by a whopping 1%?  Can this dodgy-looking mechanism be explained, please?  When I see so-called "data" (which ends up being **code**, not data) which is *not* in the database, that to me is a red flag, since I would expect all "data" to be in the *database*, not out in the filesystem.  If it's some sort of cache, then perhaps the folder name "_data" should be renamed "cache"?

This obfuscated javascript code looks like a hacker's delight - it looks to me like a very juicy opportunity to hide malicious code there, and since it's not human readable, nobody would notice.

Please, assure me that the strange goings-on inside /_data/combined/ are somehow actually valuable.

Even if this mechanism is somehow unavoidable, according to your rationale, oh Piwigo devs, then I submit for your consideration an opportunity to harden up the security, of the slightly random filenames you are using within /_data/combined/.  The filenames are 7 characters (not including .js extensions), being either numbers, or lowercase letters.  This amount of randomness in your filenames is very low "entropy" (which is to say, the security is "Poor"), when measured by a password-testing utility such as KeepassXC:

https://ebt.support/images/entropy_bad.png

If you were wanting instead an "Excellent" amount of entropy, then consider having 23-character filenames (not including .js extension):

https://ebt.support/images/entropy_good_all_lowercase.png

Note: you can get away with "Excellent" entropy in 18-character filenames, if you would be willing to use a mixture of upper and lowercase characters:

https://ebt.support/images/entropy_good.png



    Piwigo 11.0.0 Check for upgrade
    Operating system: Linux
    PHP: 7.4.3 (Show info) [2021-01-20 08:51:27]
    MySQL: 5.5.5-10.3.25-MariaDB-0ubuntu0.20.04.1 [2021-01-20 08:51:27]
    Graphics Library: GD 2.2.5


Piwigo URL: http://

Last edited by esbeeb (2021-01-20 17:11:50)

Offline

 

#2 2021-01-20 18:05:21

erAck
Only trying to help
2015-09-06
1414

Re: [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

There is no connection between random file names and password entropy. The combined .js files exist to cache code generated from templates, any random file name is as good as any other as long as they don't clash. There's also no "security" value involved. You're confusing things.


Running Piwigo at https://erack.net/gallery/

Offline

 

#3 2021-01-20 18:51:55

esbeeb
Member
2021-01-20
9

Re: [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

OK, thanks for setting me at ease.

Offline

 

#4 2021-01-21 07:38:59

nicolas
Former Piwigo Team
2004-12-30
1213

Re: [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

You're absolutly right, the _data directory is a cache. And you can change its name overriding it in local/config/config.inc.php file by adding :

Code:

$conf['data_location'] = 'cache/';  // or whatever filename you want

Offline

 
  •  » Requests
  •  » [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

Board footer

Powered by FluxBB

github twitter newsletter Donate Piwigo.org © 2002-2022 · Contact