hap's Issues

Booking System - Unauthorised

Hello,

I am trying to use the Booking System function of Home Access Plus+ for internal use. However, whenever a member of staff logs in the Unauthorised error page is always thrown.

I have ensured that Domain Users has been added to the grant access in web.config.

Is there a way of completely overriding/bypassing this granting of access in web.config?

Many thanks.

Azure AD

Is there any way / plans to make the user card work with Azure AD?

Rewrite to .Net MVC Core

Hi Nick,

Fantastic product.

How would you feel for me to start rewriting HAP to the MVC structure and also updating it to .NET Core allowing for it to be run on Linux servers?

I think if we can achieve this along with mobile-first CSS, this will be a one-stop shop for high schools and academies wanting home access (not that it already is).

What are your thoughts?

Thanks

10.6 upgrade core

Hi,

Having issues having done the core 10.6 upgrade: we have overwritten the files apart from the config, and the login is OK, but trying to open any network drive just hangs at loading.

Why is this the case?

Password Storage

HAP requires a valid username and password combination to connect to Active Directory so it can validate user logins and retrieve their files. Once the Administrator enters the password, it is encrypted and salted using AES encryption. This is not safe for multiple reasons, most notably the fact that the key and salt are publicly exposed in the Git repository. Anyone who has access to the passwords essentially has them in plain text. You can easily just reverse engineer the encryption. Example:

using System;
using System.Text;
using System.Security.Cryptography;
using System.IO;

public class Program {
    static private string _password = "";

    static private string _key = "";
    static private byte[] _salt = Encoding.ASCII.GetBytes("");

    public static void Main()
    {
      string plaintext = null;
      Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(Program._key, Program._salt);

      var aesAlg = new RijndaelManaged();
      aesAlg.Key = key.GetBytes(aesAlg.KeySize / 8);
      aesAlg.IV = key.GetBytes(aesAlg.BlockSize / 8);
      ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
      byte[] bytes = Convert.FromBase64String(Program._password);
      using (MemoryStream msDecrypt = new MemoryStream(bytes)) {
        using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read)) {
          using (StreamReader srDecrypt = new StreamReader(csDecrypt)) plaintext = srDecrypt.ReadToEnd();
        }
      }

      Console.WriteLine(plaintext);
    }
}
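The weakness described in this issue is that the decryption key and salt live in the source tree, so the stored password protects nothing. The following is an added example (not HAP's own code) of the alternative a defender would reach for on a Windows/IIS host: Windows DPAPI, where the key is held by the operating system and never appears in the repository or in web.config. The entropy string and sample password are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not HAP's own code. Instead of an AES key and salt compiled into
// the application (which anyone with the source can reuse), the service-account
// password is protected with the machine's DPAPI master key.
public static class ServiceAccountSecret
{
    // Optional entropy binds the blob to this application. It is not a secret
    // (it may live in source); without the host's DPAPI key it is useless.
    // Value constructed for this example.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("HAP-ServiceAccount-v1");

    // LocalMachine scope: any process on this host can unprotect the value, but a
    // copy of web.config, the repository or a backup reveals nothing usable elsewhere.
    // Use DataProtectionScope.CurrentUser, run under the app-pool identity, to
    // restrict decryption to that account only.
    public static string Protect(string password)
    {
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(password), Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string stored)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(stored), Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }
}

public static class Program
{
    public static void Main()
    {
        // Sample password, constructed for the example; store the returned
        // Base64 string in web.config in place of the AES-encrypted value.
        string stored = ServiceAccountSecret.Protect("example-password");
        Console.WriteLine(stored);
        Console.WriteLine(ServiceAccountSecret.Unprotect(stored) == "example-password");
    }
}
```

ProtectedData is Windows-only (System.Security.dll on .NET Framework; the System.Security.Cryptography.ProtectedData package on .NET Core), which matches HAP's current deployment but would need a different secret store for the Linux port discussed in the rewrite issue above.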

HTML Sanitisation

Anyone with permissions to create an announcement can write any JavaScript code in the announcement edit prompt and it will be served to anyone visiting the website. User cookies are protected by the HttpOnly header, so it can't steal those. However, it can still inject itself into things like the Reset Password section and/or redirect the user to something else malicious.

Demonstration: [image]

Offending code:

  [WebInvoke(UriTemplate = "Save", ResponseFormat=WebMessageFormat.Json, Method = "POST", BodyStyle = WebMessageBodyStyle.WrappedRequest)]
  public bool Save(string content, bool show)
  {
      XmlDocument doc = new XmlDocument();
      doc.Load(HttpContext.Current.Server.MapPath("~/App_Data/Announcement.xml"));
      XmlNode node = doc.SelectSingleNode("/announcement");
      node.Attributes[0].Value = show.ToString();
      node.InnerXml = string.Format("<![CDATA[ {0} ]]>", HttpUtility.UrlDecode(content, System.Text.Encoding.Default));
      doc.Save(HttpContext.Current.Server.MapPath("~/App_Data/Announcement.xml"));
      return true;
  }
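The handler above writes the announcement body into the XML file untouched, so whatever an editor types is later served to every visitor as live markup. Below is an added example (not HAP's own code) of the hardened shape: the body is HTML-encoded before it is stored, so a pasted script becomes inert text. The attribute name "show" and the in-memory sample document are assumptions made for the example; the original code addressed the attribute by index and loaded the file from App_Data.

```csharp
using System;
using System.Net;
using System.Xml;

// Added example, not HAP's own code. A hardened variant of the quoted Save
// handler: announcement text is HTML-encoded at the storage boundary.
public static class AnnouncementStore
{
    // Encoding is the right fix when announcements are plain text. If editors
    // genuinely need formatting, substitute an allow-list HTML sanitiser here;
    // storing raw markup and serving it as-is is what makes the page scriptable.
    public static string Sanitise(string content)
    {
        return WebUtility.HtmlEncode(content ?? string.Empty);
    }

    // Same shape as the original handler, operating on an already-loaded document.
    // Attribute name "show" is an assumption (original used Attributes[0]).
    public static void Save(XmlDocument doc, string content, bool show)
    {
        XmlElement node = doc.SelectSingleNode("/announcement") as XmlElement;
        if (node == null)
            throw new InvalidOperationException("announcement root element missing");

        node.SetAttribute("show", show.ToString());
        // InnerText is XML-escaped by the DOM on top of the HTML encoding, and
        // reading it back with InnerText undoes only the XML layer, so the value
        // the page receives is already safe to place inside HTML.
        node.InnerText = Sanitise(content);
    }

    public static string Load(XmlDocument doc)
    {
        XmlNode node = doc.SelectSingleNode("/announcement");
        return node == null ? string.Empty : node.InnerText;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample document and announcement text for the example.
        XmlDocument doc = new XmlDocument();
        doc.LoadXml("<announcement show=\"false\"></announcement>");

        AnnouncementStore.Save(doc, "<script>alert('x')</script>Welcome back", true);

        // The script tags come back as &lt;script&gt;... and render as text.
        Console.WriteLine(AnnouncementStore.Load(doc));
    }
}
```

Encoding at save time means every consumer of Announcement.xml gets the safe form; if other code paths already encode at render time, apply the encoding in exactly one place to avoid double-encoded output.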
