Hello,

I am trying to use the Booking System function of Home Access Plus+ for internal use. However, whenever a member of staff logs in the Unauthorised error page is always thrown.

I have ensured that Domain Users has been added to the grant access in web.config.

Is there a way of completely overriding/bypassing this granting of access in web.config?

Many thanks.

HAP requires a valid username and password combination to connect to Active Directory so it can validate user logins and retrieve their files. Once the Administrator enters the password it is encrypted and salted using AES encryption, this is not safe for multiple reasons, most notably the fact that the key and salt are publicly exposed in the Git repository. Anyone who has access to the passwords essentially has them in plain text. You can easily just reverse engineer encryption. example

using System;
using System.Text;
using System.Security.Cryptography;
using System.IO;

public class Program {
    static private string _password = "";

    static private string _key = "";
    static private byte[] _salt = Encoding.ASCII.GetBytes("");

    public static void Main()
    {
      string plaintext = null;
      Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(Program._key, Program._salt);

      var aesAlg = new RijndaelManaged();
      aesAlg.Key = key.GetBytes(aesAlg.KeySize / 8);
      aesAlg.IV = key.GetBytes(aesAlg.BlockSize / 8);
      ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
      byte[] bytes = Convert.FromBase64String(Program._password);
      using (MemoryStream msDecrypt = new MemoryStream(bytes)) {
        using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read)) {
          using (StreamReader srDecrypt = new StreamReader(csDecrypt)) plaintext = srDecrypt.ReadToEnd();
        }
      }

      Console.WriteLine(plaintext);
    }
}

Hi Nick,

Fantastic product.

How would you feel for me to start rewriting HAP to the MVC structure and also updating it to .NET Core allowing for it to be run on Linux servers?

I think if we can achieve this along with mobile first css, this will be a one stop shop for high schools and academes wanting home access (not that it already is).

What are your thoughts?

Thanks

skid

is there any way / plans to make the user card work with azure AD ?

Hi,

Having issues having done the core 10.6 upgrade, we have overwrite the files apart from the config and the login is ok but trying to opening the any network drive just hangs at loading.

What is this the case?

Hi,

Is it possible to implement SAML / Signal Sign On Support

Thanks

Anyone with permissions to create an announcement can write any Javascript code in the announcement edit prompt and it will be served to anyone visiting the website. User cookies are protected by the HttpOnly header, so it can't steal those. However, it can still inject itself into things like the Reset Password section and/or redirect the user to something else malicious.

Demonstration:

Offending code:

  [WebInvoke(UriTemplate = "Save", ResponseFormat=WebMessageFormat.Json, Method = "POST", BodyStyle = WebMessageBodyStyle.WrappedRequest)]
  public bool Save(string content, bool show)
  {
      XmlDocument doc = new XmlDocument();
      doc.Load(HttpContext.Current.Server.MapPath("~/App_Data/Announcement.xml"));
      XmlNode node = doc.SelectSingleNode("/announcement");
      node.Attributes[0].Value = show.ToString();
      node.InnerXml = string.Format("<![CDATA[ {0} ]]>", HttpUtility.UrlDecode(content, System.Text.Encoding.Default));
      doc.Save(HttpContext.Current.Server.MapPath("~/App_Data/Announcement.xml"));
      return true;
  }