huayan889 (uniGUI Subscriber, 99 posts)

Posts posted by huayan889

  1. 15 minutes ago, irigsoft said:

    I don't know the correct name of the Edit field for the username in the login form.

    I see in your SQL code you gave as an example that you use uniEdit1 to enter the username.

    In my code I use uniEditUser as my username (it does not have that name in your login form).

    So take the correct name from your login form and use it in this procedure to replace uniEditUser and uniEditPass with the correct component names.

    If your component name for the username is uniEdit1 and for the password is uniEdit2,

    this code will be correct:

    procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
    begin
      // Register the login edits (by JSName) for encryption in the application layer.
      // IndexOfName returns -1 when the name is absent, so test for < 0 (<= 0 would also
      // treat the first entry as missing and add it twice).
      if UniServerModule.ProtectDataList.IndexOfName(UniEdit1.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEdit1.Name + '=' + UniEdit1.JSName) // JSName of the user-name edit
      else
        UniServerModule.ProtectDataList.Values[UniEdit1.Name] := UniEdit1.JSName;

      if UniServerModule.ProtectDataList.IndexOfName(UniEdit2.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEdit2.Name + '=' + UniEdit2.JSName) // JSName of the password edit
      else
        UniServerModule.ProtectDataList.Values[UniEdit2.Name] := UniEdit2.JSName;
    end;


  2. 13 minutes ago, irigsoft said:

    Try to replace uniEditUser and uniEditPass in this procedure with the components for user and pass from the login form.


    procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
    begin
      // Register the login edits (by JSName) for encryption in the application layer.
      // IndexOfName returns -1 when the name is absent, so test for < 0, not <= 0.
      if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName) // JSName of the user-name edit
      else
        UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;

      if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName) // JSName of the password edit
      else
        UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
    end;

     

    In your SQL code you use UniEdit1 and UniEdit2:

    UniQuery1.Active := False;
    UniQuery1.SQL.Text := 'select * from ss_customer_info where (customer_id=' + chr(39) +
      UniEdit1.Text + chr(39) + ') and  (admin_id =' + chr(39) + UniEdit2.Text + chr(39) +
      ') and  (admin_pass=' + chr(39) + MD5(cl_decrypt(UniEdit2.Text)) + chr(39) + ')';
    UniQuery1.Open;

     

    UniQuery1.Active := False;
    UniQuery1.SQL.Text := 'select * from ss_users where (customer_id=' + chr(39) + UniEdit1.Text +
      chr(39) + ') and  (user_account =' + chr(39) + UniEditUser.Text + chr(39) +
      ') and  (user_pass=' + chr(39) + MD5(cl_decrypt(UniEditPass.Text)) + chr(39) + ')'; // .Text, not the component itself
    UniQuery1.Open;

  3. 4 minutes ago, irigsoft said:

    Hi, I see that in your code you use UniEditUser for the username, but that is not right in the LoginForm.

    Maybe you must replace UniEditUser with the correct component.

    I made a test with an empty uniGUI project and just added these uniEdit fields: UniEditUser and UniEditPass; they are not the user name and password from the LoginForm.

    This is a possible reason!

    OK, I'll revise and test

  4. 1 hour ago, irigsoft said:

    Yes, that's all and it's right.

    If there is no effect, it may be better for @Sherzod or another member of the uniGUI team to help with this.
    I can see in the Google Chrome console the file in which the function for filling in the values is performed, and maybe something needs to be changed in that file.

    Thanks

  5. LoginForm:

    procedure TUniLoginFrm.UniLoginFormReady(Sender: TObject);
    begin
      // Register the login edits (by JSName) for encryption in the application layer.
      // IndexOfName returns -1 when the name is absent, so test for < 0, not <= 0.
      if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName) // JSName of the user-name edit
      else
        UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;

      if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName) // JSName of the password edit
      else
        UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
    end;


    UniMainModule:

    procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
    var
      fpName, fpValue, fpCompName: string;
      I, J: Integer;
      sAjaxValues: TStringList;
      Request: TIdHTTPRequestInfo; // IdCustomHTTPServer; HTTPEncode needs HTTPApp, URIDecode uniGUIJSUtils
    begin
      // Here the request is reached through the session (ARequestInfo in the ServerModule variant)
      Request := TUniGUISession(ASession).ARequest;

      // Only for requests that carry "_fp_" (form params) and only if something is registered
      if (Pos('_fp_', Request.UnparsedParams) > 0) and
         (UniServerModule.ProtectDataList.Count > 0) then
      begin
        sAjaxValues := TStringList.Create; // all name=value pairs of the request
        try
          sAjaxValues.Delimiter := '&';
          sAjaxValues.StrictDelimiter := True;
          sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(Request.UnparsedParams);
          try
            if sAjaxValues.IndexOfName('_fp_') >= 0 then // IndexOfName is -1 when absent
            begin
              for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
              begin
                fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // JSName of the component
                fpName := sAjaxValues.Values[fpCompName];                         // data submitted for it
                fpValue := '';
                if fpName <> '' then
                begin
                  // Walk backwards: the value is everything after the last "%02" marker
                  for I := Length(fpName) downto 1 do
                  begin
                    case fpName[I] of
                      '%':
                        begin
                          Delete(fpValue, 1, 2); // drop the "02" that followed the '%'
                          Break;
                        end
                    else
                      fpValue := fpName[I] + fpValue;
                    end;
                  end; // for I
                  // Replace the value; '123' is a placeholder for e.g. MD5(fpValue)
                  sAjaxValues.Values[fpCompName] :=
                    StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);

                  Request.Params.Values['_fp_'] :=
                    '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
                  sAjaxValues.Values['_fp_'] :=
                    HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
                  sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));

                  Request.UnparsedParams := sAjaxValues.DelimitedText;
                  Request.FormParams := sAjaxValues.DelimitedText;
                end; // if
              end; // for J
            end; // if
          except
            // swallowed deliberately, as in the original: a malformed request must not abort the handler
          end;
        finally
          sAjaxValues.Free; // freed on every path, not only when no exception occurred
        end;
      end;
    end;

     

    UniServerModule:

      public
        { Public declarations }
        ProtectDataList: TStringList; // shared by every session: Name=JSName of the edits to protect
      end;

    procedure TUniServerModule.UniGUIServerModuleBeforeInit(Sender: TObject);
    begin
      ProtectDataList := TStringList.Create;
    end;

    procedure TUniServerModule.UniGUIServerModuleBeforeShutdown(Sender: TObject);
    begin
      ProtectDataList.Free; // Free disposes of the items too; a separate Clear is not needed
    end;

  6. 1 hour ago, irigsoft said:

    Please try another manner:

    We will use TUniMainModule.UniGUIMainModuleHandleRequest.

    procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
    var
      fpName, fpValue, fpCompName: string;
      I, J: Integer;
      sAjaxValues: TStringList;
      Request: TIdHTTPRequestInfo; // IdCustomHTTPServer; HTTPEncode needs HTTPApp, URIDecode uniGUIJSUtils
    begin
      // Replace ARequestInfo with TUniGUISession(ASession).ARequest
      Request := TUniGUISession(ASession).ARequest;

      // Only for requests that carry "_fp_" (form params) and only if something is registered
      if (Pos('_fp_', Request.UnparsedParams) > 0) and
         (UniServerModule.ProtectDataList.Count > 0) then
      begin
        sAjaxValues := TStringList.Create; // all name=value pairs of the request
        try
          sAjaxValues.Delimiter := '&';
          sAjaxValues.StrictDelimiter := True;
          sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(Request.UnparsedParams);
          try
            if sAjaxValues.IndexOfName('_fp_') >= 0 then // IndexOfName is -1 when absent
            begin
              for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
              begin
                fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // JSName of the component
                fpName := sAjaxValues.Values[fpCompName];                         // data submitted for it
                fpValue := '';
                if fpName <> '' then
                begin
                  // Walk backwards: the value is everything after the last "%02" marker
                  for I := Length(fpName) downto 1 do
                  begin
                    case fpName[I] of
                      '%':
                        begin
                          Delete(fpValue, 1, 2); // drop the "02" that followed the '%'
                          Break;
                        end
                    else
                      fpValue := fpName[I] + fpValue;
                    end;
                  end; // for I
                  // Replace the value; '123' is a placeholder for e.g. MD5(fpValue)
                  sAjaxValues.Values[fpCompName] :=
                    StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);

                  Request.Params.Values['_fp_'] :=
                    '&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)];
                  sAjaxValues.Values['_fp_'] :=
                    HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
                  sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));

                  Request.UnparsedParams := sAjaxValues.DelimitedText;
                  Request.FormParams := sAjaxValues.DelimitedText;
                end; // if
              end; // for J
            end; // if
          except
            // swallowed deliberately, as in the original: a malformed request must not abort the handler
          end;
        finally
          sAjaxValues.Free; // freed on every path, not only when no exception occurred
        end;
      end;
    end;


    I tested these two functions in the Google Chrome console and made a memory snapshot.

    When I use UniGUIServerModuleHTTPCommand, the console shows me the test value as submittedValue.

    When I use UniGUIMainModuleHandleRequest, the console shows me the test value as lastValue.

    So there are some differences, and maybe the last function will give you the solution.

     

    Ran it: fpCompName = ''


  7. 7 hours ago, irigsoft said:

    So, the resolution is this:

    uses HTTPApp; // for HTTPEncode

    procedure TUniServerModule.UniGUIServerModuleBeforeInit(Sender: TObject);
    begin
      // Create the list of elements whose data is to be encrypted
      ProtectDataList := TStringList.Create;

      // We can load all the names from a settings file
      ProtectDataList.LoadFromFile('file with names of elements');
    end;

     

    procedure TForm_General.UniFormReady(Sender: TObject);
    begin
      // Register the edits (by JSName) for encryption in the application layer.
      // IndexOfName returns -1 when the name is absent, so test for < 0, not <= 0.
      if UniServerModule.ProtectDataList.IndexOfName(UniEditUser.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEditUser.Name + '=' + UniEditUser.JSName) // JSName of the user-name edit
      else
        UniServerModule.ProtectDataList.Values[UniEditUser.Name] := UniEditUser.JSName;

      if UniServerModule.ProtectDataList.IndexOfName(UniEditPass.Name) < 0 then
        UniServerModule.ProtectDataList.Add(UniEditPass.Name + '=' + UniEditPass.JSName) // JSName of the password edit
      else
        UniServerModule.ProtectDataList.Values[UniEditPass.Name] := UniEditPass.JSName;
    end;

     

    procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
      var Handled: Boolean);
    var
      fpName, fpValue, fpCompName: string;
      sAjaxValues: TStringList;
      I, J: Integer;
    begin
      // If the request carries "_fp_" (form params) data, rewrite the registered fields inside it
      if (Pos('_fp_', ARequestInfo.UnparsedParams) > 0) and
         (UniServerModule.ProtectDataList.Count > 0) then
      begin
        sAjaxValues := TStringList.Create; // list of all name=value pairs in the request
        try
          sAjaxValues.Delimiter := '&';
          sAjaxValues.StrictDelimiter := True;
          sAjaxValues.DelimitedText := uniGUIJSUtils.URIDecode(ARequestInfo.UnparsedParams); // decode the URL data
          try
            if sAjaxValues.IndexOfName('_fp_') >= 0 then // IndexOfName is -1 when absent
            begin
              // For each component whose data we want to encrypt
              for J := 0 to UniServerModule.ProtectDataList.Count - 1 do
              begin
                fpCompName := UniServerModule.ProtectDataList.ValueFromIndex[J]; // JSName of the component in the request
                fpName := sAjaxValues.Values[fpCompName];                         // data submitted for that JSName
                fpValue := '';
                if fpName <> '' then
                begin
                  // Walk backwards: the value is everything after the last "%02" marker
                  for I := Length(fpName) downto 1 do
                  begin
                    case fpName[I] of
                      '%':
                        begin
                          Delete(fpValue, 1, 2); // the two characters after '%' were always "02": drop them
                          Break;
                        end
                    else
                      fpValue := fpName[I] + fpValue;
                    end;
                  end; // for I
                  // Replace the component's value; '123' is a placeholder and can be replaced with MD5(fpValue)
                  sAjaxValues.Values[fpCompName] :=
                    StringReplace(sAjaxValues.Values[fpCompName], fpValue, '123', []);
                  // URL-encode the rewritten pair back into '_fp_'
                  sAjaxValues.Values['_fp_'] :=
                    HTTPEncode('&' + sAjaxValues[sAjaxValues.IndexOfName(fpCompName)]);
                  sAjaxValues.Delete(sAjaxValues.IndexOfName(fpCompName));

                  ARequestInfo.UnparsedParams := sAjaxValues.DelimitedText; // set the new values
                end; // if
              end; // for J
            end; // if
          except
            // swallowed deliberately, as in the original: a malformed request must not abort the command
          end;
        finally
          sAjaxValues.Free; // freed on every path, not only when no exception occurred
        end;
      end;
    end;

     

    This will replace the values of uniEditUser and uniEditPass in the request with '123'.

    Please send me feedback with the third-party test results.

    I just let the third-party company test it; the result is the same.
    This problem can only be solved by encrypting the information from the browser.

  8. 17 hours ago, irigsoft said:

    Would you test the code I will send you? If possible, with feedback from the read data.

    I need some time to find a way to protect the application layer and return the code to you.
    If you know of a method that can be applied to protect the layer, I would be happy to share it and find a solution together.

    I'm not on the uniGUI team!

    I can test the code you send: 315795176& qq.com (replace & with @).

  9. HTTPS encrypts business data at the transport layer. Our packet capture is application-layer data, that is, local data. When we process the account password, it has not yet reached the transport layer. So adding a certificate can't solve the problem of the account password being transmitted in plaintext.

  10. It is a security problem detected by a third party. The code is very simple:

    procedure TUniLoginFrm.LoginButClick(Sender: TObject);
    begin
      ...
      UniQuery1.Active := False;
      // The edit contents are concatenated into the SQL text; bind them as query parameters instead
      UniQuery1.SQL.Text := 'select * from ss_customer_info where (customer_id=' + chr(39) +
        UniEdit1.Text + chr(39) + ') and  (admin_id =' + chr(39) + UniEdit2.Text + chr(39) +
        ') and  (admin_pass=' + chr(39) + MD5(cl_decrypt(UniEdit2.Text)) + chr(39) + ')';
      UniQuery1.Open;
      .....
    end;
