WordPress.org

Forums

Secure XML-RPC
[resolved] Confusion about calculating the Authorization header (14 posts)

  1. benjib0t
    Member
    Posted 1 year ago #

    Hello,
    First off, thanks for the making this plugin! I am trying to extend the python wordpress-xmlrpc library to work with your plugin. I think all I need to do is compute and encode the header and pass it along to the server, but when I do so, I get an error that says username and password are invalid.

    wordpress_xmlrpc.exceptions.InvalidCredentialsError: Incorrect username or password.

    This is the bit of python code that sends out the header:

    23   def send_request(self, connection, handler, request_body):
     24       pk_hash = ba.hexlify(b64.b64encode(hl.sha256(self.private_key+request_body).hexdigest()))
     25       auth_header = self.public_key+'||'+pk_hash
     26       if (self.accept_gzip_encoding and gzip):
     27           connection.putrequest("POST", handler, skip_accept_encoding=True)
     28           connection.putheader("Accept-Encoding", "gzip")
     29           connection.putheader("Authorization",auth_header)
     30       else:
     31           connection.putrequest("POST", handler)
     32           connection.putheader("Authorization",auth_header)
     33

    I am not 100% sure I am computing the header correctly - I notice in the example you provide the Authorization header is entirely in hex - the second half is not in the base64 alphabet (as it is in my code)

    The header I compute for your example:

    req_body= \
    '''<methodCall>
      <methodName>wp.getPosts</methodName>
      <params>
        <param>
          <value><i4>1</i4></value>
        </param>
        <param>
          <value><string></string></value>
        </param>
    </methodCall>'''
    req_body= '<?xml version="1.0?>'  + ''.join(req_body.split())
    private_key = '7647a19f5bf3e9fd001419900ad48a54'
    public_key = 'b730db0864b0d4453ba6a26ad6613cd4'
    hdr = public_key + '||' + b64.standard_b64encode(hl.sha256(private_key + req_body).hexdigest())
    print hdr

    gives me

    b730db0864b0d4453ba6a26ad6613cd4||MGE0MDBlYWQ5YTZlMDQzOTJjYTE2MTY4ODgyY2I4MGI2NTU0YTAxMDZmMDI1NTYxY2U2NmVkOGViNzU0ZWYzZQ==

    in constrast to your example which is

    b730db0864b0d4453ba6a26ad6613cd4||f0b73fddf91b2358bc28faa745c8c25d3b0d9a36f5456e8181154c54874d81e5

    Thanks for any help!

    http://wordpress.org/plugins/secure-xml-rpc/

  2. upeuker
    Member
    Posted 1 year ago #

    Do you have a solution?

    Thx
    Uwe

  3. benjib0t
    Member
    Posted 1 year ago #

    No, I never did find a solution. I dug around in the source, and found that the plugin itself computed sha256(private_key + content), not b64(sha256(...)), and stopped there. It seems like this plugin doesn't quite work as described, but maybe others have had better luck.

    To get arouund using this plugin, I my python script that prompts for a password for every post. If you're interested, it's here: https://github.com/benjaminaschultz/pypress

  4. upeuker
    Member
    Posted 1 year ago #

    Thx for the information.
    I will take a look on your script-

  5. skreutzer
    Member
    Posted 9 months ago #

    Yes, only the Base64 encoding is missing when calculating the hash for authentication on the server side – I filed a pull request for it, but one could also fix this manually by calling the base64_encode() function of PHP. The other option is (which should work with the current 0.1.0 version of the plugin), if you hash with sha256 on client side only, omitting at least b64.b64encode()/b64.standard_b64encode in your Python script. Please note that Base64 encoding doesn't add anything to security, it's there to have a uniform way for data handling, maybe to prevent that the HTTP header gets malformed. Prompting for the password, not storing it anywhere, doesn't help in any way, since the Secure XML-RPC plugin fixes the problem that the password gets transmitted over the network in plain text. If the password (or private key) gets or doesn't get stored locally, is a question completely unrelated to Secure XML-RPC.

  6. Eric Mann
    Member
    Plugin Author

    Posted 9 months ago #

    You're misunderstanding how the code works.

    A sha256 hash is a stream of bits that isn't printable. By default, PHP's sha256 function also base64 encodes the output. I included the reference to base64 in the documentation because people trying to implement the headers in other code systems were attempting to send an unencoded hash.

  7. skreutzer
    Member
    Posted 9 months ago #

    I don't think that hash() does Base64 encoding, because $raw_output = false results in a hex string only (0-9, a-f/A-F), while Base64 uses much more characters (A-Z, a-z, 0-9, +, /, =) to represent values.

  8. skreutzer
    Member
    Posted 9 months ago #

    @benjib0t, it seems your code example is missing the closing " at the version attribute in '<?xml version="1.0?>'.

  9. meira
    Member
    Posted 8 months ago #

    The "Authorization:" header never reach my host. Maybe it is forbidden for security reasons.

    So, I send a "WWW-Authorization:" header, wich appear as $_SERVER['HTTP_WWW_AUTHORIZATION']. I had to change lines 208 and 212 in script "/secure-xml-rpc/includes/XMLRPCS_Profile.php" to accept this header.

  10. skreutzer
    Member
    Posted 8 months ago #

    Have you tried what I suggested here as addition to the “Installation” chapter of the readme file (adjusting httpd.conf or local .htaccess)?

  11. meira
    Member
    Posted 8 months ago #

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    in .htaccess works like a charm! THX!

  12. meira
    Member
    Posted 8 months ago #

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    in .htaccess works like a charm! THX!

  13. Eric Mann
    Member
    Plugin Author

    Posted 7 months ago #

    I would be VERY Careful using that kind of a rule. That rule is setting an environment variable with the data from the Authorization header - which is exactly the flaw Shellshock exposed with User Agent strings (some systems were setting environment variables for HTTP_USER_AGENT the same way).

  14. skreutzer
    Member
    Posted 7 months ago #

    So what's the better solution then? The plugin is quite useless if the Authorization header isn't available to PHP because of server configuration...

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Secure XML-RPC
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic