PacketFence - BTS - PacketFence
View Issue Details
ID: 0001708
Project: PacketFence
Category: captive portal
View Status: public
Date Submitted: 2013-09-12 04:56
Last Update: 2013-09-12 17:22
Reporter: sinusoidal
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 3.6.1
0001708: SMS messages sent to incorrect person
I mentioned an issue a while back in packetfence-users regarding receiving duplicate texts or incorrect users receiving texts.
http://www.mail-archive.com/packetfence-users@lists.sourceforge.net/msg04361.html

It turns out that this is due to the hashing method being used in PacketFence, which is causing SMS duplicates. Please see the blurb below, from another mailing list member who contacted me regarding my post, explaining the process and why this occurs. I too have followed the below and have stopped receiving duplicates. I imagine the problem will only come to the foreground in large deployments, where duplicates are more likely due to the number of registrants in the database. I'm not aware yet of whether this is fixed in 4.x, but I guess there is a good chance it isn't, so I think it's worth me creating a bug report.


==== snip =====

A quick update for you. I dug through my log messages (since I received
a duplicate SMS today) and believe I have figured out what is happening.

In the sms_activation.pm file within PacketFence
(lib/pf/sms_activation.pm), it goes through a process when a new user
registers via SMS.

It appears that the user's phone number, MAC address, current time, and
expiration time are MD5-hashed, then converted to decimal, and then the
first 4 digits are taken as the PIN. The PIN is stored in the pf MySQL
table sms_activation. There is no checking for duplicate PINs when it
is placed in the database, and no method of checking the uniqueness of
the PIN.

When the PIN is returned back to the sms_activation_create_send
subroutine, the PIN is sent to the send_sms subroutine, where the user's
phone number is looked up in MySQL from the PIN that is given. Since
there is no duplicate PIN checking, the database returns the first valid
phone number when it finds the PIN, which can be different from the
phone number submitted. This is where the "duplicate" PIN messages are
coming from: a new registering user does not receive an SMS message, but
someone else does.

So, I'm going to be doing a few things to mitigate this. First off,
I've set my PIN expiration to be very small (1 hour instead of the
default super-large value of 31 days - top of sms_activation.pm), set
the PIN to be 6 digits instead of 4 (sms_activation.pm
_generate_activation_code subroutine), and am cleaning PINs older than 1
week out of the database directly using the following SQL command:

DELETE FROM `sms_activation` WHERE `expiration` <= DATE_SUB( NOW( ) ,
INTERVAL 1 WEEK)

==== snip =====

So I think some uniqueness checking needs adding to the algorithm, as well as clearing out old PINs (as with a 5-digit default PIN, in large deployments, you stand a good chance of using all the PINs if the database isn't purged regularly).

Many thanks,
Robin.
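
The following is an added example, not code from this report or from PacketFence (whose sms_activation.pm is Perl). It models in Python the PIN scheme the report describes (MD5 over phone, MAC, time and expiration, converted to decimal, first 4 digits kept), shows why a PIN-only lookup misdirects messages once the table fills up, quantifies that with the birthday bound, and gives a hardened in-memory stand-in for the sms_activation table. The field concatenation order, the constructed phone numbers, MACs and timestamps, and the ActivationStore class with its method names are all this example's own assumptions, not PacketFence's.

```python
"""Added example, not code from the report or from PacketFence (whose
sms_activation.pm is Perl): a Python model of the PIN scheme the report
describes, the collision behaviour that misdirects SMS messages, and a
hardened stand-in for the sms_activation table."""
import hashlib
import math
import secrets

PIN_DIGITS = 4            # the report says the first 4 digits were kept
BASE_TIME = 1378960000    # constructed epoch timestamp (2013-09-12)


def reported_pin(phone, mac, now, expiration, digits=PIN_DIGITS):
    """PIN as the report describes it: MD5 over phone number, MAC, current
    time and expiration, the digest converted to a decimal integer, first
    `digits` digits kept. Field order and separator are assumptions."""
    digest = hashlib.md5(f"{phone}|{mac}|{now}|{expiration}".encode()).hexdigest()
    return str(int(digest, 16))[:digits]


def constructed_registration(i):
    """Distinct constructed phone/MAC/time for registrant number i."""
    mac = f"00:11:22:{i >> 16 & 0xff:02x}:{i >> 8 & 0xff:02x}:{i & 0xff:02x}"
    return f"+1555{i:07d}", mac, BASE_TIME + i


def leading_digit_bias(samples=3000):
    """Fraction of derived PINs whose value is <= 3402. MD5 digests are at
    most 2**128 ~ 3.40e38, so about 70% of them have 39 decimal digits and
    their first four lie in 1000..3402; none start with 0. The effective
    4-digit PIN space is therefore much smaller than 10**4, which makes
    collisions even likelier than a uniform 4-digit code would."""
    hits = 0
    for i in range(samples):
        phone, mac, now = constructed_registration(i)
        if int(reported_pin(phone, mac, now, now + 31 * 86400)) <= 3402:
            hits += 1
    return hits / samples


def simulate_reported_scheme(n):
    """Register n users with distinct phones and MACs into an in-memory stand-in
    for sms_activation with no uniqueness check, then resolve each new PIN back
    to a phone number the way the report says send_sms does: first row whose
    activation code matches. Returns how many registrants' SMS would go to
    somebody else's phone."""
    first_phone_for = {}   # what a PIN-only SELECT would return per code
    misdirected = 0
    for i in range(n):
        phone, mac, now = constructed_registration(i)
        pin = reported_pin(phone, mac, now, now + 31 * 86400)
        first_phone_for.setdefault(pin, phone)
        if first_phone_for[pin] != phone:
            misdirected += 1
    return misdirected


def registrations_for_collision(p, digits):
    """Birthday bound: number of live rows at which two share a PIN with
    probability p, assuming uniform `digits`-digit codes. 4 digits reach 50%
    at 118 rows, 6 digits at 1178; a 31-day lifetime keeps rows live."""
    return math.ceil(math.sqrt(2 * 10 ** digits * math.log(1 / (1 - p))))


class ActivationStore:
    """Hardened stand-in for the sms_activation table (class and method names
    are this example's own). Codes come from a CSPRNG, live for `lifetime`
    seconds, are unique among unexpired rows at insert time (a UNIQUE index on
    the code column in the real table), and expired rows are purged on every
    insert. The SMS goes to the phone number from the registration request
    instead of one looked up by PIN, and activation is tied to the MAC."""

    def __init__(self, digits=6, lifetime=3600, max_attempts=50):
        self.digits, self.lifetime, self.max_attempts = digits, lifetime, max_attempts
        self.rows = {}  # code -> (phone, mac, expiration)

    def purge_expired(self, now):
        """The report's DELETE ... WHERE expiration <= ... as a method."""
        for code in [c for c, (_, _, exp) in self.rows.items() if exp <= now]:
            del self.rows[code]

    def create(self, phone, mac, now):
        """Insert a fresh activation; returns (code, phone number to text)."""
        self.purge_expired(now)
        for _ in range(self.max_attempts):
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
            if code not in self.rows:          # stand-in for the UNIQUE index
                self.rows[code] = (phone, mac, now + self.lifetime)
                return code, phone
        raise RuntimeError("no free activation code: enlarge PIN or shorten lifetime")

    def activate(self, code, mac, now):
        """Accept a code only if unexpired and issued to this MAC; single use."""
        row = self.rows.get(code)
        if row is None or row[1] != mac or row[2] <= now:
            return False
        del self.rows[code]
        return True
```

Two points the model makes that the prose does not: the decimal-conversion step biases the 4-digit codes (roughly three quarters of them fall in 1000..3402 and none begin with 0), so the usable space is far below 10,000 and the birthday bound of about 118 live rows for a 50% collision is optimistic; and an application-side "is this code already taken" check still races between two concurrent registrations, so in the real table the uniqueness belongs in a UNIQUE index with a retry on the duplicate-key error, combined with the periodic DELETE the report shows.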

No tags attached.
Issue History
2013-09-12 04:56 | sinusoidal | New Issue
2013-09-12 17:22 | francis | Note Added: 0003444
2013-09-12 17:22 | francis | Status: new => closed
2013-09-12 17:22 | francis | Resolution: open => fixed

Notes
(0003444) francis 2013-09-12 17:22
This was fixed earlier this year:

https://github.com/inverse-inc/packetfence/commit/85aa055dd04fc40d4eb378765570e940a7fcfbd8