Bugtraq mailing list archives
referer problems...
From: spencer () YRD COM (Spencer Portee - Yard Productions)
Date: Sat, 26 Dec 1998 19:47:34 -0500
I remember on bugtraq there was an issue of referer problems. This is a big issue for "subscription" sites that don't want shared access of an acct, or for people who don't want people to link a certain page.

Schema - taint the pages with an authkey of some sort that does not require cookies. People don't like cookies for fun reasons, but that is not the issue in this case.

Main requirement: php3/coldfusion/server-side javascript, a database accessible to the language of choice.

1. Have an entrance page, either the front page, or a page where you want everyone to at least have gone through. A request for username and password. Fine, now once it's found, set a request_from field, the ip from where the request is made. So the schema is broken down into...

   site.db: username, password, ip-request

How do you force a pop up dialog to pass auth? Here's one stolen from php3's website.

---
<?php
// No credentials on this request yet: challenge the browser with HTTP Basic auth.
if (!isset($PHP_AUTH_USER)) {
    Header("WWW-Authenticate: Basic realm=\"My Realm\"");
    Header("HTTP/1.0 401 Unauthorized");
    echo "Text to send if user hits Cancel button\n";
    exit;
} else {
    // The browser re-sent the request with credentials; php3 fills these globals.
    echo "Hello $PHP_AUTH_USER.<P>";
    echo "You entered $PHP_AUTH_PW as your password.<P>";
}
?>
---

Fine, now you have a frontpage.html, some place where you want people who are about to go off onto your other pages, to go through. If they don't, refer them back to the front page or call them an idiot for trying to hit that page directly. You can finally ask for passwords. Using some sorta sql, set the ip of the request for that username and ip. Joy, now we know where we are coming from.

1.1 If you don't want people to have "accounts" just generate a "next user" (incremental, duh.. use time or something) user, random password (maybe a hash of the random user) and ip. Once in a while, expunge users that are no longer needed.

2. I know in apache you can have a header.html so that it processes the lookup all the time, like it usually does, but now php3 or something else is doing the work. It should be faster with sql instead of flat files. Let's not debate that. So this header.html now will ask for password and user, and with some OTHER sql, ask for the user, password and ip you set earlier. If the ip in the database matches with the current, you are set! Give content.

-spence
yard productions, inc.

p.s. For me, I'm using it with php3, apache and msql.
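The scheme described in the post, as an added Python sketch that is not Spencer's php3/msql code: an in-memory dict stands in for site.db, entrance() does what the front page does (record the requesting ip on a good password), new_guest() covers the "next user" idea from 1.1, and header_check() is the per-page header.html lookup. All names and sample addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Stand-in for the site.db table: username -> (password, ip-request).
# Constructed for this example; the post uses msql via php3.
SITE_DB = {}

def entrance(username, password, client_ip):
    """Front page: on a correct password, record the ip the request came from."""
    row = SITE_DB.get(username)
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return False
    SITE_DB[username] = (row[0], client_ip)
    return True

def new_guest(client_ip):
    """Section 1.1: mint an incremental throwaway user bound to the requesting ip."""
    username = "guest%d" % len(SITE_DB)
    password = hashlib.sha256(username.encode() + secrets.token_bytes(16)).hexdigest()[:16]
    SITE_DB[username] = (password, client_ip)
    return username, password

def basic_header(username, password):
    """Build the 'Authorization: Basic ...' value a browser sends after the 401."""
    return "Basic " + base64.b64encode(("%s:%s" % (username, password)).encode()).decode()

def parse_basic(auth_header):
    """Decode a Basic auth header into (user, password), or None if absent/garbled."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return user, pw

CHALLENGE = 'WWW-Authenticate: Basic realm="My Realm"'

def header_check(auth_header, client_ip):
    """The header.html lookup on every later page: returns (status, header-or-body)."""
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, CHALLENGE          # force the browser's login dialog
    user, pw = creds
    row = SITE_DB.get(user)
    if row is None or not hmac.compare_digest(row[0].encode(), pw.encode()):
        return 401, CHALLENGE          # unknown user or wrong password
    if row[1] != client_ip:
        return 302, "Location: /frontpage.html"  # good password, wrong ip: back to the front page
    return 200, "Hello %s." % user     # ip matches what the front page stored: give content
```

Binding the account to a source address only holds for users whose address stays constant; people behind a shared proxy or NAT present one ip to the server, so the password check remains the part that actually authenticates.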