Bugtraq mailing list archives
Re: Referer (was Patches for wwwboard.pl)
From: darius () connect com au (Kevin Littlejohn)
Date: Wed, 14 Oct 1998 13:02:48 +1000
Lincoln Stein wrote:

> The original article did suggest incorporating the IP address and a timestamp in the hash function. The main point of the article was that using just the Referer field for security was a very bad idea. I sure hope this thread will be killed soon!
Um - sorry ;)

One comment I wanted to make re: web security - if you're relying on the IP number of the machine requesting the file for any sort of security, then you'll break your web site for anyone using multiple proxies. In .au, this is especially a problem, as we have some fairly large hierarchies of proxy servers - for a lot of our users, a single web 'session' can generate requests from multiple different boxes, as different proxies react faster for each request.

Sorry to extend the thread, but people trying to tie web security down to originator IP number is a pet hate of mine ;/

KevinL
> David Schwartz writes:
> > You should also be including a timestamp and an originator IP in the hash
> > function. Otherwise you are vulnerable to interception and replay attacks.
> > If you're going to do it, you might as well do it right.
> >
> > DS
> >
> > > Even though I wrote this, it turns out that this isn't the best way to
> > > compute a message authentication code (MAC). A more secure technique
> > > is this:
> > >
> > > $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))
> > >
> > > I explain the problems with the original scheme in the October issue
> > > of Web Techniques.
> > >
> > > Lincoln
> > >
> > > --
> > > ========================================================================
> > > Lincoln D. Stein Cold Spring Harbor Laboratory
> > > lstein () cshl org Cold Spring Harbor, NY
> > > ========================================================================
--------------- qnevhf () obsu arg nh --------------- Kevin Littlejohn, Development Engineer, Connect.com.au ----------- Oernxf guvatf sbe n yvivat -----------
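As an added example (not code from the thread or from wwwboard.pl), the following Python sketches the hidden-field protection the thread is arguing about: the nested keyed-MD5 construction Stein posted, MD5(secret . MD5(secret . data)), with the timestamp David Schwartz asked for folded into the signed data, and the originator IP deliberately left out for the reason Kevin Littlejohn gives (one user's requests may arrive from several proxies). The secret, the field values, the 900-second validity window and the length-prefixed field encoding are all assumptions introduced here; Stein's Perl simply interpolates the arrays with spaces.

```python
import hashlib
import hmac
import time
from typing import List, Optional

# Constructed, hypothetical server-side secret: it must never reach the client.
SECRET = b"replace-me-with-32-random-bytes-from-os-urandom"

# Hypothetical policy: how long a signed form stays acceptable (replay window).
MAX_AGE_SECONDS = 900


def _canon(fields: List[str], ts: int) -> bytes:
    """Length-prefix each field so ("a b", "c") and ("a", "b c") cannot
    produce the same bytes. This is an added precaution; the Perl in the
    thread joins "@untamperable @consistency" with plain spaces."""
    parts = ["%d:%s" % (len(f), f) for f in fields] + ["ts:%d" % ts]
    return "|".join(parts).encode()


def nested_mac(secret: bytes, fields: List[str], ts: int) -> str:
    """MD5(secret . MD5(secret . data)): the nested keyed construction from
    the thread, with the issue timestamp included in the inner data."""
    inner = hashlib.md5(secret + _canon(fields, ts)).hexdigest()
    return hashlib.md5(secret + inner.encode()).hexdigest()


def sign_form(fields: List[str], now: Optional[int] = None) -> dict:
    """Build what the hidden form fields would carry: the protected values,
    the issue time, and the MAC over both. No client IP is bound in."""
    ts = int(time.time()) if now is None else now
    return {"fields": list(fields), "ts": ts,
            "mac": nested_mac(SECRET, fields, ts)}


def verify_form(submitted: dict, now: Optional[int] = None) -> bool:
    """Recompute the MAC over whatever came back from the client, compare
    it in constant time, and reject stale or future-dated submissions."""
    now = int(time.time()) if now is None else now
    try:
        fields = [str(f) for f in submitted["fields"]]
        ts = int(submitted["ts"])
        mac = str(submitted["mac"])
    except (KeyError, TypeError, ValueError):
        return False
    if not hmac.compare_digest(nested_mac(SECRET, fields, ts), mac):
        return False
    return 0 <= now - ts <= MAX_AGE_SECONDS


if __name__ == "__main__":
    # Constructed sample field values; timestamps are fixed for reproducibility.
    token = sign_form(["board=general", "maxlen=4096"], now=1000)
    print(verify_form(token, now=1100))                        # True
    tampered = dict(token, fields=["board=admin", "maxlen=4096"])
    print(verify_form(tampered, now=1100))                     # False: data changed
    print(verify_form(token, now=1000 + MAX_AGE_SECONDS + 1))  # False: expired
```

The nested MD5 is kept only to match the thread; the same keyed-hash idea is what the standard HMAC construction provides, and today one would write hmac.new(SECRET, data, "sha256") rather than hand-nest MD5. Note also that the timestamp limits replay to a window; it does not stop an attacker who intercepts the form from resubmitting it within that window, which is the gap the thread wanted IP binding to close.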