Bugtraq mailing list archives
Re: The Dangers of Allowing Users to Post Images
From: blymn () baesystems com au (Brett Lymn)
Date: Sun, 17 Jun 2001 22:10:18 +0930 (CST)
According to Tim Nowaczyk:
> My company implemented this but went one more step. They created a file that had (IP, ticket) pairs. The ticket was passed around in URLs, but wasn't valid unless it came from the specific IP. To pretend to be someone else, one would have to spoof their IP and guess the value of their (10 hour life-cycle) ticket. We did this, originally, because we wanted to support web browsers that didn't use cookies. The file was, actually, more like (IP, ticket, cookie-type-options-and-settings). It worked well for us.
You are lucky. There are two cases which will invalidate this solution:

1) A bunch of users are behind a single web proxy (such as squid) so they all appear to come from the same IP address. This means you will have multiple tickets for the same IP.

2) A bunch of users are behind a multi-parented web proxy, in which case the users will appear to come from one of a number of addresses. This leads to bizarre behaviour - the user authenticates successfully but gets kicked off later because the ticket/IP pair doesn't match, because a different parent to the one the user authenticated on happened to handle the request.

--
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================
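The two proxy cases above, worked through in code. This is an added illustration and not code from either poster's system: a ticket store keyed on the ticket value (so several users behind one proxy IP can each hold their own ticket), with an optional strict IP binding that shows why a multi-parented proxy kicks an authenticated user off. Addresses are constructed RFC 5737 documentation values; the 10-hour lifetime is the one quoted in the thread.

```python
import secrets
import time

TICKET_LIFETIME = 10 * 3600  # the 10-hour ticket life-cycle from the thread


class TicketStore:
    """Session tickets keyed by the ticket value, each bound to the IP it
    was issued to. Keying on the ticket rather than the IP is what lets
    many users behind one proxy IP (case 1) hold distinct tickets."""

    def __init__(self, bind_ip=True, now=time.time):
        self.bind_ip = bind_ip      # False: drop the IP check entirely
        self.now = now              # injectable clock for testing expiry
        self._tickets = {}          # ticket -> (ip, expires_at, settings)

    def issue(self, ip, settings=None):
        ticket = secrets.token_urlsafe(32)  # unguessable; the IP is not the only secret
        self._tickets[ticket] = (ip, self.now() + TICKET_LIFETIME, settings or {})
        return ticket

    def validate(self, ticket, ip):
        """Return the stored settings, or None if the ticket is unusable."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        bound_ip, expires_at, settings = entry
        if self.now() > expires_at:
            del self._tickets[ticket]
            return None
        if self.bind_ip and bound_ip != ip:
            return None  # case 2: valid ticket, different proxy parent address
        return settings


# Constructed scenarios using RFC 5737 documentation addresses.
def shared_proxy_case(store):
    """Case 1: two users behind one squid proxy share a source address."""
    t_alice = store.issue("198.51.100.7", {"user": "alice"})
    t_bob = store.issue("198.51.100.7", {"user": "bob"})
    return (store.validate(t_alice, "198.51.100.7")["user"],
            store.validate(t_bob, "198.51.100.7")["user"])


def multi_parent_proxy_case(store):
    """Case 2: login arrives via one proxy parent, a later request via another."""
    t = store.issue("198.51.100.7", {"user": "carol"})
    first = store.validate(t, "198.51.100.7") is not None
    later = store.validate(t, "198.51.100.8") is not None
    return first, later
```

With `bind_ip=False` the second case passes but the ticket is then protected only by its unguessability and lifetime, which is the trade-off the thread is arguing about.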