Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images


From: blymn () baesystems com au (Brett Lymn)
Date: Sun, 17 Jun 2001 22:10:18 +0930 (CST)

According to Tim Nowaczyk:

 My company implemented this but went one more step.  They created a
 file that had (IP, ticket) pairs. The ticket was passed around in
 URLs, but wasn't valid unless it came from the specific IP.  To
 pretend to be someone else, one would have to spoof their IP and
 guess the value of their (10 hour life-cycle) ticket.  We did this,
 originally, because we wanted to support web browsers that didn't
 use cookies.  The file was, actually, more like (IP, ticket,
 cookie-type-options-and-settings).  It worked well for us.


You are lucky.  There are two cases which will invalidate this
solution:

1) A bunch of users are behind a single web proxy (such as squid) so
   they all appear to come from the same IP address.  This means you
   will have multiple tickets for the same IP.

2) A bunch of users are behind a multi-parented web proxy, in which
   case the users will appear to come from one of a number of
   addresses.  This leads to bizarre behaviour - the user
   authenticates successfully but gets kicked off later because the
   ticket/IP pair doesn't match, because a different parent from the one
   the user authenticated on happened to handle the request.

-- 
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================
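A small model of the (IP, ticket) scheme from the quoted reply and of the two proxy cases above, added here as a Python example (not code from either poster); the dictionary keyed by ticket, the 10-hour expiry, and the addresses are constructed assumptions:

```python
import secrets
import time

TICKET_TTL = 10 * 3600  # the 10-hour ticket life-cycle described in the post


class TicketStore:
    """Constructed model of the (IP, ticket) file: ticket -> (bound IP, expiry)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be exercised
        self.entries = {}

    def issue(self, client_ip):
        ticket = secrets.token_hex(16)  # unguessable ticket value
        self.entries[ticket] = (client_ip, self.clock() + TICKET_TTL)
        return ticket

    def validate(self, ticket, client_ip):
        entry = self.entries.get(ticket)
        if entry is None:
            return False
        bound_ip, expiry = entry
        if self.clock() > expiry:
            return False
        return bound_ip == client_ip  # the IP binding the scheme relies on


def shared_proxy_no_isolation(store):
    """Case 1: two users behind one proxy (e.g. squid) share an egress IP.
    Both tickets are bound to that IP, so the binding cannot tell the users
    apart: a request from the proxy presenting either ticket is accepted."""
    proxy_ip = "192.0.2.10"  # constructed egress address of the proxy
    t_alice = store.issue(proxy_ip)
    t_bob = store.issue(proxy_ip)
    return store.validate(t_alice, proxy_ip) and store.validate(t_bob, proxy_ip)


def multi_parent_mismatch(store):
    """Case 2: a multi-parented proxy forwards later requests via a different
    parent, so the same valid ticket arrives from another address and is
    rejected even though the user authenticated correctly."""
    parents = ["198.51.100.1", "198.51.100.2"]  # constructed parent addresses
    ticket = store.issue(parents[0])            # login was handled by parent 1
    return [store.validate(ticket, ip) for ip in parents]  # [True, False]
```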