Bugtraq mailing list archives
Referer (was Patches for wwwboard.pl)
From: lstein () cshl org (Lincoln Stein)
Date: Fri, 9 Oct 1998 16:46:07 -0400
Michael Blythe writes:
> In September's 'Web Techniques', Lincoln Stein discusses the problem of using the referer header as an authentication method for CGI scripts. He suggests using MD5 to check whether a form's fields have been tampered with. I'm not sure if this would work with the wwwboard, because of the way the script is passing info in hidden fields, but it will work in other applications:
>
> [...]
>
> * in perl, the MD5 hash can be computed as follows:
>
>     $hash = MD5->hexhash(MD5->hexhash($secret) . "@untamperable @consistency");
Even though I wrote this, it turns out that this isn't the best way to compute a message authentication code (MAC). A more secure technique is this:

    $hash = MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"));

I explain the problems with the original scheme in the October issue of Web Techniques.

Lincoln

--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein () cshl org                               Cold Spring Harbor, NY
========================================================================
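The improved construction from the post, applied to the hidden fields of a form, as an added Python example (not code from the post, from Web Techniques, or from wwwboard.pl). The secret and field names are constructed, and the two Perl arrays are collapsed into one ordered list of protected field names.

```python
import hashlib
import hmac

def md5hex(data: str) -> str:
    """Hex MD5 digest, the equivalent of Perl's MD5->hexhash."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def stein_mac(secret: str, fields: dict, protected: list) -> str:
    """MAC over the protected hidden fields in the post's improved form:
    hexhash($secret . hexhash("$secret @untamperable @consistency")).
    The two Perl arrays become one ordered list of field names here, and the
    values are space-joined as Perl's "@array" interpolation does. The secret
    enters again on the outside, so the outer digest cannot be computed from
    the data alone."""
    data = " ".join(fields[name] for name in protected)
    inner = md5hex(f"{secret} {data}")
    return md5hex(secret + inner)

def sign_form(secret: str, fields: dict, protected: list) -> dict:
    """Hidden fields plus the 'mac' field the server emits with the form."""
    signed = dict(fields)
    signed["mac"] = stein_mac(secret, fields, protected)
    return signed

def verify_form(secret: str, submitted: dict, protected: list) -> bool:
    """Recompute the MAC over the submitted fields; constant-time compare."""
    if "mac" not in submitted or any(n not in submitted for n in protected):
        return False
    expected = stein_mac(secret, submitted, protected)
    return hmac.compare_digest(expected, submitted["mac"])

# Constructed sample: the kind of hidden fields a message-board CGI carries.
SECRET = "constructed-server-side-secret"
PROTECTED = ["followup", "thread_file"]
HIDDEN = {"followup": "12", "thread_file": "messages/12.html",
          "subject": "Re: hello"}

if __name__ == "__main__":
    form = sign_form(SECRET, HIDDEN, PROTECTED)
    print("accepted as issued:", verify_form(SECRET, form, PROTECTED))
    edited = dict(form, followup="13")   # a hidden field changed client-side
    print("accepted after edit:", verify_form(SECRET, edited, PROTECTED))
```

Only fields listed in the protected set are covered by the MAC; for a new deployment the standard construction for this job is HMAC (`hmac.new` in Python) rather than a hand-built nested hash.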