Bugtraq mailing list archives

Referer (was Patches for wwwboard.pl)


From: lstein () cshl org (Lincoln Stein)
Date: Fri, 9 Oct 1998 16:46:07 -0400


Michael Blythe writes:
In September's 'Web Techniques', Lincoln Stein discusses the problem of
using the referer header as an authentication method for CGI scripts. He
suggests using MD5 to check whether a form's fields have been tampered
with. I'm not sure if this would work with the wwwboard, because of the way
the script is passing info in hidden fields, but it will work in other
applications:
 [...]
* in Perl, the MD5 hash can be computed as follows:
$hash = MD5->hexhash(MD5->hexhash($secret) . "@untamperable @consistency");

Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC).  A more secure technique
is this:

 $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))

I explain the problems with the original scheme in the October issue
of Web Techniques.

Lincoln

--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein () cshl org                                   Cold Spring Harbor, NY
========================================================================
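As an added example (not from the post above or from the Web Techniques articles), here are both MAC schemes in Python, using hashlib in place of Perl's MD5 module; the space-joined lists stand in for Perl's "@array" interpolation, and the secret and hidden-field values are constructed for illustration. The verification step compares digests in constant time so that the check itself does not leak which bytes of the submitted hash were correct.

```python
import hashlib
from hmac import compare_digest

# Constructed sample values; a real script keeps the secret outside the web tree.
SECRET = "constructed-server-side-secret"
UNTAMPERABLE = ["item=4711", "price=19.95"]   # fields the client must not change
CONSISTENCY = ["session=abc123"]              # fields that tie the form to a session


def md5hex(data: str) -> str:
    """Equivalent of Perl's MD5->hexhash: lowercase 32-char hex digest."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def mac_original(secret: str, untamperable: list, consistency: list) -> str:
    """Scheme from the September article: MD5(MD5(secret) . "@untamperable @consistency")."""
    payload = " ".join(untamperable) + " " + " ".join(consistency)
    return md5hex(md5hex(secret) + payload)


def mac_improved(secret: str, untamperable: list, consistency: list) -> str:
    """Stein's corrected scheme: MD5(secret . MD5("secret @untamperable @consistency")).

    The secret enters both the inner and the outer hash, so an attacker who sees
    only the outer digest learns nothing that works as a keyed prefix.
    """
    inner = md5hex(secret + " " + " ".join(untamperable) + " " + " ".join(consistency))
    return md5hex(secret + inner)


def verify(secret: str, untamperable: list, consistency: list,
           submitted_hash: str, scheme=mac_improved) -> bool:
    """Recompute the MAC from the submitted fields and compare in constant time."""
    expected = scheme(secret, untamperable, consistency)
    return compare_digest(expected, submitted_hash)


if __name__ == "__main__":
    tag = mac_improved(SECRET, UNTAMPERABLE, CONSISTENCY)
    print("hidden field value:", tag)
    print("untouched form accepted:", verify(SECRET, UNTAMPERABLE, CONSISTENCY, tag))
    altered = ["item=4711", "price=0.01"]
    print("altered price accepted:", verify(SECRET, altered, CONSISTENCY, tag))
```

Today the standard construction for this job is HMAC (Python's hmac module), which the nested inner/outer use of the secret above approximates.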


