Re: Referer (was Patches for wwwboard.pl)
Adam Shostack (adam at TWOFISH.NETECT.COM)
Sat, 10 Oct 1998 15:31:35 -0400
- Next message: Spikeman: "MacAttack"
- Previous message: Adrian Voinea: "Last (hopefully) update on GroupWise"
- In reply to: Michael Blythe: "Referer (was Patches for wwwboard.pl)"
- Next in thread: Lincoln Stein: "Referer (was Patches for wwwboard.pl)"
Lincoln's suggestion is very good, but can be improved by using
the hmac construction rather than md5(key, data). The hmac function
is documented in http://www-cse.ucsd.edu/users/mihir/papers/hmac.html,
or rfc2014.
An elegant proof of this is too large to fit in this note.
Adam
On Fri, Oct 09, 1998 at 07:45:38AM -0800, Michael Blythe wrote:
> >Since the referer information comes from the remote client, that doesn't
> >prevent malicious destruction. Anyone with netcat or telnet could forge the
> >referer field. It requires a little more expertise, but not much.
>
> In September's 'Web Techniques', Lincoln Stein discusses the problem of
> using the referer header as an authentication method for CGI scripts. He
> suggests using MD5 to check whether a form's fields have been tampered
> with. I'm not sure if this would work with the wwwboard, because of the way
> the script is passing info in hidden fields, but it will work in other
> applications:
>
> Here's an abbreviated version of his suggestions:
>
> 1. Choose a secret key.
> 2. Decide which form fields should be untamperable.
> 3. Optional: put in consistency-checking hidden fields.
> 4. Concatenate the key, the form fields, and the consistency-checking fields.
> Compute the MD5 hash* and convert it to a hexadecimal string.
> 5. Include within the form a new hidden field containing the hash.
> 6. When the form is returned to your script, make sure all expected fields
> are present, and that expected values are present in the consistency-checking
> fields. Recompute the MD5 hash and compare it to the one in the form field.
> If they match, "you can be pretty sure that the form hasn't been tampered with."
>
>
> * in perl, the MD5 hash can be computed as follows:
> use MD5;
> # hash the secret, then hash it together with the protected and consistency fields
> $hash = MD5->hexhash(MD5->hexhash($secret) . "untamperable consistency");
>
> /mb
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
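The six-step scheme quoted above, written out in Python with the HMAC construction Adam recommends in place of hashing key and data together; this is an added example, not code from the thread or from Lincoln Stein's article. The field names, the consistency field and its value, the key, the length-prefixed encoding and the SHA-256 digest (the thread discusses MD5) are all assumptions.

```python
import hmac
import hashlib

# Constructed sample values: the key lives only on the server (step 1).
SECRET_KEY = b"server-side-secret-key-never-sent-to-client"

# Fields the script must be able to trust (step 2) and one
# consistency-checking field with a fixed expected value (step 3).
# Names and values are assumed for this example.
PROTECTED_FIELDS = ("board", "recipient", "max_length")
CONSISTENCY_FIELDS = {"form_version": "2"}


def _canonical(fields):
    # Step 4, with a twist: encode each value with its length so that
    # plain concatenation cannot make "ab"+"c" and "a"+"bc" look alike.
    parts = []
    for name in PROTECTED_FIELDS + tuple(sorted(CONSISTENCY_FIELDS)):
        value = fields[name].encode()
        parts.append(b"%d:%s" % (len(value), value))
    return b"".join(parts)


def sign_form(fields):
    """Return the hidden fields plus an HMAC tag over them (step 5)."""
    fields = dict(fields, **CONSISTENCY_FIELDS)
    tag = hmac.new(SECRET_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return dict(fields, mac=tag)


def verify_form(submitted):
    """Step 6: every expected field present, consistency values intact,
    and the recomputed tag equal to the one the client sent back."""
    required = PROTECTED_FIELDS + tuple(CONSISTENCY_FIELDS) + ("mac",)
    if any(name not in submitted for name in required):
        return False
    if any(submitted[k] != v for k, v in CONSISTENCY_FIELDS.items()):
        return False
    expected = hmac.new(SECRET_KEY, _canonical(submitted),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak the tag via timing
    return hmac.compare_digest(expected, submitted["mac"])
```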