Bugtraq mailing list archives
Re: Referer (was Patches for wwwboard.pl)
From: adam () TWOFISH NETECT COM (Adam Shostack)
Date: Sat, 10 Oct 1998 15:31:35 -0400
Lincoln's suggestion is very good, but can be improved by using the hmac construction rather than md5(key, data). The hmac function is documented in http://www-cse.ucsd.edu/users/mihir/papers/hmac.html, or rfc2014. An elegant proof of this is too large to fit in this note.

Adam

On Fri, Oct 09, 1998 at 07:45:38AM -0800, Michael Blythe wrote:
Since the referer information comes from the remote client, that doesn't prevent malicious destruction. Anyone with netcat or telnet could forge the referer field. It requires a little more expertise, but not much.

In September's 'Web Techniques', Lincoln Stein discusses the problem of using the referer header as an authentication method for CGI scripts. He suggests using MD5 to check whether a form's fields have been tampered with. I'm not sure if this would work with the wwwboard, because of the way the script is passing info in hidden fields, but it will work in other applications. Here's an abbreviated version of his suggestions:

1. Choose a secret key.
2. Decide which form fields should be untamperable.
3. Optional: put in consistency-checking hidden fields.
4. Concatenate the key, the form fields, and the consistency-checking fields. Compute the MD5 hash* and convert it to a hexadecimal string.
5. Include within the form a new hidden field containing the hash.
6. When the form is returned to your script, make sure all expected fields are present, and that expected values are present in the consistency-checking fields. Recompute the MD5 hash and compare it to the one in the form field. If they match, "you can be pretty sure that the form hasn't been tampered with."

* In perl, the MD5 hash can be computed as follows:

    # hex MD5 of the secret, concatenated with the protected fields, hashed again
    $hash = MD5->hexhash(MD5->hexhash($secret) . "@untamperable @consistency");

/mb
-- "It is seldom that liberty of any kind is lost all at once." -Hume
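The two constructions discussed above side by side, as an added example that is not code from either poster: the column's keyed MD5 from the footnote (md5(md5(secret) . fields)) and an HMAC (RFC 2104) over the same fields, with the step-6 check carried out using the HMAC and a constant-time comparison. Python's standard hmac/hashlib modules stand in for the Perl MD5 module; the secret, field names, expected consistency value and the length-prefixed field serialization are all constructed for the example.

```python
import hashlib
import hmac

# Constructed values; a real deployment keeps the secret server-side only.
SECRET = b"example-server-side-secret"
UNTAMPERABLE = ["item", "price"]       # step 2: fields frozen by the hash
CONSISTENCY = ["version"]              # step 3: hidden field with a known value
EXPECTED_CONSISTENCY = {"version": "2"}


def serialize(fields, names):
    # Length-prefix each value so "ab"+"c" and "a"+"bc" cannot collide;
    # the column's "@untamperable @consistency" join would be one alternative.
    return b"".join(f"{len(fields[n])}:{fields[n]};".encode() for n in names)


def keyed_md5_tag(fields):
    # The footnote's construction: md5(md5(secret) . data), as a hex string.
    inner = hashlib.md5(SECRET).hexdigest().encode()
    return hashlib.md5(inner + serialize(fields, UNTAMPERABLE + CONSISTENCY)).hexdigest()


def hmac_tag(fields):
    # Adam's suggestion: HMAC over the same data. MD5 is kept as the inner hash
    # only to match the thread; HMAC is a proper MAC, md5(key . data) is not.
    data = serialize(fields, UNTAMPERABLE + CONSISTENCY)
    return hmac.new(SECRET, data, hashlib.md5).hexdigest()


def sign_form(fields):
    """Step 5: add the hidden 'hash' field before emitting the form."""
    signed = dict(fields)
    signed["hash"] = hmac_tag(fields)
    return signed


def verify_form(submitted):
    """Step 6, with the HMAC in place of the keyed MD5."""
    if any(n not in submitted for n in UNTAMPERABLE + CONSISTENCY + ["hash"]):
        return False
    if any(submitted[n] != v for n, v in EXPECTED_CONSISTENCY.items()):
        return False
    # compare_digest does not leak the position of the first mismatch via timing
    return hmac.compare_digest(hmac_tag(submitted), submitted["hash"])


if __name__ == "__main__":
    form = sign_form({"item": "widget", "price": "10.00", "version": "2"})
    print(verify_form(form))                      # True
    print(verify_form(dict(form, price="0.01")))  # False: frozen field changed
```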