Referer (was Patches for wwwboard.pl)

From: Michael Blythe (michael@CONFLUENCE-INC.COM)
Date: Fri Oct 09 1998 - 08:45:38 PDT


    >Since the referer information comes from the remote client, that doesn't
    >prevent malicious destruction.  Anyone with netcat or telnet could forge the
    >referer field. It requires a little more expertise, but not much.
    
    In September's 'Web Techniques', Lincoln Stein discusses the problem of
    using the referer header as an authentication method for CGI scripts. He
    suggests using MD5 to check whether a form's fields have been tampered
    with. I'm not sure if this would work with the wwwboard, because of the way
    the script is passing info in hidden fields, but it will work in other
    applications:
    
    Here's an abbreviated version of his suggestions:
    
    1. Choose a secret key.
    2. Decide which form fields should be untamperable.
    3. Optional: put in consistency-checking hidden fields.
    4. Concatenate the key, the form fields, and the consistency-checking fields.
       Compute the MD5 hash* and convert it to a hexadecimal string.
    5. Include within the form a new hidden field containing the hash.
    6. When the form is returned to your script, make sure all expected fields
       are present, and that expected values are present in the
       consistency-checking fields. Recompute the MD5 hash and compare it to
       the one in the form field. If they match, "you can be pretty sure that
       the form hasn't been tampered with."
    
    
    * in perl, the MD5 hash can be computed as follows:
    use MD5;
    # $secret, @untamperable and @consistency are set earlier in the script
    $hash = MD5->hexhash(MD5->hexhash($secret) . "@untamperable @consistency");
    
    /mb
    
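The six-step procedure above, carried through end to end as an added example. This is not code from the post, from Stein's article, or from wwwboard; it is a Python rendering of the same idea with two deliberate changes: the MAC is HMAC-SHA256 rather than MD5 over key-plus-data, and the signed fields are length-prefixed rather than space-joined. The secret key, the field names (board, thread, version, origin) and the sample submissions are all constructed for the example.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import parse_qs, urlencode

# Hypothetical server-side secret for the example; a real script would load
# it from a file outside the document root, never hard-code it.
SECRET_KEY = b"example-secret-key-for-illustration-only"

# Step 2: fields the browser must not be able to change.
UNTAMPERABLE = ("board", "thread")

# Step 3: consistency-checking hidden fields and the value each must carry
# when the form comes back (assumed names, chosen for the example).
CONSISTENCY = {"origin": "wwwboard", "version": "1"}


def _canonical(fields, names):
    """Length-prefix every name and value so two different field sets can
    never serialise to the same bytes (a space-joined list would let a value
    containing a space masquerade as two fields)."""
    parts = []
    for name in names:
        for item in (name, fields.get(name, "")):
            raw = item.encode("utf-8")
            parts.append(str(len(raw)).encode() + b":" + raw)
    return b"".join(parts)


def sign_fields(fields, key=SECRET_KEY):
    """Step 4: MAC over the protected and consistency fields, hex-encoded.
    HMAC is used instead of H(key || data) so a length-extension attack
    cannot append fields to a valid tag."""
    names = list(UNTAMPERABLE) + sorted(CONSISTENCY)
    return hmac.new(key, _canonical(fields, names), hashlib.sha256).hexdigest()


def build_hidden_fields(protected_values, key=SECRET_KEY):
    """Steps 3-5: hidden fields to emit into the form, including the MAC."""
    fields = dict(protected_values)
    fields.update(CONSISTENCY)
    fields["mac"] = sign_fields(fields, key)
    return fields


def render_hidden_inputs(fields):
    """HTML for the hidden inputs; values are escaped for the attribute context."""
    return "\n".join(
        f'<input type="hidden" name="{escape(n, quote=True)}" '
        f'value="{escape(v, quote=True)}">'
        for n, v in fields.items()
    )


def encode_form(fields):
    """Turn a field dict into the application/x-www-form-urlencoded body a
    browser would POST (used to simulate submissions)."""
    return urlencode(fields)


def verify_submission(body, key=SECRET_KEY):
    """Step 6: all expected fields present, consistency values as expected,
    then recompute the MAC and compare in constant time. Returns (ok, reason)."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for name in list(UNTAMPERABLE) + list(CONSISTENCY) + ["mac"]:
        if name not in fields:
            return False, f"missing field {name}"
    for name, expected in CONSISTENCY.items():
        if fields[name] != expected:
            return False, f"bad consistency field {name}"
    if not hmac.compare_digest(sign_fields(fields, key), fields["mac"]):
        return False, "mac mismatch"
    return True, "ok"


if __name__ == "__main__":
    hidden = build_hidden_fields({"board": "general", "thread": "42"})
    print(render_hidden_inputs(hidden))
    print(verify_submission(encode_form(hidden)))          # (True, 'ok')
    forged = dict(hidden, board="admin")                    # client edits a hidden field
    print(verify_submission(encode_form(forged)))          # (False, 'mac mismatch')
```

Because the key never leaves the server, a client with netcat can replay a form it was given but cannot mint a valid tag for different hidden values; the Referer header contributes nothing to this check and can be ignored entirely. Replay of an unmodified form is still possible, which is why the consistency fields are the place to bind the form to a session or a timestamp if that matters for the application.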



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:06 PDT