referer problems...

From: Spencer Portee - Yard Productions (spencerat_private)
Date: Sat Dec 26 1998 - 16:47:34 PST


    I remember on bugtraq there was an issue of referer problems.  This is a
    big issue for "subscription" sites that don't want shared access of an
    acct, or for people who don't want people to link a certain page.
    
    Schema - taint the pages with an authkey of some sort that does not
    require cookies.  People don't like cookies for fun reasons, but that is
    not the issue in this case.
    
    main requirement: php3/coldfusion/server-side javascript, a database
    accessible to the language of choice.
    
    1.  Have an entrance page, either the front page, or a page where you want
    everyone to at least have gone through.  A request for username and
    password.  Fine, now once it's found, set a request_from field, the ip
    from where the request is made.  So the schema is broken down into...
    
    site.db:username,password,ip-request
    
    How do you force a pop up dialog to pass auth?  here's one stolen from
    php3's website.
    
    ---
    <?php
      // No credentials yet: send the Basic challenge and stop.  PHP 3 fills in
      // $PHP_AUTH_USER / $PHP_AUTH_PW from the Authorization header on the next request.
      if (!isset($PHP_AUTH_USER)) {
        Header("WWW-Authenticate: Basic realm=\"My Realm\"");
        Header("HTTP/1.0 401 Unauthorized");
        echo "Text to send if user hits Cancel button\n";
        exit;
      } else {
        // Escape the user-supplied values before echoing them into the page.
        echo "Hello " . htmlspecialchars($PHP_AUTH_USER) . ".<P>";
        echo "You entered " . htmlspecialchars($PHP_AUTH_PW) . " as your password.<P>";
      }
    ?>
    ---
    
    Fine, now you have a frontpage.html, some place where you want people who
    are about to go off onto your other pages to go through.  If they don't,
    refer them back to the front page or call them an idiot for trying to hit
    that page directly.  You can finally ask for passwords.  Using some sorta
    sql, set the ip of the request for that username and ip.  Joy, now we know
    where we are coming from.
    
    1.1 If you don't want people to have "accounts" just generate a "next
    user" (incremental, duh.. use time or something) user, random password
    (maybe a hash of the random user) and ip.  Once in a while, expunge users
    that are no longer needed.
    
    2. I know in apache you can have a header.html so that it processes the
    lookup all the time, like it usually does, but now php3 or something else
    is doing the work.  It should be faster with sql instead of flat files.
    Let's not debate that.  So this header.html now will ask for password and
    user, and with some OTHER sql, ask for the user, password and ip you set
    earlier.  If the ip in the database matches with the current, you are set!
    Give content.
    
    -spence
    yard productions, inc.
    
    p.s. For me, I'm using it with php3, apache and msql.
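The scheme in the post above (step 1 entrance page that binds a Basic-auth login to the requesting IP, step 1.1 throwaway "next user" accounts with periodic expunging, step 2 a header check on every other page that compares the stored IP with the current one), as an added example that is not the poster's code or a PHP3 port of it. It uses an in-memory sqlite table standing in for the post's site.db, and the function names (entrance, gate, new_anonymous_user, expunge_anonymous), the hashing, and the 302 back to /frontpage.html are my own choices; the post stores the password itself, while this version stores a salted hash. Two caveats a practitioner would want before deploying this: Basic auth sends the password on every request, so over plain HTTP it is readable on the wire regardless of the IP check, and binding to the client address is wrong in both directions behind NAT or a proxy (everyone behind one address shares the binding, and a roaming user whose address changes is thrown back to the front page).

```python
"""HTTP Basic auth with per-login IP binding. Added example; names and table
layout are assumptions, not the original post's code."""
import base64
import hashlib
import secrets
import sqlite3
import time

# Constructed in-memory stand-in for the post's site.db (username, password, ip-request).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE site (username TEXT PRIMARY KEY, salt TEXT, pwhash TEXT,"
           " ip_request TEXT, anonymous INTEGER, created REAL)")

REALM = "My Realm"
# Response tuple: (status, headers, body).  Sent whenever credentials are missing or wrong.
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, "Authorization required")


def _hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def add_user(username, password, anonymous=False):
    salt = secrets.token_hex(8)
    db.execute("INSERT INTO site VALUES (?,?,?,?,?,?)",
               (username, salt, _hash(salt, password), None, int(anonymous), time.time()))


def parse_basic_auth(headers):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        user, _, pw = base64.b64decode(b64, validate=True).decode().partition(":")
    except ValueError:            # bad base64 or non-UTF-8 bytes
        return None
    return user, pw


def _lookup(creds):
    """Row (salt, pwhash, ip_request) if the credentials check out, else None."""
    if creds is None:
        return None
    row = db.execute("SELECT salt, pwhash, ip_request FROM site WHERE username=?",
                     (creds[0],)).fetchone()
    if row is None or not secrets.compare_digest(row[1], _hash(row[0], creds[1])):
        return None
    return row


def entrance(headers, remote_addr):
    """Step 1: the front page.  Verify user/password, then record the requesting IP."""
    creds = parse_basic_auth(headers)
    if _lookup(creds) is None:
        return CHALLENGE
    db.execute("UPDATE site SET ip_request=? WHERE username=?", (remote_addr, creds[0]))
    return 200, {}, "Hello %s" % creds[0]


def gate(headers, remote_addr):
    """Step 2: the header.html check on every other page.  Same credential check,
    plus the recorded IP must equal the current one; otherwise back to the front."""
    creds = parse_basic_auth(headers)
    row = _lookup(creds)
    if row is None:
        return CHALLENGE
    if row[2] != remote_addr:     # None (never went through the entrance) or a second host
        return 302, {"Location": "/frontpage.html"}, "Go through the front page first"
    return 200, {}, "content"


def new_anonymous_user():
    """Step 1.1: no accounts.  Mint a 'next user' from the clock plus a few random
    bytes (so expunged names are not reused) with a random password."""
    username = "guest-%d-%s" % (int(time.time()), secrets.token_hex(3))
    password = secrets.token_urlsafe(12)
    add_user(username, password, anonymous=True)
    return username, password


def expunge_anonymous(max_age_seconds):
    """Step 1.1: once in a while, drop guest users older than max_age_seconds."""
    cutoff = time.time() - max_age_seconds
    return db.execute("DELETE FROM site WHERE anonymous=1 AND created<?", (cutoff,)).rowcount


def basic_header(user, pw):
    """Build the Authorization header a browser sends after the 401 challenge."""
    token = base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    add_user("spence", "hunter2")                                       # constructed account
    print(entrance({}, "10.0.0.5")[0])                                  # 401: no credentials
    print(entrance(basic_header("spence", "hunter2"), "10.0.0.5")[0])   # 200: IP now bound
    print(gate(basic_header("spence", "hunter2"), "10.0.0.5")[0])       # 200: same host
    print(gate(basic_header("spence", "hunter2"), "192.0.2.9")[0])      # 302: shared acct
```

The last call is the case the post is after: a second host presenting a valid, shared login is bounced back to the entrance rather than served, and the moment it goes through the entrance itself the binding moves and the first host gets bounced instead.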
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:26 PDT