FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum » FUDforum Suggestions » Semi-bug, slight misdesign? GET requests.
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Semi-bug, slight misdesign? GET requests. [message #14202 is a reply to message #14143] Sat, 08 November 2003 00:17 Go to previous messageGo to previous message
Xodnizel Test   United States
Messages: 7
Registered: November 2003
Karma:
Junior Member
Quote:

Where specialid is the md5sum of the session id, remote ip address, and some other unique things.


Or are you referring to something different? I don't think we're understanding each other still... I'll try giving a specific example from fudforum.

In each message, there's a link to "add to buddy list" beside the message body. Normally, in cookie sessions, the link would be something like:

http://dev.starmen.net/talk/index.php?t=buddy_list&add=204&


Now, if I were to post a message that contained:
[img]http://dev.starmen.net/talk/index.php?t=buddy_list&add=204&[/img]

Anyone who then viewed that message would have that user automatically added to his/her buddy list.

However, in my forum, the link would be like:
http://dev.starmen.net/talk/index.php?t=buddy_list&add=204&S=a1542752efcd5727b8516d13885bf643


(I used "S" because I was lazy. It isn't a session ID, or "sysid" per se, and it can't be used to gain direct access to the user's session).

That "S" key is generated by taking the MD5 sum of the real user session id, remote address, and behind-proxy address(similar to your sysid thing). Since the session ID is kept private, in a cookie, it can not be known by a third party, so the "S" key can't be duplicated by a third party. The other data(remote address, etc.) is used to make the "S" key not have such a close relationship to the session ID, though I don't know if this is totally necessary. It would probably be better to hash the session id with a random number, and regenerate that number if a user hasn't done any action for more than 12 hours.

The reason for this obfuscation is to reduce the chances that anyone will do anything successful with the "S" key if it is obtained, through posting a URL through IRC or similar, or server logs(http_referrer).

So, the passed "S" key is compared to the on-the-fly calculated "S" key in buddy_list.php. If they do not match, an error message is displayed, so that
[img]
"attack" won't work.

The "S" parameter is generally only passed and checked for URLs that do something automatically, without user confirmation. The URL to just read a message would not contain it, for example.

[Updated on: Sat, 08 November 2003 00:18]

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: XML/RSS buttons for easy syndication of forum content
Next Topic: Capture post title when going from thread-->PM create
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 20:52:33 GMT 2024

Total time taken to generate the page: 0.04333 seconds