[4497] in WWW Security List Archive

home help back first fref pref prev next nref lref last post

Re: Question about User Identity (CGI scripting)

daemon@ATHENA.MIT.EDU (Brian W. Spolarich)
Wed Feb 19 11:12:20 1997

Date: Wed, 19 Feb 1997 09:12:29 -0500 (EST)
From: "Brian W. Spolarich" <briansp@ans.net>
Reply-To: "Brian W. Spolarich" <briansp@ans.net>
To: Anthony Cuykens <acuykens@ulb.ac.be>
cc: Jim Harmon <jim@telecnnct.com>, www-security@ns2.rutgers.edu
In-Reply-To: <330AB668.14DD@ulb.ac.be>
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 19 Feb 1997, Anthony Cuykens wrote:

| > Whenever I try to identify a user, the $ENV resolution of $REMOTE_USER
| > is "homeboy", not user "fred" or "charlie" or "alice".

  I assume you've got your HTTP server configured to authenticate users
when they connect to WWWGnats?  Otherwise, $REMOTE_USER is probably either
undefined or set to whatever username the HTTP server is running as.  

| 	I recently logged on a web page called anonymizer
| (http://www.anonymizer.com) which proposes to let you surf on the net
| without leaving any track of your identity. To prove that their site is
| useful, they begin by showing you information that they got
| about you through the connection. From a Unix platform, they were able
| to get my address and the login name of all the people currently
| connected; from an NT workstation, they only get my address.
| 
| 	I do not know how they do that but maybe you could go there to see what
| they are able to perform, you should be able to do the same.

  Your name is probably , and you can be reached at @thebrain.aa.ans.net. 
  We can access your News postings and Web pages which talk about you. 
  You are affiliated with ANS CO+RE Systems, Inc.. 
  You're located around Elmsford, NY. (MAP) 
  Your computer is a Unix box running SunOS 5.5.1 sun4u. 
  Your Internet browser is Netscape. 
  You are coming from thebrain.aa.ans.net. 
  You just visited the Anonymizer Home Page. 

  What they're doing isn't particularly exciting or complex.  Essentially,
they're running a simple CGI program that, based on your IP address, does
a few things:

  1.  Checking to see if identd is running, and using identd to identify
the user associated with a particular TCP session.  I'm not running
identd, nor would I pass such information through my routers.  They
probably couldn't convince my browser to tell them, so they're SOL.

  2.  They know your IP address, so they know your hostname.  Big deal.
They got the email address wrong...they should guess "user@company.com"
instead of "user@host.company.com", although both will work in my case.

  3.  If they can figure out your username, they can make a link to
AltaVista to search for your name on the Net (aka "vanity search").

  4.  Lookup your IP address in the whois database to find out your
provider.  They then assume that your provider is regional and that you
live near wherever your provider is based.  Not valid.  I live in
Michigan...ANS is a national NSP/ISP (we _were_ the Internet for years).

  5.  Essentially, most of what they can find out about me they're going
to get from my browser via the CGI interface their HTTP server provides:

 TZ=US/Eastern
 HTTP_CONNECTION=Keep-Alive
 HTTP_USER_AGENT=Mozilla/3.0Gold (X11; U; SunOS 5.5.1 sun4u)
 HTTP_PRAGMA=no-cache
 HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
 REMOTE_HOST=thebrain.aa.ans.net
 REMOTE_ADDR=198.83.22.63

 So they can find out my OS because Netscape builds this into the
User-Agent: header it supplies (X11 is my windowing system, I assume "U"
is for Unix, and then the version).

  Blah blah...this isn't much in the way of "personal" information.  And
their "anonymizer" service is nothing more than a somewhat terse HTTP
proxy that didn't work when I tried to use it.

  Considering that someone could obtain my SSN and screw up my life for a
few months pretty easily, I'm not that uncomfortable that someone knows
I'm using Solaris 2.5.1 right now.  If they want to try and find me in
Elmsford, NY, godspeed.

  -brian

--
Brian W. Spolarich - ANS Systems Development - briansp@ans.net - 313-677-7311
       At the sight of Nothing the Soul rejoices.  -- Thomas Moore
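The lookups Brian describes in points 1, 2 and 5 above, as an added example that is not part of the original thread and is not the anonymizer site's own code: a CGI-side function that builds a visitor profile from the request environment, sends an RFC 1413 (identd) query to the client's port 113 and parses the reply, splits the Netscape User-Agent string into its platform tokens, and makes the "user@company.com" guess the post says the site should have made. The environment values are copied from the post except REMOTE_PORT, which is an assumed value; the identd replies in the test are constructed samples; the two-label domain heuristic is a deliberately crude assumption (it is wrong for country-code domains such as ulb.ac.be), and the identd reply is treated as untrusted text, since the client chooses what, if anything, to answer.

```python
"""Added example: what a CGI program can learn about a visitor from the
request environment plus an RFC 1413 (identd) query.  Not code from the
original thread or from anonymizer.com."""
import re
import socket

# CGI environment constructed from the variables quoted in the post.
# REMOTE_PORT is an assumed value; the post does not show it.
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "Mozilla/3.0Gold (X11; U; SunOS 5.5.1 sun4u)",
    "REMOTE_HOST": "thebrain.aa.ans.net",
    "REMOTE_ADDR": "198.83.22.63",
    "REMOTE_PORT": "40123",
    "SERVER_PORT": "80",
}

# Netscape-style User-Agent: product/version (windowing; security; OS)
UA_RE = re.compile(
    r"^(?P<product>[^ /]+)/(?P<version>\S+)\s*\((?P<comment>[^)]*)\)")

# RFC 1413 reply: "<server-port>, <client-port> : USERID : <opsys> : <id>"
# or "<server-port>, <client-port> : ERROR : <error-type>"
IDENT_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*([^:]*?)\s*"
    r"(?::\s*(.*?))?\s*$")


def parse_user_agent(ua):
    """Split the User-Agent into product, version and the parenthesised
    platform tokens (e.g. ['X11', 'U', 'SunOS 5.5.1 sun4u'])."""
    m = UA_RE.match(ua)
    if not m:
        return {"product": ua, "version": None, "platform": []}
    tokens = [t.strip() for t in m.group("comment").split(";")]
    return {"product": m.group("product"), "version": m.group("version"),
            "platform": tokens}


def guess_email(user, host):
    """Guess user@domain from the last two labels of the hostname.  This is
    the crude heuristic the post suggests; it misfires on domains such as
    ulb.ac.be (assumption, not a reliable rule)."""
    labels = host.split(".")
    domain = ".".join(labels[-2:]) if len(labels) > 2 else host
    return f"{user or ''}@{domain}"


def build_ident_query(server_port, client_port):
    """RFC 1413 request line: '<port-on-server>, <port-on-client>' + CRLF."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_ident_response(line):
    """Return the user id from a USERID reply, or None on ERROR or on a
    malformed reply.  The value comes from software on the client's own
    machine, so it is sanitised and treated as a claim, not an identity."""
    m = IDENT_RE.match(line.strip())
    if not m:
        return None
    kind, user_id = m.group(3), m.group(5)
    if kind != "USERID" or user_id is None:
        return None
    cleaned = "".join(ch for ch in user_id if ch.isprintable()).strip()
    return cleaned or None


def ident_lookup(remote_addr, server_port, client_port, timeout=3.0):
    """Ask identd on the client host (TCP 113) who owns the client end of
    the connection.  None when identd is absent, filtered, or errors out,
    which is the outcome the post describes for a router that blocks it."""
    try:
        with socket.create_connection((remote_addr, 113), timeout=timeout) as s:
            s.sendall(build_ident_query(server_port, client_port))
            reply = s.recv(1024).decode("ascii", "replace")
    except OSError:
        return None
    return parse_ident_response(reply)


def profile(env, ident=ident_lookup):
    """Build the visitor profile from the CGI environment.  `ident` is
    injectable so the function can run offline in a test."""
    ua = parse_user_agent(env.get("HTTP_USER_AGENT", ""))
    host = env.get("REMOTE_HOST") or env.get("REMOTE_ADDR", "")
    user = ident(env.get("REMOTE_ADDR", ""), env.get("SERVER_PORT", "80"),
                 env.get("REMOTE_PORT", "0"))
    return {
        "user": user,                         # None unless identd answered
        "auth_user": env.get("REMOTE_USER"),  # set only after HTTP auth
        "email_guess": guess_email(user, host),
        "host": host,
        "os": ua["platform"][2] if len(ua["platform"]) > 2 else None,
        "browser": ua["product"],
    }


if __name__ == "__main__":
    # Offline run: pretend identd did not answer, as in the post.
    print(profile(SAMPLE_ENV, ident=lambda *args: None))
```

Note the two separate sources in `profile`: `auth_user` is REMOTE_USER, which the HTTP server fills in only after it has authenticated the request (the point made at the top of the reply), while `user` is whatever the client's identd volunteered, which the client controls and which can be absent, filtered, or fabricated.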
