[21090] in bugtraq
Re: The Dangers of Allowing Users to Post Images
daemon@ATHENA.MIT.EDU (Brett Lymn)
Tue Jun 19 02:12:42 2001
From: blymn@baesystems.com.au (Brett Lymn)
Message-Id: <200106171240.WAA05280@mallee.awadi>
To: zimage@upl.cs.wisc.edu (Tim Nowaczyk)
Date: Sun, 17 Jun 2001 22:10:18 +0930 (CST)
Cc: bugtraq@securityfocus.com
In-Reply-To: <20010615125222.B7588@upl.cs.wisc.edu> from "Tim Nowaczyk" at Jun 15, 2001 12:52:22 PM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
According to Tim Nowaczyk:
>
> My company implemented this but went one more step. They created a
> file that had (IP, ticket) pairs. The ticket was passed around in
> URLs, but wasn't valid unless it came from the specific IP. To
> pretend to be someone else, one would have to spoof their IP and
> guess the value of their (10 hour life-cycle) ticket. We did this,
> originally, because we wanted to support web browsers that didn't
> use cookies. The file was, actually, more like (IP, ticket,
> cookie-type-options-and-settings). It worked well for us.
>
You are lucky. There are two cases which will invalidate this solution:

1) A bunch of users are behind a single web proxy (such as squid) so they all appear to come from the same IP address. This means you will have multiple tickets for the same IP.

2) A bunch of users are behind a multi-parented web proxy, in which case the users will appear to come from one of a number of addresses. This leads to bizarre behaviour - the user authenticates successfully but gets kicked off later because the ticket/IP pair doesn't match, because a different parent to the one the user authenticated on happened to handle the request.
--
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================
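As an added illustration that is not part of the original thread: a small constructed model of the (IP, ticket) table the two posters describe, replaying both proxy cases from the reply. The `TicketStore` class, the `keyed_by_ip` switch and the RFC 5737 example addresses are all assumptions of this example, not anything from the original posts.

```python
import secrets
import time

TICKET_LIFETIME = 10 * 3600  # seconds; the 10-hour ticket lifetime mentioned in the thread


class TicketStore:
    """Constructed model of a server-side (IP, ticket) table.
    keyed_by_ip=True models a file with one row per IP; False keys rows by ticket."""

    def __init__(self, keyed_by_ip=False, now=time.time):
        self.keyed_by_ip = keyed_by_ip
        self._now = now
        self._rows = {}  # key -> (bound_ip, ticket, expires_at)

    def issue(self, client_ip):
        ticket = secrets.token_urlsafe(32)
        key = client_ip if self.keyed_by_ip else ticket
        self._rows[key] = (client_ip, ticket, self._now() + TICKET_LIFETIME)
        return ticket

    def validate(self, ticket, client_ip):
        key = client_ip if self.keyed_by_ip else ticket
        row = self._rows.get(key)
        if row is None:
            return False
        bound_ip, bound_ticket, expires_at = row
        if self._now() > expires_at:
            del self._rows[key]
            return False
        # Both the ticket value and the source IP must match the stored pair.
        return bound_ticket == ticket and bound_ip == client_ip


def proxy_scenarios():
    """Replays the two proxy cases from the reply with constructed addresses."""
    # Case 1: several users behind one squid proxy share a single source IP.
    proxy_ip = "192.0.2.10"
    by_ip = TicketStore(keyed_by_ip=True)
    t_alice = by_ip.issue(proxy_ip)
    t_bob = by_ip.issue(proxy_ip)  # overwrites Alice's row in an IP-keyed table
    by_ticket = TicketStore(keyed_by_ip=False)
    t_carol, t_dave = by_ticket.issue(proxy_ip), by_ticket.issue(proxy_ip)
    # Case 2: multi-parented proxy; a later request leaves via a different parent.
    parents = ("198.51.100.1", "198.51.100.2")
    t_erin = by_ticket.issue(parents[0])
    return {
        "case1_ip_keyed_alice_valid": by_ip.validate(t_alice, proxy_ip),  # False
        "case1_ip_keyed_bob_valid": by_ip.validate(t_bob, proxy_ip),  # True
        "case1_ticket_keyed_both_valid": by_ticket.validate(t_carol, proxy_ip)
        and by_ticket.validate(t_dave, proxy_ip),  # True
        "case2_login_parent_ok": by_ticket.validate(t_erin, parents[0]),  # True
        "case2_other_parent_ok": by_ticket.validate(t_erin, parents[1]),  # False
    }
```

Keying rows by ticket rather than by IP survives the shared-proxy case, but nothing in the scheme survives a proxy whose exit address changes between requests.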