[8175] in bugtraq
Referer (was Patches for wwwboard.pl)
daemon@ATHENA.MIT.EDU (Lincoln Stein)
Mon Oct 12 16:47:08 1998
Date: Fri, 9 Oct 1998 16:46:07 -0400
Reply-To: lstein@cshl.org
From: Lincoln Stein <lstein@CSHL.ORG>
X-To: Michael Blythe <michael@CONFLUENCE-INC.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <v04011700b243d7ce7c46@[198.182.208.50]>
Michael Blythe writes:
> In September's 'Web Techniques', Lincoln Stein discusses the problem of
> using the referer header as an authentication method for CGI scripts. He
> suggests using MD5 to check whether a form's fields have been tampered
> with. I'm not sure if this would work with the wwwboard, because of the way
> the script is passing info in hidden fields, but it will work in other
> applications:
> [...]
> * in perl, the MD5 hash can be computed as follows:
> $hash = MD5->hexhash(MD5->hexhash($secret) . "@untamperable @consistency");
Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC). A more secure technique
is this:
$hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))
I explain the problems with the original scheme in the October issue
of Web Techniques.
Lincoln
--
========================================================================
Lincoln D. Stein Cold Spring Harbor Laboratory
lstein@cshl.org Cold Spring Harbor, NY
========================================================================
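Both constructions side by side in Python, as an added example that is not part of the post or of wwwboard (the secret, field names and values are constructed), with a constant-time verifier and a check showing that the space-joined field list the Perl interpolation produces is ambiguous:

```python
import hashlib
import hmac

SECRET = "s3cret-server-side-value"  # assumption: server-only secret, never sent to the client


def md5hex(data):
    """Lowercase hex MD5, matching Perl's MD5->hexhash."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def join_fields(untamperable, consistency):
    # Perl "@untamperable @consistency" interpolates each list with single spaces.
    return " ".join(untamperable) + " " + " ".join(consistency)


def mac_original(secret, untamperable, consistency):
    """Scheme quoted in the post: MD5( MD5(secret) . fields )."""
    # The outer hash sees a fixed-length prefix (32 hex chars) followed by
    # attacker-visible data, so the secret does not protect the tail of the input.
    return md5hex(md5hex(secret) + join_fields(untamperable, consistency))


def mac_improved(secret, untamperable, consistency):
    """Scheme Stein recommends: MD5( secret . MD5("secret fields") )."""
    # The secret leads both hash inputs and the inner digest is never exposed.
    inner = md5hex(secret + " " + join_fields(untamperable, consistency))
    return md5hex(secret + inner)


def verify(secret, untamperable, consistency, presented):
    """Recompute the MAC server-side and compare in constant time."""
    expected = mac_improved(secret, untamperable, consistency)
    return hmac.compare_digest(expected, presented)


def join_is_ambiguous(secret):
    """Space-joining values lets two different field sets produce one MAC."""
    a = mac_improved(secret, ["item=book", "qty=2"], ["user=alice"])
    b = mac_improved(secret, ["item=book qty=2"], ["user=alice"])
    return a == b


if __name__ == "__main__":
    hidden = ["item=book", "price=10"]  # constructed hidden form fields
    consist = ["user=alice"]
    tag = mac_improved(SECRET, hidden, consist)
    print("form ok:", verify(SECRET, hidden, consist, tag))  # True
    print("tampered:", verify(SECRET, ["item=book", "price=1"], consist, tag))  # False
    print("ambiguous join:", join_is_ambiguous(SECRET))  # True
```

The collision in `join_is_ambiguous` is a canonicalization problem independent of the MAC construction: length-prefix or URL-encode each field value before hashing so that field boundaries cannot move.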