Home page logo

bugtraq logo Bugtraq mailing list archives

Referer (was Patches for wwwboard.pl)
From: lstein () cshl org (Lincoln Stein)
Date: Fri, 9 Oct 1998 16:46:07 -0400

Michael Blythe writes:
In September's 'Web Techniques', Lincoln Stein dicscusses the problem of
using the referer header as an authentication method for CGI scripts. He
suggests using MD5 to check whether a form's fields have been tampered
with. I'm not sure if this would work with the wwwboard, because of the way
the script is passing info in hidden fields, but it will work in other
* in perl, the MD5 hash can be computed as follows:
$hash = MD5 -> hexhash(MD5->hexhash ($secret) "@untamperable @consistency");

Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC).  A more secure technique
is this:

 $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))

I explain the problems with the original scheme in the October issue
of Web Techniques.


Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein () cshl org                                   Cold Spring Harbor, NY

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]