[thesite] My Intro and a look at a UEUE Proposal

Daniel J. Cody djc at starkmedia.com
Thu Oct 18 10:05:27 CDT 2001


you guys do realize that you can't use the cookie without validating 
it against the hash, right? there are two fields for every value in the 
cookie:
USER_NAME = djc
USER_NAME_HASH = MD5(USER_NAME.ueue-server-secret-key)

where USER_NAME_HASH would end up with something like 
12039123n12klj3hsd8ui123jh12

when m.e.o gets that info, it doesn't automatically assume I'm djc (and 
the privileges that go with my userid); it runs the plain text value 
through the hash as well.

if they don't match, m.e.o knows it's not me and wipes the cookie or 
sends me back to ueue.evolt.org to revalidate.

so little Joey Cracker, who has a m.e.o account, could set a cookie 
claiming he was djc and had a priv level of 4 and send himself to the 
main site to delete all of isaac's articles. fuck, he could even create 
a cookie with values like

USER_NAME = djc
USER_NAME_HASH = MD5(USER_NAME.JOEY-secret-key)

so it looks *just like ours*. the problem is, he hashed it with a 
different secret key, so when he goes to w.e.o it won't validate. better 
luck next time, insert coin, game over.

no need for new domains, moving shit, or paranoia... this is all spelled 
out pretty clearly in mark's write-up at 
http://members.evolt.org/mnickel/ueue.html :)

.djc.

.jeff wrote:


>>Could be avoided if we separated the meo admin stuff
>>from the meo member space
>><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
>>
> 
> it can't be avoided by simply moving meo admin stuff elsewhere.  the
> problem, as it exists right now, is that the easiest way to set a cookie
> that can be read by all sites is to set it to *.evolt.org.  that means that
> anybody with a member site can read it.  you can limit the path up the chain
> (as you chop off directories in the request) that can read the cookie by
> specifying a path, but you can't limit the path down the chain (directories
> off the domain).
> 
> so, a path of "/jeff/" and a domain of *.evolt.org would keep any site
> within evolt.org from reading the cookie, except for those cases where the
> site is trying to read it from a directory named "jeff".  this effectively
> keeps the contents of my cookie within my "user space" on m.e.o.  however, i
> can't specify a path of "/" and expect the cookie not to get sent when
> requesting sub-directories.
> 
> that aside, the top-level pages of m.e.o (account signup, front page, etc.)
> all need to respond to the user and be able to read a cookie with that
> user's authentication.  i see no way of being able to do that without
> exposing the cookie to m.e.o accounts.
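Editor's added example (not code from the post, from mark's write-up, or from evolt): the per-value "MD5(value . secret)" check djc describes, run through his two forgery cases, next to a hardened variant that puts one HMAC-SHA256 tag over the whole cookie. Both secrets, the field names (USER_NAME, PRIV_LEVEL), the "admin" account and the cookie layout are assumptions for the demo. The editor's own caveat, which the post does not raise, is also demonstrated: when every field carries its own hash, a valid USER_NAME pair from one cookie and a valid PRIV_LEVEL pair from another can be spliced together and still validate, whereas a single tag over all fields cannot be.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed secrets for the demo; the real ueue key is of course not on the page.
UEUE_SECRET = "ueue-server-secret-key"
JOEY_SECRET = "JOEY-secret-key"


def legacy_field_hash(value: str, secret: str) -> str:
    """MD5(value . secret): the per-field hash the post describes ("." is concatenation)."""
    return hashlib.md5((value + secret).encode("utf-8")).hexdigest()


def legacy_build_cookie(fields: dict, secret: str) -> dict:
    """Emit each value plus a sibling <NAME>_HASH field, as in the post."""
    cookie = {}
    for name, value in fields.items():
        cookie[name] = value
        cookie[name + "_HASH"] = legacy_field_hash(value, secret)
    return cookie


def legacy_validate_cookie(cookie: dict, secret: str) -> bool:
    """What m.e.o does on receipt: rehash every plain-text value with the
    server secret and compare; any mismatch means the cookie is not ours."""
    names = [n for n in cookie if not n.endswith("_HASH")]
    if not names:
        return False
    ok = True
    for name in names:
        expected = legacy_field_hash(cookie[name], secret)
        got = str(cookie.get(name + "_HASH", ""))
        # constant-time compare, and keep going so timing does not reveal which field failed
        ok &= hmac.compare_digest(expected.encode("utf-8"), got.encode("utf-8"))
    return ok


def hardened_build_cookie(fields: dict, secret: str) -> dict:
    """One HMAC-SHA256 tag over a canonical (sorted, URL-encoded) encoding of ALL fields."""
    payload = urlencode(sorted(fields.items()))
    tag = hmac.new(secret.encode("utf-8"), payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return {**fields, "MAC": tag}


def hardened_validate_cookie(cookie: dict, secret: str) -> bool:
    """Recompute the tag over every non-MAC field; a change to any one field breaks it."""
    fields = {k: v for k, v in cookie.items() if k != "MAC"}
    if not fields:
        return False
    payload = urlencode(sorted(fields.items()))
    expected = hmac.new(secret.encode("utf-8"), payload.encode("utf-8"), hashlib.sha256).hexdigest()
    got = str(cookie.get("MAC", ""))
    return hmac.compare_digest(expected.encode("utf-8"), got.encode("utf-8"))


def demo() -> dict:
    """Run the scenarios from the post (and the editor's splice caveat) against both schemes."""
    results = {}

    genuine = legacy_build_cookie({"USER_NAME": "djc", "PRIV_LEVEL": "2"}, UEUE_SECRET)
    results["genuine_legacy"] = legacy_validate_cookie(genuine, UEUE_SECRET)

    # Joey sets USER_NAME=djc and PRIV_LEVEL=4 with made-up hashes.
    naive = {"USER_NAME": "djc", "USER_NAME_HASH": "12039123n12klj3hsd8ui123jh12",
             "PRIV_LEVEL": "4", "PRIV_LEVEL_HASH": "deadbeef"}
    results["naive_forgery_legacy"] = legacy_validate_cookie(naive, UEUE_SECRET)

    # Joey builds a cookie that "looks just like ours", but hashed with his own key.
    joeys = legacy_build_cookie({"USER_NAME": "djc", "PRIV_LEVEL": "4"}, JOEY_SECRET)
    results["wrong_key_legacy"] = legacy_validate_cookie(joeys, UEUE_SECRET)

    # Editor's caveat: per-field hashes can be spliced. Take the genuine USER_NAME
    # pair from djc's cookie and a genuine PRIV_LEVEL=4 pair from an (assumed)
    # admin's cookie; both are readable by any *.evolt.org member site per the
    # quoted reply. Each field still validates on its own, so the mix is accepted.
    admin = legacy_build_cookie({"USER_NAME": "admin", "PRIV_LEVEL": "4"}, UEUE_SECRET)
    spliced = {"USER_NAME": genuine["USER_NAME"], "USER_NAME_HASH": genuine["USER_NAME_HASH"],
               "PRIV_LEVEL": admin["PRIV_LEVEL"], "PRIV_LEVEL_HASH": admin["PRIV_LEVEL_HASH"]}
    results["spliced_legacy"] = legacy_validate_cookie(spliced, UEUE_SECRET)

    # Same splice against the whole-cookie MAC: the admin's tag covers USER_NAME=admin.
    h_genuine = hardened_build_cookie({"USER_NAME": "djc", "PRIV_LEVEL": "2"}, UEUE_SECRET)
    h_admin = hardened_build_cookie({"USER_NAME": "admin", "PRIV_LEVEL": "4"}, UEUE_SECRET)
    h_spliced = {"USER_NAME": "djc", "PRIV_LEVEL": "4", "MAC": h_admin["MAC"]}
    results["genuine_hardened"] = hardened_validate_cookie(h_genuine, UEUE_SECRET)
    results["spliced_hardened"] = hardened_validate_cookie(h_spliced, UEUE_SECRET)
    results["wrong_key_hardened"] = hardened_validate_cookie(
        hardened_build_cookie({"USER_NAME": "djc", "PRIV_LEVEL": "4"}, JOEY_SECRET), UEUE_SECRET)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'accepted' if verdict else 'rejected'}")
```

Two things worth keeping in mind when reading the post alongside this. First, MD5 over value-plus-secret is a home-made construction rather than a real MAC; an HMAC with a keyed hash and a constant-time comparison (hmac.compare_digest above) is the standard replacement, and signing all fields together closes the splice shown in the demo. Second, neither scheme addresses jeff's point in the quoted reply: a cookie scoped to *.evolt.org is readable by any member site, and a site that can read the whole cookie can replay it unchanged, hash or no hash. Integrity checking stops tampering with the contents; it does not stop reuse of a genuine cookie.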
