[thesite] how ueue works

Martin martin at members.evolt.org
Thu Oct 18 13:50:13 CDT 2001


Daniel J. Cody wrote on 18/10/01 7:19 pm

>IF:
>
>MD5($ueue.evolt.org.cookie.USERID*SUPERSECRETPASSWORD) = 
>$ueue.evolt.org.cookie.USERID_HASH
>
>THEN:
>
>set members.evolt.org.session.userid = ueue.evolt.org.cookie.userid
>  & location = members.evolt.org/index.cfm

OK, say J R Hacker's got a meo account & you visit his
site.

His site reads and reports your cookies as
userid = 5
userid_hash = 3cc076a28ccb2505ea525aca65e1185b

When JR visits his SuperSexySecretUEUESet page, he picks
which user ID to have today, and it sets those same cookies
to his browser.

JR then visits (say) aeo and wreaks havoc.

How do we stop that?

>the first cookie is in plain text. the second one is a once in a 
>lifetime string set with the MD5 protocol. it takes my userid and sends 
>it through an algorithm using a couple variables like so:
>
>userid_hash = MD5(userid.SUPERSECRETPASSWORD) and gets 
>3cc076a28ccb2505ea525aca65e1185b as a result. therefore,
>userid_hash = 3cc076a28ccb2505ea525aca65e1185b

Isn't the User ID pretty open - for example,
Matt's user page is
http://www.evolt.org/user/mwarden/65/index.html
Isaac's is
http://www.evolt.org/user/isaac/79/index.html

Both security credentials out in the open.

Would it be better to hash the password?
btw, you're right - MD5 is *super* cool.

Cheers
Martin

_______________________________________________
email: martin at easyweb.co.uk             PGP ID: 0xA835CCCB
       martin at members.evolt.org      snailmail: 30 Shandon Place
  tel: +44 (0)774 063 9985                      Edinburgh,
  url: http://www.easyweb.co.uk                 Scotland
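
An added example, not part of the original message or of evolt.org's code: it shows why the quoted MD5(userid + secret) cookie can be replayed indefinitely once copied, next to one common hardening, an HMAC over the user ID plus an expiry time. The secret value, function names, token layout and 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # stands in for SUPERSECRETPASSWORD (assumed value)

def static_hash(userid: int) -> str:
    """Scheme as quoted in the thread: MD5(userid . secret)."""
    return hashlib.md5(str(userid).encode() + SECRET).hexdigest()

def static_check(userid: int, userid_hash: str) -> bool:
    # The hash depends only on userid and the secret, so the same cookie
    # pair is valid forever and from any browser that presents it.
    return hmac.compare_digest(static_hash(userid).encode(), userid_hash.encode())

def _mac(userid: str, expires: str) -> str:
    msg = f"{userid}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(userid: int, now: int, ttl: int = 900) -> str:
    """Hypothetical replacement cookie: userid|expiry|HMAC-SHA256."""
    expires = str(int(now) + ttl)
    return f"{userid}|{expires}|{_mac(str(userid), expires)}"

def check_token(token: str, now: int):
    """Return the userid if the token is authentic and unexpired, else None."""
    try:
        userid, expires, mac = token.split("|")
        uid, exp = int(userid), int(expires)
    except ValueError:
        return None  # wrong field count or non-numeric fields
    if not hmac.compare_digest(_mac(userid, expires).encode(), mac.encode()):
        return None  # userid or expiry was altered, or the MAC was forged
    if now >= exp:
        return None  # a copied cookie stops working after the expiry
    return uid

if __name__ == "__main__":
    cookie = static_hash(5)
    print("static cookie accepted on replay:", static_check(5, cookie))
    tok = issue_token(5, now=1000)
    print("fresh token:", check_token(tok, now=1060))
    print("same token after expiry:", check_token(tok, now=1901))
```

Expiry only narrows the replay window: a copied token still works until it lapses, so the cookie also has to be kept away from other sites and off the wire in clear text.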




