[thesite] how ueue works
Martin
martin at members.evolt.org
Thu Oct 18 13:50:13 CDT 2001
Daniel J. Cody wrote on 18/10/01 7:19 pm
>IF:
>
>MD5($ueue.evolt.org.cookie.USERID*SUPERSECRETPASSWORD) =
>$ueue.evolt.org.cookie.USERID_HASH
>
>THEN:
>
>set members.evolt.org.session.userid = ueue.evolt.org.cookie.userid
> & location = members.evolt.org/index.cfm
OK, say J R Hacker's got a meo account & you visit his
site.
His site reads and reports your cookies as
userid = 5
userid_hash = 3cc076a28ccb2505ea525aca65e1185b
When JR visits his SuperSexySecretUEUESet page, he picks
which user ID to have today, and it sets those same cookies
to his browser.
JR then visits (say) aeo and wreaks havoc.
How do we stop that?
>the first cookie is in plain text. the second one is a once in a
>lifetime string set with the MD5 protocol. it takes my userid and sends
>it through an algorithm using a couple variables like so:
>
>userid_hash = MD5(userid.SUPERSECRETPASSWORD) and gets
>3cc076a28ccb2505ea525aca65e1185b as a result. therefore,
>userid_hash = 3cc076a28ccb2505ea525aca65e1185b
Isn't the User ID pretty open - for example,
Matt's user page is
http://www.evolt.org/user/mwarden/65/index.html
Isaac's is
http://www.evolt.org/user/isaac/79/index.html
Both security credentials out in the open.
Would it be better to hash the password?
btw, you're right - MD5 is *super* cool.
Cheers
Martin
_______________________________________________
email: martin at easyweb.co.uk
       martin at members.evolt.org
tel: +44 (0)774 063 9985
url: http://www.easyweb.co.uk
PGP ID: 0xA835CCCB
snailmail: 30 Shandon Place, Edinburgh, Scotland