[thesite] My Intro and a look at a UEUE Proposal

.jeff jeff at members.evolt.org
Thu Oct 18 12:45:07 CDT 2001


dan,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Daniel J. Cody
>
> you guys do realize that you can't use the cookie
> without validating them against the hash right?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

of course.  if not, what would be the point of hashing it to begin with,
right?

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> when m.e.o gets that info, it doesn't automatically
> assume I'm djc (and the privileges that go with my
> userid), it runs the plain text value through the
> hash as well.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

and double-checks that they both match as encrypted values.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> if they don't match, m.e.o knows it's not me and wipes
> the cookie or sends me back to ueue.evolt.org to
> revalidate.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

sure

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> so little Joey Cracker that has a m.e.o account could
> set a cookie claiming he was djc and had a priv level
> of 4 and send himself to the main site to delete all
> of isaac's articles. fuck, he could even create a
> cookie with values like
>
> USER_NAME = djc
> USER_NAME_HASH = MD5(USER_NAME.JOEY-secret-key)
>
> so it looks *just like ours*. the problem is, he hashed
> it with a different secret key so when he goes to w.e.o
> it won't validate. better luck next time, insert coin,
> game over.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

keeping the meo account holders from *creating* cookies is fine.  however,
keeping them from reading your cookie and *copying* it is another story.
all they have to do is log all the cookie values of visitors to their site,
then start down the list with those cookie values as their own until they
find one that gives them the appropriate level of access.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> no need for new domains, moving shit, or paranoia...
> this is all spelled out pretty clearly in mark's write-up
> at http://members.evolt.org/mnickel/ueue.html :)
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

i hate to burst your bubble, but the implications of having a member base
with direct access to the visitors' cookies are addressed neither in mark's
write-up nor in chapter 6 of the eagle book.

thanks,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
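The two cases argued above, as an added example that is not part of the original post or of the UEUE code: the cookie layout is the one quoted in the thread (USER_NAME in the clear, USER_NAME_HASH = MD5(USER_NAME . secret)); the secret values and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret for this example; the real UEUE key is not on the page.
SITE_SECRET = b"example-site-secret"


def make_cookie(user_name: str, secret: bytes) -> dict:
    """Build a cookie of the form described in the thread:
    USER_NAME in the clear, USER_NAME_HASH = MD5(USER_NAME . secret)."""
    digest = hashlib.md5(user_name.encode() + secret).hexdigest()
    return {"USER_NAME": user_name, "USER_NAME_HASH": digest}


def validate_cookie(cookie: dict, secret: bytes) -> bool:
    """The check djc describes: recompute the hash from the plain-text name
    with the site's own secret and compare it with the presented hash."""
    expected = hashlib.md5(cookie["USER_NAME"].encode() + secret).hexdigest()
    return hmac.compare_digest(expected, cookie["USER_NAME_HASH"])


def forged_cookie_is_rejected() -> bool:
    """Joey's case: a cookie hashed with a different key fails the
    recomputation, so the validation step does its job."""
    forged = make_cookie("djc", b"JOEY-secret-key")
    return not validate_cookie(forged, SITE_SECRET)


def copied_cookie_is_accepted() -> bool:
    """jeff's case: a verbatim copy of a genuine cookie, logged on a member's
    page, passes the same validation unchanged, because nothing in the cookie
    ties it to the visitor who originally received it. No secret is needed."""
    genuine = make_cookie("djc", SITE_SECRET)
    copied = dict(genuine)  # byte-for-byte copy of what the browser sent
    return validate_cookie(copied, SITE_SECRET)
```

Running both checks shows why hash validation alone settles the forging question but not the copying one: the hash proves the cookie was issued by the site, not who is presenting it.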