New webpage

Brian K. White brian at aljex.com
Thu Jan 26 02:17:51 PST 2006


> The page:
> http://www.fptech.com/Products/Demos/reqddemo.shtml
>
> Contains the following fPcgi related field code:
> <input type="hidden" name="Field_cmd" value="rreport emailreg -sr 1 -fp
> demonew -N">

Yegads, there are simple enough ways to hide info like that from the client 
PC.

At the very least, encrypt that string so only the CGI script knows how to 
decode it into a report command. That way you don't see actual commands and 
file names, and you can't modify the command into anything that works. 
Better, replace the page this field is on with a CGI so that the encryption 
key can change periodically, or even with each request.

My stuff encrypts things like that, and when delivering some types of 
content to the PC, it hides the real path the content came from by having the 
CGI copy or symlink the real file to a unique random name in a dir under 
htdocs; a cron job that runs every minute removes the temp file 3 
minutes after it was created.

The user cannot see anything in the address bar or in "view source" but 
encrypted junk, short-lived unpredictable temp file names, and the actual 
content they were intended to get.
They can't modify a URL or the source to get anything else, and they can't learn 
the layout of the server from anything they can see. The key used to 
encrypt the strings also changes every hour and is itself random, so that 
you can't save a URL and have it work later, and you can't crack the key by 
submitting a lot of requests and saving the generated encrypted strings for 
a cracker program to analyse.

There is still improvement to do. Right now, every time the key changes there 
is a chance for a request to fail, so I don't want it to change much more 
often than hourly. But I could probably work something out where the key 
changed for each request and no requests were at risk of failing. For now, I 
don't think the server or the net connection can run fast enough to service 
enough requests in an hour to generate enough data for a cracker to work 
with.

Brian K. White  --  brian at aljex.com  --  http://www.aljex.com/bkw/
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro  BBx    Linux  SCO  FreeBSD    #callahans  Satriani  Filk!
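The scheme the post describes (an opaque token in place of the raw command, an hourly rotating random key, a random-named copy under htdocs swept by cron after three minutes) as an added example, not the poster's or filePro's code. It swaps the post's "encrypt the string" for a server-side allowlist plus an HMAC over a short id, so the command text never leaves the server and a tampered token fails verification outright; it also closes the gap the poster mentions at key-change time by accepting tokens signed under the previous hour's key for as long as they are unexpired. The only thing taken from the page is the command string in the hidden field; the table of ids, key derivation, token layout, TTLs and all function names are assumptions made for illustration.

```python
"""Opaque, authenticated, short-lived report tokens for a CGI front end.

Added example, not the list poster's code. REPORT_COMMANDS["emailreg-demo"]
is the command the quoted page exposed; everything else is an assumption.
"""
import base64
import hashlib
import hmac
import os
import secrets
import shutil
import time
from typing import Optional

# Server-side table of the only report commands the CGI may run. The client
# only ever sees the short id; the command text never leaves the server.
REPORT_COMMANDS = {
    "emailreg-demo": "rreport emailreg -sr 1 -fp demonew -N",  # from the page
    "weekly-demo": "rreport weekly -sr 1 -fp demonew -N",      # constructed
}

TOKEN_TTL = 180      # seconds a token (and a published copy) stays valid
KEY_PERIOD = 3600    # seconds each derived key is current: hourly rotation
MASTER_SECRET = secrets.token_bytes(32)   # production: a file outside htdocs


def _epoch(now: float) -> int:
    """Which hourly key period a timestamp falls in."""
    return int(now) // KEY_PERIOD


def _key_for(epoch: int, master: Optional[bytes] = None) -> bytes:
    """Derive the per-period MAC key from the master secret (HMAC as a KDF),
    so the key in use changes hourly with no state beyond the master."""
    master = MASTER_SECRET if master is None else master
    return hmac.new(master, b"fpcgi-token-v1|%d" % epoch, hashlib.sha256).digest()


def issue_token(cmd_id: str, now: Optional[float] = None,
                master: Optional[bytes] = None) -> str:
    """Build the value to put in the hidden field: epoch|issued|nonce|id + MAC."""
    if cmd_id not in REPORT_COMMANDS:
        raise KeyError("unknown report id %r" % cmd_id)
    now = time.time() if now is None else now
    epoch = _epoch(now)
    body = "%d|%d|%s|%s" % (epoch, int(now), secrets.token_hex(8), cmd_id)
    mac = hmac.new(_key_for(epoch, master), body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body.encode() + b"|" + mac).decode()


def verify_token(token: str, now: Optional[float] = None,
                 master: Optional[bytes] = None) -> Optional[str]:
    """Return the command to run, or None if the token is malformed, forged,
    expired, or signed under a key older than the one-period grace window."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 33 or raw[-33:-32] != b"|":
        return None
    body, mac = raw[:-33], raw[-32:]
    try:
        epoch_s, issued_s, _nonce, cmd_id = body.decode().split("|")
        epoch, issued = int(epoch_s), int(issued_s)
    except ValueError:
        return None
    # Accept the current period and the previous one: a token issued seconds
    # before the hourly key change still verifies until its own TTL runs out.
    if epoch not in (_epoch(now), _epoch(now) - 1):
        return None
    expected = hmac.new(_key_for(epoch, master), body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return None
    if not issued <= now <= issued + TOKEN_TTL:
        return None
    return REPORT_COMMANDS.get(cmd_id)


def publish(real_path: str, pub_dir: str) -> str:
    """Copy a file to an unguessable name under the web root and return that
    name for the client; the real path is never exposed."""
    name = secrets.token_urlsafe(16) + os.path.splitext(real_path)[1]
    shutil.copyfile(real_path, os.path.join(pub_dir, name))
    return name


def sweep(pub_dir: str, now: Optional[float] = None,
          max_age: int = TOKEN_TTL) -> int:
    """The per-minute cron job: delete published copies older than max_age
    seconds. Returns how many were removed."""
    now = time.time() if now is None else now
    removed = 0
    for entry in os.scandir(pub_dir):
        if entry.is_file() and now - entry.stat().st_mtime > max_age:
            os.remove(entry.path)
            removed += 1
    return removed


if __name__ == "__main__":
    tok = issue_token("emailreg-demo")
    print("hidden field value:", tok)
    print("cgi would run:", verify_token(tok))
```

The CGI that receives the form reads only `verify_token()`'s return value, so the shell command is built from the server's own table and never from client input; a token replayed after three minutes, one edited in the browser, or one minted with a guessed key all yield `None`. Derived keys (rather than a stored random key that is replaced each hour) are what let the previous period be checked without keeping any extra state.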