New webpage
Brian K. White
brian at aljex.com
Thu Jan 26 02:17:51 PST 2006
> The page:
> http://www.fptech.com/Products/Demos/reqddemo.shtml
>
> Contains the following fPcgi related field code:
> <input type="hidden" name="Field_cmd" value="rreport emailreg -sr 1 -fp
> demonew -N">
Yegads, there are simple enough ways to hide info like that from the client
PC.
At the very least encrypt that string so only the cgi script knows how to
decode it into a report command. That way you don't see actual commands and
file names, and you can't modify the command into anything that works.
Better, replace the page this field is on with a cgi so that the encryption
key can change periodically or with each request even.
My stuff encrypts things like that, and when delivering some types of
content to the pc, hides the real path the content came from by having the
cgi copy or symlink the real file to a unique random name in a dir under
htdocs, and a cron job that runs every minute removes the temp file 3
minutes after it was created.
The user cannot see anything in the address bar or in "view source" but
encrypted junk, short-lived unpredictable temp file names, and the actual
content they were intended to get.
They can't modify a url or the source to get anything else, they can't learn
the layout of the server from anything they can see. And the key used to
encrypt the strings also changes every hour and is itself random, so that
you can't save a url and have it work later, and you can't crack the key by
submitting a lot of requests and saving the generated encrypted strings for
a cracker program to analyse.
There is still improvement to do. Right now every time the key changes there
is a chance for a request to fail, so I don't want it to change much more
often than hourly. But I could probably work something out where the key
changed for each request and no requests were at risk of failing. For now, I
don't think the server or the net connection can run fast enough to service
enough requests in an hour to generate enough data for a cracker to work
with.
Brian K. White -- brian at aljex.com -- http://www.aljex.com/bkw/
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
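An added example, not code from this post or from fPcgi/filePro, of the sealed hidden field described above: the command is encrypted and authenticated under a key derived from the current hour, and the server also accepts the previous hour's key, so a page served just before a rotation still works while a saved URL stops working (the improvement mentioned at the end). The root secret, the hourly key period and the stdlib-only encrypt-then-MAC construction built from HMAC-SHA256 are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
KEY_PERIOD = 3600  # seconds per key; hourly rotation as in the post (constructed value)
ROOT_SECRET = b"constructed-placeholder-root-secret"  # assumption: exists only on the server
TAG_LEN = 16
def key_for(period: int) -> bytes:
    """Derive the key for one rotation period from the root secret (old keys never stored)."""
    return hmac.new(ROOT_SECRET, b"hidden-field:%d" % period, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:  # HMAC-SHA256 in counter mode
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(command: str, now=None) -> str:
    """Encrypt-then-MAC a command string into an opaque hidden-field value."""
    period = int((time.time() if now is None else now) // KEY_PERIOD)
    key = key_for(period)
    nonce = os.urandom(16)  # fresh per request, so identical commands never repeat a token
    pt = command.encode()
    ct = _xor(pt, _keystream(key, nonce, len(pt)))
    body = struct.pack(">I", period) + nonce + ct
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode()

def unseal(token: str, now=None):
    """Return the command, or None if the token is expired, forged, altered or malformed."""
    try:
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        period = struct.unpack(">I", body[:4])[0]
        current = int((time.time() if now is None else now) // KEY_PERIOD)
        # Accept the current and previous key, so requests in flight at rotation do not fail.
        if period not in (current, current - 1):
            return None
        key = key_for(period)
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN], tag):
            return None  # forged or modified: the command and file names stay unusable
        nonce, ct = body[4:20], body[20:]
        return _xor(ct, _keystream(key, nonce, len(ct))).decode()
    except (ValueError, struct.error):
        return None
```

In a real CGI the same shape applies with a library AEAD such as AES-GCM in place of the HMAC stream cipher; the MAC is what stops a client from turning the field into a different command that works.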