See Also
Proof of Concept Code
  • Don't use this code in production yet.

Adding a checksum to limit usage

Discussion: Not only use authentication as security.

Short


Background


Two stages


Proof of Concept

1. Lock down (save as actions/geniframe.php)
<?php
print $this->FormOpen("", "", "POST");
print 'page:<input name="page" type="input" value="'.$this->tag.'"><br />';
print 'url:<input name="url" type="input" value="'. stripslashes(htmlentities($_REQUEST["url"])) .'"><br />';
print '<input name="submit" type="submit" value="Submit" accesskey="s">';
print $this->FormClose();

$rnd = "AStupid$tri\ngToMake!tHarde\rFor BruteForceH4cke\rs";

if (isset($_REQUEST["url"]) && $_REQUEST["url"]<>'' && $this->isAdmin())
{
        $url = stripslashes($_REQUEST["url"]);
        $page = $this->ExistsPage(stripslashes($_REQUEST["page"])) ? stripslashes($_REQUEST["page"]) : $this->tag ;

        print "<br />OLD: {{iframe url=\"$url\" height=\"480\" width=\"640\"}}<br />\n\n";

        //Generate CheckSum...
        $md5 = md5( 'iFrame'.                           //prevent reusing the md5 for another action
                $this->config["mysql_password"].        //Something you would never give away
                $page.                                  //prevent usage on another page
                $rnd.                                   //prevent usage on another server (=other rnd!)
                $url );                                 //prevent changes in the url

        print "<br />NEW: {{iframe url=\"$url\" height=\"480\" width=\"640\" md5=\"$md5\"}}<br />\n\n";
}
?>

2. Unlock (save as actions/iframe.php)
<?php
$rnd = "AStupid$tri\ngToMake!tHarde\rFor BruteForceH4cke\rs";
$width = $this->htmlspecialchars_ent(trim($vars['width']));
$height = $this->htmlspecialchars_ent(trim($vars['height']));
$url = $this->cleanUrl(trim($vars['url']));

$md5 = md5('iFrame'. $this->config["mysql_password"] . $this->tag . $rnd . $url);
print "<!-- $md5 - ".$vars['md5']." -->"; //DEBUG remove when in production

if( $md5 == $vars['md5'] )
{
        echo '<iframe width="'.$width.'" height="'.$height.'" src="'.$url.'"></iframe>';
}
else
{
        print "ERROR...";
}
?>


The change

OLD: {{iframe url="http://www.google.com/" height="480" width="640"}}
NEW: {{iframe url="http://www.google.com/" height="480" width="640" md5="7f30d953687f82ecb15f64d0606f7d3e"}}
So this action can only be included on my intranet server, on the "SandBox" page AND with "http://www.google.com/" as url...

Note


-- OnegWR

Remarks

Please feel free to contribute!




CategoryDevelopmentSecurity
There are 3 comments on this page. [Show comments]
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki