Revision [16649]
This is an old revision of ActionsWithCheckSum made by Or2U5t on 2007-05-31 10:29:06.
See Also
Proof of Concept Code
Proof of Concept Code
- Don't use this code in production yet.
Adding a checksum to limit usage
Discussion: Don't rely on authentication alone for security.
Short
- Add a password/checksum (md5) to an action/function/...
- Control where (page/server/...) an action/function/... can be used.
Background
- Because every action is executed the moment the page is requested, the credentials of the user requesting the page are used to build it (not those of the user who wrote the page). This limits some actions (e.g. to the admin user only), as it is too dangerous to let everyone play with them. What if we could provide something that works fully "as is" but stops working the moment someone changes it?
- A nice example is the iframe action. By default it is disabled (placed in the inaccessible "/intranet" directory). It's not that iframe is a dangerous HTML tag; the risk is that someone else uses it for a purpose we wouldn't like and couldn't control...
- Wait a moment. What if we could control it? ... (Thank you GPL ;-)
Two stages
- First stage: Lock down.
  - Do I have access to this action?
  - Generate a checksum from a small (extra/new) script with the input of a simple web form.
  - Output: Show the right code to the user.
- Second stage: (try to) Unlock.
  - Check the checksum. Same as before, just with one extra param: 'md5'.
  - If successful, show the content.
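The two stages above, as a Python model added here (not the page's PHP action): checksum() is the lock-down form's job, unlock() and render_iframe() are what the action does on every request. The secret, the field order and the separator are assumptions, since the page does not show how its md5 is built; including the page name is what makes the same action text fail when pasted on another page.

```python
import hashlib
import hmac
import html

# Constructed secret for this example. The real action keeps its own salt
# string ($rnd) in the PHP source; this example does not use it.
SECRET = "example-secret-change-me"


def checksum(page: str, url: str, secret: str = SECRET) -> str:
    """Stage 1 (lock down): bind an iframe url to the page it was generated for.

    Field order and the NUL separator are this example's assumptions; the page
    only states that the extra 'md5' parameter is a checksum over the action.
    """
    data = f"{page}\x00{url}\x00{secret}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def unlock(page: str, url: str, md5: str, secret: str = SECRET) -> bool:
    """Stage 2 (unlock): recompute the checksum and compare it to the 'md5' param."""
    expected = checksum(page, url, secret)
    # Constant-time comparison on bytes: no early exit on the first differing
    # character, and no TypeError if the submitted value is not ASCII.
    supplied = md5.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected.encode("utf-8"), supplied)


def render_iframe(page: str, params: dict) -> str:
    """What the action does at request time: only a matching checksum renders."""
    url = params.get("url", "")
    if not unlock(page, url, params.get("md5", "")):
        return "<em>iframe action: checksum mismatch, content not shown</em>"
    return f'<iframe src="{html.escape(url, quote=True)}"></iframe>'


if __name__ == "__main__":
    # The page owner generates the action text once, on the lock-down form.
    token = checksum("HomePage", "http://example.com/")
    print(render_iframe("HomePage", {"url": "http://example.com/", "md5": token}))
    # The same text copied to another page, or with an edited url, fails.
    print(render_iframe("OtherPage", {"url": "http://example.com/", "md5": token}))
    print(render_iframe("HomePage", {"url": "http://example.org/other", "md5": token}))
```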
Proof of Concept
1. Lock down (save as actions/geniframe.php)
%%(php)
<?php
print $this->FormOpen("", "", "POST");
print 'page:<input name="page" type="input" value="'.$this->tag.'"><br />';
print 'url:<input name="url" type="input" value="'. stripslashes(htmlentities($_REQUEST["url"])) .'"><br />';
print '<input name="submit" type="submit" value="Submit" accesskey="s">';
print $this->FormClose();
$rnd = "AStupid\$tri\ngToMake!tHarde\rFor BruteForceH4cke\rs"; // secret salt; \$ keeps PHP from interpolating an undefined $tri variable
if (isset($_REQUEST["url"])