w*h Posts: 7 | 2 mm, you still have not understood the security implication of this scheme.
Let me explain how a person A can hijack another person B's account to send
an unauthorized letter under the new WWW interface.
The new WWW apparently uses a time stamp to maintain a login session, which is
shown in the URL: Stamp=########. The Stamp, unfortunately, is the Unix time()
function's return value (93####, my guess, I believe is true) when a person
logs in.
Let's imagine B logs in at time X and posts a letter on this BBS at time X+y (
y is a positive number). A and B share the same proxy, so they appear to have
the same IP address to the BBS server. A finds B's post and knows the time X1
the letter was posted (easily got from the post itself). Now A knows that if B is
online, he must have logged in at a not so distant time before X1.
Now if A knows something of HTTP and programming, he can start trying to access
http://bbs.mit.edu/cgi-bin/BBSanc?/bbslist/day&UserName=B&Stamp=X2.
This page is the top 10 hottest topics page; it could be any BBS WWW
page. X2 is the Unix time stamp, starting from X1. Since B won't stay so long,
probably posting his first letter 10 minutes after login, A need only try 10 * 60
times to get a positive answer and learn B's login timestamp. From that time on,
A can officially fake as B and post letters in B's name!
The BBS WWW needs a more elaborate way to control Web sessions, not based on IP
or any other predictable value.
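An added example from the defender's side, not code from the original post or from the BBS: it quantifies how little a time()-based Stamp hides once the post time is known, shows a CSPRNG-backed session token as the replacement, and runs a simple enumeration detector over constructed server-log records. The log field layout, the 60-second window and the threshold of 5 distinct stamps are assumptions.

```python
import math
import secrets
from collections import defaultdict

# Constructed sample of web-server log records: (unix_time, client_ip, username, stamp).
# The first five model one client presenting consecutive Stamp values for the same
# UserName within seconds; the last two model a normal user reusing one stamp.
SAMPLE_LOG = [
    (93000700, "10.0.0.5", "B", 93000100),
    (93000700, "10.0.0.5", "B", 93000101),
    (93000701, "10.0.0.5", "B", 93000102),
    (93000701, "10.0.0.5", "B", 93000103),
    (93000702, "10.0.0.5", "B", 93000104),
    (93000900, "10.0.0.9", "C", 93000650),
    (93000901, "10.0.0.9", "C", 93000650),
]

def timestamp_token_bits(max_session_age_seconds=600):
    """Effective entropy of a login-time() token once a post time is known:
    only max_session_age_seconds candidates remain, i.e. log2 of that count."""
    return math.log2(max_session_age_seconds)

def random_session_token(nbytes=16):
    """Replacement token: 128 bits from the OS CSPRNG, unrelated to time()."""
    return secrets.token_hex(nbytes)

def detect_stamp_enumeration(log, window_seconds=60, threshold=5):
    """Flag (ip, username) pairs that presented at least `threshold` distinct
    Stamp values within `window_seconds`: the signature of token guessing."""
    seen = defaultdict(list)  # (ip, user) -> [(time, stamp), ...]
    for t, ip, user, stamp in log:
        seen[(ip, user)].append((t, stamp))
    flagged = set()
    for key, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            stamps = {s for t, s in events[i:] if t - t0 <= window_seconds}
            if len(stamps) >= threshold:
                flagged.add(key)
                break
    return sorted(flagged)
```

With the constructed log, only the ("10.0.0.5", "B") pair is flagged, and a 10-minute session window leaves a time() token with under 10 bits of uncertainty against the 128 bits of the random token.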