Kevin Graeme wrote:
BTW, as of Win2K Windows authentication is largely based on
Kerberos, with a few extensions. So if you use Integrated Windows
Security, you are using Kerberos for browser authentication already.
Interesting. Now that you mention it I do seem to recall hearing some
Michael Dinowitz wrote:
checking amount of attempts per IP - ip can be forged
I'm not sure what you mean by this. If an HTTP request is coming from my
There's connection and reported connection IP. I remember back in the days there
was a security bug in CFHTTP where you could 'control' the IP
Kevin Graeme wrote:
This has always been a problem with the web. Not only do you not have
physical security of the device, you can not even be sure that it is the
device you are thinking it may be.
Isn't this kind of thing exactly what Kerberos was designed for?
It is one of the things that
On Friday 03 Oct 2003 03:49 am, Michael Dinowitz wrote:
You can fake the reported IP. I had mentioned this as a possible spam thing
and I've actually seen it in the wild with spam from 2 different places.
checking amount of attempts per IP - ip can be forged
You can't fake an IP and
I can pull up some posts sent to a closed list from a few
years back where there was an issue with CFHTTP. Seems that
you could forge what would show up in the CGI vars using it.
That 'feature' was yanked really fast. There's 2 different
things here. The first is the reported information
Ashenfelter
CTO/Transitionpoint
[EMAIL PROTECTED]
- Original Message -
From: Michael Dinowitz
To: CF-Talk
Sent: Thursday, October 02, 2003 5:51 PM
Subject: security flaw in web services
It looks to me like there's a problem with web services, specifically the ones
that allow logins
There's connection and reported connection IP. I remember
back in the days there was a security bug in CFHTTP where
you could 'control' the IP that was reported in the CGI vars.
That would be purely dependent on your web server, even if there were a way
to write a specific header. I don't
It's been a
while since I've muddled with Kerberos so I don't know if there's a
clean
way to handle it for a web application. I know there are clients you can
install that will handle the tickets, but I don't know what it would
take to
integrate them on the client side with the browser.
It looks to me like there's a problem with web services, specifically the ones
that allow logins. Basically, a username/password is sent to the service and it
responds with data if the person is a valid user. What stops someone from using
the web service again and again to test a un/pw until they
Isn't this, essentially, the same security weakness that would be an
issue with anything that requires a username/password? If my pair is
jim/jim1 it'll be easy to crack, but even jim/!iz+$8,9#qlww is going
to be considerably harder to muscle.
What about disabling access from account jim if I
So then what would be a foolproof way to secure them?
-Gel
-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
It looks to me like there's a problem with web services, specifically
the ones
that allow logins. Basically, a username/password is sent to the service
and
they're sending login information to.
-nathan strutz
-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 2:52 PM
To: CF-Talk
Subject: security flaw in web services
It looks to me like there's a problem with web services, specifically
Michael Dinowitz wrote:
It looks to me like there's a problem with web services, specifically the ones
that allow logins. Basically, a username/password is sent to the service and it
responds with data if the person is a valid user. What stops someone from using
the web service again and again
Nathan Strutz wrote:
Correct me if I'm wrong, but isn't this a flaw in any HTTP based login
system?
Why would HTTP be any more vulnerable than other protocols?
Jochem
It looks to me like there's a problem with web services,
specifically the ones that allow logins. Basically, a
username/password is sent to the service and it responds
with data if the person is a valid user. What stops
someone from using the web service again and again to test
a un/pw
Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 4:52 PM
To: CF-Talk
Subject: security flaw in web services
It looks to me like there's a problem with web services, specifically the
ones
that allow logins. Basically, a username/password is sent
www.macromedia.com
-
Vancouver Island ColdFusion Users Group
Founder Director
www.cfug-vancouverisland.com
- Original Message -
From: Michael Dinowitz
To: CF-Talk
Sent: Thursday, October 02, 2003 2:51 PM
Subject: security flaw
But what's to stop anyone from trying endless user/pass combinations for
any type of login? ;-)
But SSL is a must if the info is sensitive.
Stace
_
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: October 2, 2003 5:52 PM
To: CF-Talk
Subject: security flaw in web services
This has always been a problem with the web. Not only do you not have
physical security of the device, you can not even be sure that it is the
device you are thinking it may be.
Isn't this kind of thing exactly what Kerberos was designed for? It's been a
while since I've muddled with Kerberos
You can fake the reported IP. I had mentioned this as a possible spam thing and
I've actually seen it in the wild with spam from 2 different places.
checking amount of attempts per IP - ip can be forged
You can't fake an IP and expect TCP/IP to work.
Jochem
But surely that's email only - not web pages?
-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 October 2003 2:49 p.m.
To: CF-Talk
Subject: Re: security flaw in web services
You can fake the reported IP. I had mentioned this as a possible spam
checking amount of attempts per IP - ip can be forged
I'm not sure what you mean by this. If an HTTP request is coming from my
There's connection and reported connection IP. I remember back in the days there
was a security bug in CFHTTP where you could 'control' the IP that was reported
in the
- not web pages?
-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 October 2003 2:49 p.m.
To: CF-Talk
Subject: Re: security flaw in web services
You can fake the reported IP. I had mentioned this as a possible spam thing
and
I've actually seen
Message -
From: Michael Dinowitz [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 9:00 PM
Subject: Re: security flaw in web services
I can pull up some posts sent to a closed list from a few years back where
there
was an issue with CFHTTP. Seems that you could
-
From: Jim McAtee [mailto:[EMAIL PROTECTED]
Sent: Friday, 3 October 2003 2:22 PM
To: CF-Talk
Subject: Re: security flaw in web services
But what's this have to do with your login security flaw idea? Sure, client
IP
addresses are easily forged. Using this capability to crack even a simple
login