I have added an item to the GnuDIP "To Do":

  http://gnudip2.sourceforge.net/gnudip-www/latest/TODO.html

Here is the item:

Suppress Automated Abuse of "Self Registration" and "Forgotten Password"
========================================================================

At present the GnuDIP Web Interface is vulnerable to being used as the
"man in the middle" for an E-mail bombardment attack. 

A program can "GET" and "POST" the "Self Registration" page repeatedly
to send an E-mail bombardment to a third party. The bombardment will
seem to come from the GnuDIP site. 

The "Forgotten Password" page may be used in a similar way to bombard
the E-mail address that a GnuDIP user has registered with. 

Many popular sites are vulnerable to this same type of attack. (This
includes a certain very popular dynamic DNS service! So I feel better
now.)

These features are optional and may be disabled. 

To prevent this attack, this approach could be used: 

1. Generate a random string of characters before writing the page. 

2. Generate an image (jpeg would be best) with this character string
represented in it. Include this in the page. 

3. "Sign" the character string using the GnuDIP server key and include
this signature in the page as a "hidden" form field. 

4. Require the user to enter the character string they see in the image. 

5. When the response to the page is received, sign the value entered by
the user and compare it to the hidden form field. 

It would require extremely sophisticated pattern recognition software to
automate a response to this page that GnuDIP would accept. 

This would of course make it difficult for people using a text-mode
browser to use this feature. Vision impaired people would be out of
luck. 

===

Any volunteers?

To do this for use just on my own system or a client's system would not
be hard for me. But to do it for the common GnuDIP code without making
its installation much more complicated would be impossible. In
particular non-standard Perl modules would be needed. I am not going
down that road.

===

To some extent, GnuDIP right now is just the software that I run at my
little site.

I really just set up that site as a way to test the GnuDIP code, since
no one volunteered to help with this. Also, after 25 years in the
software development business, I have learned that it is impossible to
completely design a system before going to production. You don't really
know the requirements until you give it a go.

And this has been a very successful test!!

Also, GnuDIP has really been an intellectual exercise for me, as I am
semi-retired now. My background is really in IBM mainframe and then later
Windows/UNIX application development, and project planning (most
recently MQ Series and all that "suit" crap - in fact I probably did
qualify as a "suit") - not networking and web site construction. I
thought this would be a good way to learn this stuff, and become
familiar with working on the Internet. And indeed it was.

I will leave my site up for the people using it until I see that they
have lost interest in it.

If I do any more work in the area of dynamic DNS sites, it will be with
the idea of earning a few extra bucks to supplement my retirement income
- sort of a home business. I doubt then that I will maintain a GnuDIP
site as such any more. So my dynamic DNS system and GnuDIP may be about
to part ways.

This will clearly affect support levels. Oh well. What can you expect
for free?

-- 
Creighton MacDonnell
http://macdonnell.ca/


--
GnuDIP Mailing List
http://gnudip2.sourceforge.net/gnudip-www/#mailinglist
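The five-step scheme proposed in the message above, worked through as an added Python example. This is not GnuDIP code and not the list author's code; GnuDIP is written in Perl, and the server key, form field names and CGI path here are placeholders. The image step (2) is left out, since it needs an image library; what is shown is the stateless part: a random challenge, an HMAC "signature" of it under the server key carried in a hidden form field, and the check on submission. One thing the message does not cover is added here and labelled as such: if the signature covers only the characters, a single solved challenge can be replayed indefinitely, so the example also signs an expiry time and rejects stale or tampered submissions.

```python
import hashlib
import hmac
import html
import secrets
import string
import time
from typing import Optional

# Placeholder for the GnuDIP server key (an assumption of this example).
# A real deployment reads the key from server configuration, never from source.
SERVER_KEY = b"example-gnudip-server-key-not-real"

# Upper-case letters and digits render legibly in an image and avoid case puzzles.
ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_LENGTH = 6
# Addition to the scheme in the message: how long a challenge stays valid.
CHALLENGE_TTL = 600  # seconds


def sign(message: bytes, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 under the server key; this is the 'signature' in the hidden field."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def new_challenge(now: Optional[int] = None) -> dict:
    """Steps 1 and 3: random string plus a signature over (string, expiry).

    The plain text must go into the image only (step 2); the HTML carries just the
    expiry and the signature, so the server keeps no per-request state.
    """
    if now is None:
        now = int(time.time())
    text = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LENGTH))
    expires = now + CHALLENGE_TTL
    return {
        "text": text,
        "hidden_expires": str(expires),
        "hidden_sig": sign(f"{text}|{expires}".encode()),
    }


def render_form(challenge: dict, action: str = "/cgi-bin/gnudip.cgi") -> str:
    """Steps 3 and 4 as HTML. The <img> tag is omitted: this example does not draw
    the characters. Values are escaped even though they are server-generated."""
    return (
        f'<form method="POST" action="{html.escape(action)}">\n'
        f'  <input type="hidden" name="chal_expires" '
        f'value="{html.escape(challenge["hidden_expires"])}">\n'
        f'  <input type="hidden" name="chal_sig" '
        f'value="{html.escape(challenge["hidden_sig"])}">\n'
        f'  Type the characters shown in the image: '
        f'<input type="text" name="chal_answer" maxlength="{CHALLENGE_LENGTH}">\n'
        f'  <input type="submit" value="Continue">\n'
        f"</form>\n"
    )


def verify_response(entered: str, hidden_expires: str, hidden_sig: str,
                    now: Optional[int] = None) -> bool:
    """Step 5: sign what the user typed (plus the posted expiry) and compare to the
    hidden signature. Any tampering with the expiry field changes the expected
    signature, so it cannot be extended without the server key."""
    if now is None:
        now = int(time.time())
    try:
        expires = int(hidden_expires)
    except ValueError:
        return False
    if now > expires:
        return False  # stale challenge; blocks replay of an old solved pair
    answer = entered.strip().upper()  # be forgiving about case, not about content
    if len(answer) != CHALLENGE_LENGTH or any(c not in ALPHABET for c in answer):
        return False
    expected = sign(f"{answer}|{expires}".encode())
    # Constant-time comparison so timing does not leak how many hex digits matched.
    return hmac.compare_digest(expected, hidden_sig)


if __name__ == "__main__":
    chal = new_challenge()
    print(render_form(chal))
    # In the real flow the user reads chal["text"] from the image.
    print("correct answer accepted:", verify_response(chal["text"], chal["hidden_expires"], chal["hidden_sig"]))
    print("wrong answer accepted:", verify_response("XXXXXX", chal["hidden_expires"], chal["hidden_sig"]))
```

The point of signing rather than storing the challenge is the one the message relies on: the web interface stays stateless, so nothing has to be kept between the GET and the POST. The price is that the hidden field is an open ticket, which is why the example folds an expiry into the signed value; without it, one solved image would let an automated client submit the same (answer, signature) pair for as long as the server key stays the same.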