I was halfway through looking at this, but got distracted! Cheers for this.

Damien

At 10:19 AM 11/06/2002 -0600, you wrote:
>I know I said I wasn't going to fix this, but I did.
>
>No new Perl modules are needed.
>
>A shell script (or other command) is called to generate an image as a
>separately retrieved page. The default shell script calls the "convert"
>command from ImageMagick, which is readily available in binary form for
>most Unices, and generates a JPEG file.
>
>You can have GnuDIP call some other script if you want though,
>and generate any kind of page you want.
>
>===
>
>You can also provide a URL for "Self Registration", "Forgotten
>Password" and "Delete Current User". A link to these will replace the
>form button.
>
>===
>
>This is the blurb from the install file:
>
>2. The parameters URL_sendURL, URL_self_signup and URL_delthisuser in
>gnudip.conf specify URL-s which should take the place of the "Forgotten
>Password", "Self Registration" and "Delete Current User" form buttons.
>See the comments in gnudip.conf for more information.
>
>3. The parameters no_robots_prfx and no_robots_imgcmd in gnudip.conf
>must be correctly specified in order to use the GnuDIP feature to
>suppress automated abuse of "Self Registration", "Forgotten Password"
>and "Change E-mail Address". See the comments in gnudip.conf. If you
>have ImageMagick installed then the sample/default text image generation
>script should work for you.
>
>Once you have ensured the defaults will work, or provided an
>alternative image generation script, you can turn this option on in
>"System Settings" in the web interface.
>
>Without this, the GnuDIP Web Interface is vulnerable to being used as
>the "man in the middle" for an E-mail bombardment attack.
>
>A program can "GET" and "POST" the pages that send an E-mail repeatedly
>to send an E-mail bombardment to a third party. The bombardment will
>seem to come from the GnuDIP site.
>
> >
> > I have added an item to the GnuDIP "To Do":
> >
> >   http://gnudip2.sourceforge.net/gnudip-www/latest/TODO.html
> >
> > Here is the item:
> >
> > Suppress Automated Abuse of "Self Registration" and "Forgotten Password"
> > ========================================================================
> >
> > At present the GnuDIP Web Interface is vulnerable to being used as the
> > "man in the middle" for an E-mail bombardment attack.
> >
> > A program can "GET" and "POST" the "Self Registration" page repeatedly
> > to send an E-mail bombardment to a third party. The bombardment will
> > seem to come from the GnuDIP site.
> >
> > The "Forgotten Password" page may be used in a similar way to bombard
> > the E-mail address that a GnuDIP user has registered with.
> >
> > Many popular sites are vulnerable to this same type of attack. (This
> > includes a certain very popular dynamic DNS service! So I feel better
> > now.)
> >
> > These features are optional and may be disabled.
> >
> > To prevent this attack, this approach could be used:
> >
> > 1. Generate a random string of characters before writing the page.
> >
> > 2. Generate an image (jpeg would be best) with this character string
> > represented in it. Include this in the page.
> >
> > 3. "Sign" the character string using the GnuDIP server key and include
> > this signature in the page as a "hidden" form field.
> >
> > 4. Require the user to enter the character string they see in the image.
> >
> > 5. When the response to the page is received, sign the value entered by
> > the user and compare it to the hidden form field.
> >
> > It would require extremely sophisticated pattern recognition software to
> > automate a response to this page that GnuDIP would accept.
> >
> > This would of course make it difficult for people using a text-mode
> > browser to use this feature. Vision impaired people would be out of
> > luck.
> >
>
>--
>Creighton MacDonnell
>http://macdonnell.ca/
>
>--
>GnuDIP Mailing List
>http://gnudip2.sourceforge.net/gnudip-www/#mailinglist

--
GnuDIP Mailing List
http://gnudip2.sourceforge.net/gnudip-www/#mailinglist
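The challenge mechanism proposed in the quoted TODO item (random string, image, server-key signature in a hidden field, re-sign and compare on submission), as an added worked example that is not GnuDIP's code and not part of this thread. It is written in Python rather than GnuDIP's Perl, uses an HMAC with a constructed sample key in place of the real server key, and goes beyond the quoted five steps in one respect: the signature also covers an issue timestamp so that an old challenge is refused. The `convert` argument list is an assumed illustration of the ImageMagick call mentioned above, not the project's sample script.

```python
import hashlib
import hmac
import secrets
import string
import time

# Constructed sample key; a real deployment would read the server key from gnudip.conf.
SERVER_KEY = b"constructed-sample-gnudip-server-key"
CHALLENGE_LENGTH = 6
# Letters and digits, minus the ones that are easy to confuse when rendered (0/O, 1/I).
CHALLENGE_ALPHABET = "".join(
    c for c in string.ascii_uppercase + string.digits if c not in "0O1I"
)
TTL_SECONDS = 600  # expiry window: an addition beyond the quoted design


def new_challenge_text(length=CHALLENGE_LENGTH):
    """Step 1: random string the user will have to read from the image."""
    return "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(length))


def image_command(text, out_path):
    """Step 2, assumed shape of an ImageMagick 'convert' call (argv list, so no shell quoting).

    This stands in for the image script GnuDIP ships and is not taken from it."""
    return ["convert", "-size", "200x60", "xc:white", "-pointsize", "32",
            "-draw", f"text 10,42 '{text}'", out_path]


def sign(text, issued_at, key=SERVER_KEY):
    """Step 3: keyed hash over the expected text and the issue time, for the hidden field."""
    message = f"{issued_at}:{text.upper()}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Build what the page needs: the image text plus the hidden-field timestamp and signature."""
    issued_at = int(time.time() if now is None else now)
    text = new_challenge_text()
    return {"image_text": text, "issued_at": issued_at, "signature": sign(text, issued_at)}


def verify_response(user_entry, issued_at, signature, now=None, key=SERVER_KEY):
    """Step 5: re-sign what the user typed (step 4) and compare with the hidden field.

    The comparison is constant-time, matching ignores case and surrounding whitespace,
    and a challenge older than TTL_SECONDS (or carrying a future timestamp) is refused."""
    now = time.time() if now is None else now
    try:
        issued_at = int(issued_at)
    except (TypeError, ValueError):
        return False
    if not 0 <= now - issued_at <= TTL_SECONDS:
        return False
    expected = sign(user_entry.strip(), issued_at, key)
    return hmac.compare_digest(expected, str(signature))


if __name__ == "__main__":
    page = issue_challenge()
    print("image command:", " ".join(image_command(page["image_text"], "/tmp/challenge.jpg")))
    print("hidden fields:", page["issued_at"], page["signature"])
    accepted = verify_response(page["image_text"].lower(), page["issued_at"], page["signature"])
    print("correct entry accepted:", accepted)
```

Because the server stores nothing between issuing and checking, the hidden field has to carry everything the check needs (here the timestamp and the signature), and the key must never leave the server. One property the quoted design does not give even with the expiry added: a correctly solved challenge can be submitted again within its window, so a site that wants each image to be usable once would also have to record used signatures server-side.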