Yes, but you can just rip the signature from someone else's site.

See third example on http://www.sargasso.net/testseal.html where I pretend to be it.ca in order to sully their good name (or whatever these protections are supposed to prevent).

OpenSRS: the simplest solution to this would be to check for 'fire_url' only coming from POST variables, though this is still exploitable - the only way to make it not be would be to have a one-time password output in the form and verified in the receiving page. I guess it's a question of how much effort you're willing to put into this.

I can give you a method that will be totally non-exploitable and will never require users to type anything even if they're behind a proxy, but will require scripting on the reseller's website (perhaps part of the client code?)

David

On Wed, 16 Oct 2002, Mark wrote:

> to get it working we added a form field to the url string... ala
>
> http://referrals.tucows.com/auth_res/auth_res.cgi?seal_r=91&signature=9999yoursignaturethingy99&fire_url=www.yourdomain.com
> (won't work as is but works with the right values on my website)
>
> the secret incantation is fire_url
>
> so as I understand the fire_url has to match the signature or it won't
> work, dunno if this breaks anything else...
> referrer checking isn't great anyhow.
>
> Mark
>
> At 07:04 PM 10/16/2002, David wrote:
>
> > No browser that I know of will send a referrer to a javascript popup, so I
> > have to wonder how this was ever meant to work without the user having to
> > type in the domain.
> >
> > A better solution would be to have the javascript create the popup onclick
> > (to get the correct size and window ornaments), and then "fall through"
> > and let the href work as normal, with a target of the popup. This way the
> > referrer will get passed.
> >
> > This is demonstrated here
> > http://www.sargasso.net/testseal.html
> >
> > Perhaps the 'cut and paste' supplied by tucows could be altered to match
> > the second example.
> >
> > David
> >
> > On Wed, 16 Oct 2002, [EMAIL PROTECTED] wrote:
> >
> > > Hello
> > > I have a question in regards to the Authorized reseller site seal.
> > > I installed it today and all seemed to go well until I tried to use the
> > > verify tool included by clicking the seal.
> > > It goes to the database alright but asked the client to type in the
> > > site name with this error message. Is this something temporary or will this
> > > continue to happen? I don't think I know anyone that doesn't have a
> > > firewall of some sort. If this is going to continue I can't leave it on
> > > the site; it would annoy most clients.
> > >
> > > error from seal
> > >
> > > Please enter the URL that you wish to verify:
> > >
> > > >Box to enter was here<
> > >
> > > You are being prompted to enter a URL Address
> > > as your firewall may prevent our system from automatically
> > > determining the URL for you.
> > >
> > > Greg Makuch
> > > Whatever Computes Ltd.
> > > http://www.whatevercomputes.com
> > > [EMAIL PROTECTED]
> > > phone: 306-569-4174
> > > Toll-free: 1-877-291-3269
> >
> > --
> > |> /+\ \| | |>
> >
> > David Croft
> > Infotrek

--
|> /+\ \| | |>
David Croft
Infotrek
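The one-time token David proposes (a value minted for the reseller's page and checked once by the receiving page), as an added illustration that is not part of this thread or of the Tucows seal code: `issue_token`, `verify_token`, the key name, the TTL and the token layout are all assumptions. It assumes the reseller's server obtains a fresh token from the seal issuer when it renders its page (how it authenticates for that is out of scope) and that the seal click POSTs `seal_r`, `fire_url` and the token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example key, known only to the seal issuer's token service and verifier.
SERVER_KEY = b"example-server-key-not-for-production"
TOKEN_TTL = 300  # seconds a token stays valid after issue

# Tokens already redeemed; a second presentation of the same token is refused.
_used_tokens = set()


def issue_token(seal_r, fire_url, now=None):
    """Mint a one-time token that commits to this seal id and this reseller URL."""
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = "{}|{}|{}|{}".format(seal_r, fire_url, issued_at, nonce).encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return "{}.{}.{}".format(issued_at, nonce, mac)


def verify_token(seal_r, fire_url, token, now=None):
    """Accept only an unexpired, unused token whose MAC matches this seal and URL.

    A token copied from another reseller's page fails because fire_url is part
    of the MAC input; a replayed token fails because it has already been used.
    """
    now = now if now is not None else time.time()
    try:
        issued, nonce, mac = token.split(".")
        issued_at = int(issued)
    except ValueError:
        return False
    if now - issued_at > TOKEN_TTL or issued_at > now + 5:
        return False
    msg = "{}|{}|{}|{}".format(seal_r, fire_url, issued_at, nonce).encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    if token in _used_tokens:
        return False
    _used_tokens.add(token)
    return True
```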
