Re: [PHP] Can I prevent Server variables from being spoofed ?
Richard Lynch wrote:
> On Mon, May 23, 2005 5:40 am, Jochem Maas said:
>> your site would make you look less like monopolistic idiots (why is it that the
>> organisations with the most freaking money are the least capable of providing a
>> _proper_ site...?)
>
> Because their expert friend company (the one with the most money) told
> them it wasn't safe unless they only used their products.

it's a pity that the manager at my local branch [of 'the bank'] isn't such a gullible . (give me a bigger mortgage,... it's safer ;-)

> [That was a Microsoft-bash for anybody who didn't follow it.]

made me laugh :-)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Can I prevent Server variables from being spoofed ?
On Mon, May 23, 2005 5:40 am, Jochem Maas said:
> your site would make you look less like monopolistic idiots (why is it
> that the organisations with the most freaking money are the least capable of
> providing a _proper_ site...?)

Because their expert friend company (the one with the most money) told them it wasn't safe unless they only used their products.

[That was a Microsoft-bash for anybody who didn't follow it.]

--
Like Music? http://l-i-e.com/artists.htm
Re: [PHP] Can I prevent Server variables from being spoofed ?
> > Question: do you deny access to your home because the person ringing the bell
> > is African? Or maybe because he is Muslim? Or because he/she doesn't speak
> > English? There are laws against discrimination and you shouldn't create
> > applications that deny access based on where the user comes from, what
> > browser they use, or what language they speak.

Well I don't really bother with the above, but I do get pissed when the Jehovah's Witness people come over, I promise you the next one that comes over, Jehovah is gonna witness his/her butt being kicked! :-D

Cheers,
Ryan
RE: [PHP] Can I prevent Server variables from being spoofed ?
> -----Original Message-----
> From: Richard Lynch [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 23, 2005 2:13 PM

> I think they're trying to stop massive bandwidth drain by peeps
> direct-downloading the movie...

That would be fairly easy to work around. Have an md5 generated filename, use PHP to generate the file in a new window and check that a session var has been set earlier... I'm doing that on a site with (legal) mp3s

--
Med venlig hilsen / best regards
ComX Networks A/S
Kim Madsen
Systemudvikler/Systemdeveloper
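The session check described in the message above, as an added example that is not code from the thread: the embedding page stores a one-time token in the session, and the download script consults only that server-side state, never the User-Agent header. It substitutes a random token for the md5-generated filename; `MEDIA_DIR`, the function names and the sample file name are assumptions.

```php
<?php
// Added example: gate a download on server-side session state, not on User-Agent.
// MEDIA_DIR, the function names and 'trailer.mov' are assumptions for illustration.
declare(strict_types=1);

const MEDIA_DIR = '/srv/media';   // assumed directory outside the web root

// Called by the page that legitimately embeds the movie: records a one-time,
// expiring token in the session and returns it for use in the download URL.
function issue_download_token(array &$session, string $file, int $ttl = 300): string
{
    $token = bin2hex(random_bytes(16));   // unguessable, unlike a hash of the filename
    $session['downloads'][$token] = [
        'file'    => basename($file),     // strip any directory components
        'expires' => time() + $ttl,
    ];
    return $token;
}

// Called by the download script. Returns the path to stream, or null to refuse.
// Only state the server stored itself is consulted; request headers are ignored.
function authorize_download(array &$session, string $token, ?int $now = null): ?string
{
    $now   = $now ?? time();
    $entry = $session['downloads'][$token] ?? null;
    unset($session['downloads'][$token]); // single use, consumed even on failure
    if ($entry === null || $entry['expires'] < $now) {
        return null;
    }
    return MEDIA_DIR . '/' . $entry['file'];
}

// Constructed demonstration, with a plain array standing in for $_SESSION.
$session = [];
$token   = issue_download_token($session, 'trailer.mov');

var_dump(authorize_download($session, $token));   // issued token, first use
var_dump(authorize_download($session, $token));   // same token replayed
var_dump(authorize_download($session, 'guess'));  // token that was never issued
```

This stops direct linking from other sites; a visitor who loads the embedding page can still fetch the file.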
Re: [PHP] Can I prevent Server variables from being spoofed ?
Andy Pieters wrote:
> On Friday 20 May 2005 20:46, Graham Anderson wrote:
>> Can the server variable 'user agent' be modified/spoofed by the user?
>
> I wish people would stop implementing these kinds of things!
>
> Question: do you deny access to your home because the person ringing the bell
> is African? Or maybe because he is Muslim? Or because he/she doesn't speak
> English? There are laws against discrimination and you shouldn't create
> applications that deny access based on where the user comes from, what
> browser they use, or what language they speak.
>
> Just because someone is using a browser doesn't mean they can't play QuickTime movies.
>
> In fact, it is something that has been bothering me endlessly. I am usually
> forced to hack around the site to find the url of the movie, then do a wget on
> that url and xine the resulting file. All that for a lousy 30 sec movie!
>
> Can you at least think of only one valid reason to do the stuff you ask to do?
> I don't think so.

good point in essence but the 'access your house' analogy is a little lame

denying/allowing access to my house is my prerogative... legally I am entitled to apply a racist/prejudiced door policy on my own frontdoor - however abhorrent such an idea might be to the most of us.

and the same goes for a site I create - I'm entitled to grant/deny access to whomever I please, in the real world this most often translates into constraints that are placed on intranet/extranet systems whereby your userbase is known/controlled and certain functionality may require a decent browser (as opposed to the POS that is IE ;-) ... and sometimes it is completely valid and correct to deny access.

having said that if you want to attract customers/users to your content then forcing them to use specific applications/tools to do something which could be handled by any number of different tools (on different OSes) is plain stupid...

oh and if anyone here works at a bank, maybe not forcing users to use IE when visiting your site would make you look less like monopolistic idiots (why is it that the organisations with the most freaking money are the least capable of providing a _proper_ site...?)

Welcome to Monday ;-)

rgds,
Jochem

> Andy
Re: [PHP] Can I prevent Server variables from being spoofed ?
On Mon, May 23, 2005 2:54 am, Andy Pieters said:
> Can you at least think of only one valid reason to do the stuff you ask to
> do? I don't think so.

I think they're trying to stop massive bandwidth drain by peeps direct-downloading the movie...

Or something like that.

I can understand that, as some of my largest hits these days are from image theft by bloggers using commercial blog-ware/blog-sites.

* livejournal was the most egregious offender, if you care.

You'd think the blog-site owners would force them to upload their own images, instead of stealing my bandwidth but I guess not. :-(

I wouldn't mind at all if they provided a link back or even just named our music venue in the text somewhere, and the bandwidth is no big deal any more, but it irks me.

I must not care that much, cuz I haven't hacked the images to be... something interesting... when they are being "stolen"... Yet.

--
Like Music? http://l-i-e.com/artists.htm
Re: [PHP] Can I prevent Server variables from being spoofed ?
On Friday 20 May 2005 20:46, Graham Anderson wrote:
> Can the server variable 'user agent' be modified/spoofed by the user?

I wish people would stop implementing these kinds of things!

Question: do you deny access to your home because the person ringing the bell is African? Or maybe because he is Muslim? Or because he/she doesn't speak English? There are laws against discrimination and you shouldn't create applications that deny access based on where the user comes from, what browser they use, or what language they speak.

Just because someone is using a browser doesn't mean they can't play QuickTime movies.

In fact, it is something that has been bothering me endlessly. I am usually forced to hack around the site to find the url of the movie, then do a wget on that url and xine the resulting file. All that for a lousy 30 sec movie!

Can you at least think of only one valid reason to do the stuff you ask to do? I don't think so.

Andy

--
Registered Linux User Number 379093
--
Check out these few php utilities that I released under the GPL2 and that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
Re: [PHP] Can I prevent Server variables from being spoofed ?
Graham Anderson wrote:
> thanks...
> I'll start exploring other options
> g
>
> On May 20, 2005, at 2:35 PM, Marek Kilimajer wrote:
>
>> Graham Anderson wrote:
>>
>>> is there another way to get reasonably accurate environment variables ?
>>> In my case, if movies are being opened in a browser...deny access
>>
>> no, there is no way

You may be able to trick it. If your goal is to make it only work in Quicktime, or some other standalone application like that, chances are pretty good that it doesn't implement everything a full browser implements. For example, does it follow a redirect? Does it do Javascript at all?

Not that someone won't be able to hack around these tricks, but you could probably come up with something that would prevent the majority of people from accessing your content directly with a browser.

-Rasmus
Re: [PHP] Can I prevent Server variables from being spoofed ?
Think about it. The server can only tell what the user agent is by what the user reports. For all you know it could just be a perl script or just a terminal session reporting as being Quicktime. So yes, a script kiddie could spoof the user agent. Heck, some browsers even allow you to specify the user agent you want to report.

On May 20, 2005, at 2:46 PM, Graham Anderson wrote:

> Can the server variable 'user agent' be modified/spoofed by the user?
>
> I have a bunch of movies that I want to only open if the user agent
> contains Quicktime Player...
> In my case, if the user agent string contains Quicktime Player, a movie
> url is written for Quicktime to open
> If the user agent contains a browser, I want php to deny access...not
> write the url for Quicktime to read
>
> is it possible for a script kiddie to spoof user agent server variables
> to fool the server ?
>
> many thanks :)
>
> g

--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search & Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577
Re: [PHP] Can I prevent Server variables from being spoofed ?
Hello Graham,

Friday, May 20, 2005, 12:46:28 PM, you wrote:
G> Can the server variable 'user agent' be modified/spoofed by the
G> user?

Oh yeah. Firefox and Opera are easy to change.

--
Leif (TB lists moderator and fellow end user).
Re: [PHP] Can I prevent Server variables from being spoofed ?
is there another way to get reasonably accurate environment variables ?
In my case, if movies are being opened in a browser...deny access

g

On May 20, 2005, at 12:35 PM, James E Hicks III wrote:

> Graham Anderson wrote:
>> Can the server variable 'user agent' be modified/spoofed by the user?
>> is it possible for a script kiddie to spoof user agent server variables
>> to fool the server ?
>
> Yes. Most good browsers will allow you to do this.
>
> James
Re: [PHP] Can I prevent Server variables from being spoofed ?
Graham Anderson wrote:
> Can the server variable 'user agent' be modified/spoofed by the user?

Yes, this value is being sent by the client.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Re: [PHP] Can I prevent Server variables from being spoofed ?
are there any php methods that can accurately determine who the client is ?
mine is pretty basic...if I am a browser, then deny access

g

On May 20, 2005, at 1:15 PM, Chris Shiflett wrote:

> Graham Anderson wrote:
>> Can the server variable 'user agent' be modified/spoofed by the user?
>
> Yes, this value is being sent by the client.
>
> Chris
Re: [PHP] Can I prevent Server variables from being spoofed ?
Not only can the user agent string be easily spoofed, but as a result of its abuse by certain webmasters (mostly Banks), browsers such as Opera, and I believe Konqueror, have a setting that allows you to change the user agent string as a configuration option.

The UserAgent is a hint. It is most definitely not a guarantee.

On 5/20/05, Graham Anderson <[EMAIL PROTECTED]> wrote:
> Can the server variable 'user agent' be modified/spoofed by the user?
>
> I have a bunch of movies that I want to only open if the user agent
> contains Quicktime Player...
> In my case, if the user agent string contains Quicktime Player, a movie
> url is written for Quicktime to open
> If the user agent contains a browser, I want php to deny access...not
> write the url for Quicktime to read
>
> is it possible for a script kiddie to spoof user agent server variables
> to fool the server ?
>
> many thanks :)
>
> g
Re: [PHP] Can I prevent Server variables from being spoofed ?
Graham Anderson wrote:
> Can the server variable 'user agent' be modified/spoofed by the user?
>
> I have a bunch of movies that I want to only open if the user agent
> contains Quicktime Player...
> In my case, if the user agent string contains Quicktime Player, a movie
> url is written for Quicktime to open
> If the user agent contains a browser, I want php to deny access...not
> write the url for Quicktime to read
>
> is it possible for a script kiddie to spoof user agent server variables
> to fool the server ?

Of course. Some browsers, like Opera, even have a preferences thing where you can type in whatever user agent string you want. But even without that it is a trivial thing to spoof. Anything that comes across the wire to you can be spoofed. This includes the Host: header, the Referer: header, the User-Agent, cookies, whatever.

-Rasmus