Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1998/02/20 03:37:31 UTC

Hidden Form Field Vulnerability (fwd)

I really think that this silly "hole" is caused by moron designers more
than anything else and that this doesn't belong in a web server, it is
just a company trying to get more publicity, and their solution is mildly
questionable anyway.

---------- Forwarded message ----------
Date: Thu, 19 Feb 1998 14:29:41 -0500
From: omar syed <os...@lerc.nasa.gov>
To: brian@organic.com
Cc: marcs@znep.com, brian@hyperreal.org, osyed@lerc.nasa.gov
Subject: Hidden Form Field Vulnerability

Hi Brian and Marc,

Miora Systems Consulting has posted to the Web some white papers 
describing vulnerabilities with using hidden form fields in Web 
pages. They also describe a solution to the problem which basically
amounts to encrypting and decrypting the hidden form fields
so that when a user views the source of the document they cannot
make sense of the field values.

The white papers can be found at:
  http://www.miora.com/files/index.htm

Suggestion (thus the reason I'm writing to you): this 
encryption/decryption capability would be a
great feature to build into the apache server.  If the 
EncryptHiddenFields option was turned on for a document (the
document could be the result of a CGI program) the server would
parse the document and encrypt the values of all hidden fields.
The server would probably also have to add a hidden field which
lists the names of the fields that were encrypted.
When the form is posted the server would decrypt only the 
encrypted fields before passing them on to the CGI program.

I'm not a member of the apache developers list and don't have the
time to commit to working on this.  But I thought I would bring
this to the attention of the apache developers.  Could you please
forward this to the list.

I think this would be a very valuable capability that the
apache Web server could provide.  It could probably be added as
another module.  I think other servers will eventually provide this 
type of capability, but I would love to see apache be the first :-)

Omar Syed


Re: Hidden Form Field Vulnerability (fwd)

Posted by Michael Douglass <mi...@texas.net>.
On Thu, Feb 19, 1998 at 07:37:31PM -0700, Marc Slemko said:

I hate to say this, but anyone who wants this "in" the apache web server
is not up-to-par with the real world.  If you want this functionality
put anywhere, I would suggest in your CGI program itself.  In fact, for
the perl programmers this could be nicely packaged into the CGI perl
library for ease of use.  I just wouldn't see it being 'rightly' placed
inside the apache server.

> I really think that this silly "hole" is caused by moron designers more
> than anything else and that this doesn't belong in a web server, it is
> just a company trying to get more publicity, and their solution is mildly
> questionable anyway.

-- 
Michael Douglass
Texas Networking, Inc.

<anon> Who rebooted it?? (pause) <heh-heh-heh> I hit enter!
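
Doing this in the CGI program itself, as Michael Douglass suggests, can look like the following (an added example, not part of the thread or any poster's code). It keeps the manifest field from Omar Syed's proposal but authenticates the values with an HMAC instead of encrypting them, so they stay readable and only modification is detected; the field names `_sealed` and `_seal_tag`, the `context` parameter and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret. A real CGI program is a new process per
# request, so it would load this from protected configuration instead.
SERVER_KEY = secrets.token_bytes(32)
MANIFEST = "_sealed"    # hypothetical field listing the protected names
TAG = "_seal_tag"       # hypothetical field carrying the HMAC


def _tag(key, context, names, fields):
    # Length-prefix every part so ("ab", "c") and ("a", "bc") cannot collide.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in [context] + [p for n in names for p in (n, fields[n])]:
        raw = part.encode("utf-8")
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.hexdigest()


def seal(fields, context="", key=SERVER_KEY):
    """Return the hidden fields to emit: originals plus manifest and tag.

    context binds the tag to e.g. a session id so it cannot be replayed
    in another user's form.
    """
    names = sorted(fields)
    sealed = dict(fields)
    sealed[MANIFEST] = ",".join(names)
    sealed[TAG] = _tag(key, context, names, fields)
    return sealed


def unseal(posted, context="", key=SERVER_KEY):
    """Return the protected fields, or raise ValueError if they changed."""
    try:
        names = [n for n in posted[MANIFEST].split(",") if n]
        expected = _tag(key, context, names, posted)
    except KeyError:
        raise ValueError("manifest or a protected field is missing") from None
    supplied = posted.get(TAG, "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise ValueError("hidden fields were modified")
    return {n: posted[n] for n in names}


# Constructed sample values.
form = seal({"item": "1234", "price": "19.99"}, context="session-abc")
```

Because the manifest is covered by the tag, the question of which posted items need checking is answered by the form itself, and shortening the manifest is rejected like any other change.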

Re: Hidden Form Field Vulnerability (fwd)

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Marc Slemko wrote:
> 
> I really think that this silly "hole" is caused by moron designers more
> than anything else and that this doesn't belong in a web server, it is
> just a company trying to get more publicity, and their solution is mildly
> questionable anyway.

In a word: yuck.  This entire mess is just an exercise in STO, which has
been shown (although no mathematical proofs yet AFAIK ;-) not to work.
There's also the issue of DEcrypting; when the form was submitted, how
would the server know what query-string items needed to be frobbed and
which didn't?

Let the values of the hidden fields be user-opaquified before emission;
the document content is opaque to the server (with the exception of SSIs)
anyway.

Is the exposure of hidden field values an issue?  Questionable at best.
Is this a viable solution?  Not this millennium, IMNSHO.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://WWW.Dummies.Com/>

Re: Hidden Form Field Vulnerability (fwd)

Posted by Ben Laurie <be...@algroup.co.uk>.
Dirk-Willem van Gulik wrote:
> 
> Christ!
> 
> If you are this braindead... I mean #actively# sending things
> you do not want a user to see to that user...

Exactly. I didn't bother to forward this when a customer sent it to me
last week, because it is clearly just advertising, and not very good
advertising at that.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Re: Hidden Form Field Vulnerability (fwd)

Posted by Dirk-Willem van Gulik <di...@jrc.it>.
Christ!

If you are this braindead... I mean #actively# sending things
you do not want a user to see to that user...

	Hel !


On Thu, 19 Feb 1998, Marc Slemko wrote:

> I really think that this silly "hole" is caused by moron designers more
> than anything else and that this doesn't belong in a web server, it is
> just a company trying to get more publicity, and their solution is mildly
> questionable anyway.
> 
> ---------- Forwarded message ----------
> Date: Thu, 19 Feb 1998 14:29:41 -0500
> From: omar syed <os...@lerc.nasa.gov>
> To: brian@organic.com
> Cc: marcs@znep.com, brian@hyperreal.org, osyed@lerc.nasa.gov
> Subject: Hidden Form Field Vulnerability
> 
> Hi Brian and Marc,
> 
> Miora Systems Consulting has posted to the Web some white papers 
> describing vulnerabilities with using hidden form fields in Web 
> pages. They also describe a solution to the problem which basically
> amounts to encrypting and decrypting the hidden form fields
> so that when a user views the source of the document they cannot
> make sense of the field values.
> 
> The white papers can be found at:
>   http://www.miora.com/files/index.htm
> 
> Suggestion (thus the reason I'm writing to you): this 
> encryption/decryption capability would be a
> great feature to build into the apache server.  If the 
> EncryptHiddenFields option was turned on for a document (the
> document could be the result of a CGI program) the server would
> parse the document and encrypt the values of all hidden fields.
> The server would probably also have to add a hidden field which
> lists the names of the fields that were encrypted.
> When the form is posted the server would decrypt only the 
> encrypted fields before passing them on to the CGI program.
> 
> I'm not a member of the apache developers list and don't have the
> time to commit to working on this.  But I thought I would bring
> this to the attention of the apache developers.  Could you please
> forward this to the list.
> 
> I think this would be a very valuable capability that the
> apache Web server could provide.  It could probably be added as
> another module.  I think other servers will eventually provide this 
> type of capability, but I would love to see apache be the first :-)
> 
> Omar Syed
> 
>