RE: Security
- Posted by Kat <kat at kogeijin.com> Dec 01, 2002
On 30 Nov 2002, at 23:15, C. K. Lester wrote:

>
> > Yes, use a large enough number base, and a large enough number in that
> > base. For instance, if i attach the hidden POST form url with
> > this numeral:
> > "er6yb2RTGWBD6trerBFSf6t78ERThgneRhnwwww456GWTq456BEFGqw4Y
> > B9nwrfgbwr673n5yUHb35r56b7tynjtr4678EGF67678mnyuy5678" (base58)
> > ,and i link it in my cgi to the ip block the customer came from,
> > and other info
> > their browser supplied, how many crackers will be able to guess the next
> > client's numeral?
>
> Can you make any link on the page send the query info (in this case, the
> really long ID)? You mention POST and I'm guessing that means you have to
> have a form...

Without POST, it's like

    <a href="/nextpage.html?tag=er6yb2RTGWBD6trerBFSf6t78ERThgneRhnwwww456GWTq456BEFGqw4YB9nwrfgbwr673n5yUHb35r56b7tynjtr4678EGF67678mnyuy5678">Next Page</a>

I haven't tried this, I'm not terribly serious about it yet. Using POST would keep it out of the url windows, but I haven't attempted anything yet that worked. I suspect it's something in *nix or Apache, because I can't get the POST vars with the cgi program on the server.

Orkim's emails are bouncing.

You might try a form, with everything hidden but the button itself.

Kat
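
The scheme discussed in this post (a long base58 ID carried in a hidden POST field and tied server-side to the client's IP block and browser info), sketched as an added example that is not part of the original post or either poster's code. The names SessionStore, client_fingerprint and hidden_form, the /24 IPv4 block size and the HMAC-SHA256 binding are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import ipaddress
import secrets

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def new_session_id(nbytes=32):
    """Unguessable base58 ID drawn from the OS CSPRNG (256 bits by default)."""
    n = int.from_bytes(secrets.token_bytes(nbytes), "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out or B58[0]

def client_fingerprint(key, ip, user_agent, prefix_len=24):
    """Keyed hash of the client's IP block (assumed /24, IPv4) and User-Agent."""
    block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    msg = f"{block}\n{user_agent}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SessionStore:
    """Server-side map from issued ID to the fingerprint it was issued for."""
    def __init__(self, key):
        self._key = key
        self._sessions = {}

    def issue(self, ip, user_agent):
        sid = new_session_id()
        self._sessions[sid] = client_fingerprint(self._key, ip, user_agent)
        return sid

    def check(self, sid, ip, user_agent):
        expected = self._sessions.get(sid)
        if expected is None:          # ID was never issued: a guess
            return False
        actual = client_fingerprint(self._key, ip, user_agent)
        return hmac.compare_digest(expected, actual)

def hidden_form(sid, action="/nextpage.html"):
    """Form with everything hidden but the button; the ID travels in the POST body."""
    return (f'<form method="post" action="{html.escape(action)}">'
            f'<input type="hidden" name="tag" value="{html.escape(sid)}">'
            '<input type="submit" value="Next Page"></form>')
```

The ID is only as unpredictable as its source, so it comes from the operating system's CSPRNG rather than a counter or timestamp; the IP block and browser check then limits reuse of an ID that leaks.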