[PHP] Netegrity's siteminder + PHP + Apache
Hello All,

Does anyone know of any good documentation for compiling Netegrity's Siteminder module with Apache for use in a PHP based application?

Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer
[PHP] Re: [PHP-INSTALL] Re: [PHP] Netegrity's siteminder + PHP + Apache
Hello Sam,

Thanks for the response. I don't have much documentation to work with. I am very familiar with mod_LDAP + Apache + PHP, but new to Siteminder. I was wondering if you could point me to some good resources on the web, or if you have some documentation, that would be helpful as well.

Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer

Regards,
Saqib Ali
https://downloads.seagate.com <<< Click to download latest desktop applications

Sam Evans <[EMAIL PROTECTED]>
08/12/2004 06:40 AM
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [PHP-INSTALL] Re: [PHP] Netegrity's siteminder + PHP + Apache

Saqib,

We have been able to get Siteminder v5.X to work on Apache 2.0.50 with PHP 5.0.0. There really wasn't too much hassling with it, but we did have to get the Siteminder 5.X hotfix for Linux though. Let me know what kind of trouble you are running into, and I'll try to help you out.

-Sam

On Wed, 11 Aug 2004 15:31:42 -0700, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello All,
>
> Does anyone know of any good documentation for compiling Netegrity's Siteminder
> module with Apache for use in a PHP based application?
>
> Thanks.
> Saqib Ali
> http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer
[PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello All,

I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using an <img> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers.

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?

Regards,
Saqib Ali
http://validate.sf.net <<< DocBook XML -> XHTML / PDF Convertor
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Thanks Chris,

Yup, I think my posting is very on-topic. The application that I am working on is written in PHP. And I'm sure all PHP developers check their applications for CSRF vulnerability in various browsers (including I.E.). As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.

Regards,
Saqib Ali
http://validate.sf.net <<< DocBook XML -> XHTML / PDF Convertor

Chris Shiflett <[EMAIL PROTECTED]>
08/16/2004 11:17 AM
Please respond to [EMAIL PROTECTED]
To: Jay Blanchard <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> You would have to ask the Microsoft Development Group, who
> probably does not subscribe to this list. Crossposting is bad.
> Being OT during a crosspost is even worse. I can hear the
> flamethrowers warming up in the wings.
>
> FYI -> This is (or used to be) a PHP list

I won't defend cross-posting, but I think CSRF is very on-topic.

Chris

=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming Fall 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris,

I can't share the exact code ;) , but here is something very similar:

<img src="http://slashdot.org/my/logout" height="1" width="1">

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

downloads.seagate.com

Chris Shiflett <[EMAIL PROTECTED]>
08/16/2004 11:24 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- [EMAIL PROTECTED] wrote:
> My question: Is I.E. 6.01 SP1 doing something to foil the CSRF
> attack, i.e. only allow image extensions .gif .png .jpeg?

This seems highly unlikely. Can you show us the code you're using to test?

Chris

=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming Fall 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello,

I'm not saying that I.E. completely fixed the CSRF attacks by only allowing .jpg .gif .png files. But it "might" be one possible way to minimize CSRF attack, just like using POST vs GET can help minimize the chances of that attack. BTW, using POST instead of GET does NOT guarantee that a CSRF attack will not work, either.

Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer

"Octavian Rasnita" <[EMAIL PROTECTED]>
08/16/2004 12:57 PM
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc: "Jay Blanchard" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?

A url can be something like:

http://www.site.com/script.php/image.jpg?logout=true

Internet Explorer might think that the file is a .jpg and that script.php is a directory, but only the target web server knows which is the program. Or PHP code might be contained in an "image.jpg" file.

Teddy

- Original Message -
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Jay Blanchard" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> --- [EMAIL PROTECTED] wrote:
> > And I'm sure all PHP developers check their applications for
> > CSRF vulnerability, in various browsers (including I.E. ).
>
> I speak about CSRF in many of the talks I give, and I think you'd be
> surprised by how many people haven't even heard of it.
>
> > As a PHP/Java developer, I would be interested to know what
> > I.E. is doing in their browsers to prevent CSRF attacks. I'm
> > not trying to start a browser war here.
>
> Well, to be fair, even if it is true that IE does not request a URL
> referenced in an img tag unless the file extension matches a known image
> type, this isn't a complete or even optimal solution to the problem. Also,

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris,

Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same. Which means my theory of limiting the <img> TAG to .gif .jpeg .png is NOT true. So now I am completely clueless as to why this particular attack works in Mozilla but not in IE. Any ideas?

Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer

Chris Shiflett <[EMAIL PROTECTED]>
08/16/2004 11:55 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

--- [EMAIL PROTECTED] wrote:
> I can't share the exact code ;) , but here is something very
> similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out
> of slashdot. It works in Mozilla (and netscape), but not in I.E.
> 6.01 SP1

The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.

Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming Fall 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Curt,

Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using an <img> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong. Maybe Chris can correct me, if I am wrong here.

Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer

Curt Zirzow <[EMAIL PROTECTED]>
08/16/2004 02:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

* Thus wrote [EMAIL PROTECTED]:
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out of
> slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access.

Curt
--
First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid!
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Ed,

To give some details: I am unable to re-produce a CSRF attack when the victim is using I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers.

I can't give you the exact code for the attack (for security reasons), but it is similar to the following: If you insert the following HTML code in "any" web page residing at any domain, it will cause you to be logged out of /. if you previously logged in to the /. system:

<img src="http://slashdot.org/my/logout" height="1" width="1">

This type of attack makes use of CSRF. Try to insert the above HTML line in a web page of your choice, and then load the web page. If you are using Mozilla, it will log you off from /. However in the latest build of I.E. it doesn't work, whereas it should work.

Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer

"Ed Lazor" <[EMAIL PROTECTED]>
08/16/2004 02:26 PM
To: <[EMAIL PROTECTED]>
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> -Original Message-
> So now I am completely clueless as to why this particular attack works in
> Mozilla but not in IE.

Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution.

The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things.

http://www.squarefree.com/securitytips/web-developers.html

-Ed
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Thanks Curt, Chris and Ed,

It is indeed the disabling of third-party cookies that is causing this behaviour in I.E. :) So thanks for all the help :)

Thanks.
Saqib Ali
http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer

"Ed Lazor" <[EMAIL PROTECTED]>
08/16/2004 04:57 PM
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> -Original Message-
> However a CSRF attack is NOT trying to access a third party cookie.
>
> The web browser makes the same GET request whether it is using an <img> TAG
> or the user clicking on a link. So in either case the cookies are in the
> context of the website to which the cookies belong.

I think Curt was correct actually. Hopefully the test I sent earlier can confirm or at least cross-reference this.

-Ed
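The thread's outcome (a hidden image fires a cookie-bearing GET, and only IE's third-party cookie setting happened to block it) leaves the server-side fix unstated. Below is an added example, not code from the thread or from Slashdot: a logout handler that requires a per-session token rather than trusting the method or the URL's extension, with the cookie attribute that standardises what IE did by accident. Function names and the request data are constructed for this example; it assumes PHP 7.3+.

```php
<?php
// Added example, not code from the thread or from Slashdot: a logout handler
// hardened against the hidden-image request discussed above. Function names and
// the request data below are constructed for this example; assumes PHP 7.3+.

// Issue one random token per session; the site's own logout form carries it.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a logout request may proceed. The URL path is deliberately
// not consulted: /logout, /logout.png or /script.php/image.jpg all reach the
// same code, which is why a browser-side extension check proves nothing.
function logout_is_authorized(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;   // an <img> can only issue GET; but POST alone is not a defence either
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Session cookie attributes. SameSite=Lax is the standardised form of what IE's
// third-party cookie blocking did by accident in the thread: the session cookie
// is not attached to cross-site subresource requests such as a hidden image.
function secure_session_cookie_params(): array
{
    return ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/'];
}
// Constructed requests against one session.
$session = [];
$token   = csrf_token($session);
// The hidden <img> on a third-party page: a bare GET carrying no token.
$fromHiddenImage = logout_is_authorized('GET', [], $session);
// A cross-site POST without the token (switching to POST is not enough by itself).
$fromForeignPost = logout_is_authorized('POST', [], $session);
// The site's own logout form, carrying this session's token.
$fromOwnForm     = logout_is_authorized('POST', ['csrf_token' => $token], $session);
// In a real handler: session_set_cookie_params(secure_session_cookie_params());
// session_start(); then pass $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION in.
```

With these constructed calls, $fromHiddenImage and $fromForeignPost are false and only $fromOwnForm is true, regardless of which browser issued the request or whether it attached cookies.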
Re: [PHP] OpenLDAP+MD5 Passwords+PHP != Work?
I don't think this will work. Why do you need to MD5 the passwd if you are sending it over LDAPS (LDAP over SSL)?

Thanks.
Saqib Ali
http://validate.sf.net

Steven Hildreth <[EMAIL PROTECTED]> wrote on 08/30/2004 06:33:32 PM:

> Hi, Attempting to connect to an OpenLDAP server to authenticate a
> user, just want to see if the password the user passes is the stored
> password if true. I can get the LDAP connection to connect to the
> server, but unless I switch the LDAP server to use only clear I
> continually get an 'Invalid Credentials' error (passwords don't match).
> I am using LDAP MD5 to hash passwords on the server. If I take and
> echo out the password the routine below is using and compare it to the
> password on the server they match exactly?! Even if I include "{MD5}"
> at the front it still always gives me "Invalid Credentials".
>
> Here is an example of the code I am using to check the password:
>
> function CheckPassword($username, $password) {
>     // Build the user's DN (the base DN components were elided in the archived post)
>     $dn = "uid=" . $username . ",ou=People,dc=,dc=net";
>     // Hash the cleartext the way the server stores it ({MD5} scheme: base64 of raw MD5)
>     $pw = trim(base64_encode(pack("H*", md5($password))));
>
>     // ldap_connect() only prepares the handle; the host was elided in the archived post
>     $ldapconn = ldap_connect("ldaps:///") or die("Could not connect to LDAP server!");
>
>     if ($ldapconn) {
>         // Simple bind, passing the hashed value as the bind password
>         $ldapbind = ldap_bind($ldapconn, $dn, $pw);
>         if ($ldapbind) {
>             return true;
>         }
>     }
>     return false;
> }
>
> I am using OpenLDAP v2.1.30 and PHP 4.3.8, for what its worth I am
> using Gentoo and my make flags include "ldap".
>
> Thanks for any pointers.
>
> Regards,
> Steven
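Why the posted CheckPassword() always gets "Invalid Credentials", as an added example that is not code from the thread: on a simple bind the directory hashes the credential as supplied and compares it with the stored userPassword, so a client that sends base64(md5(password)) has that value hashed a second time and never matches. The model below goes beyond the {MD5} case in the post to the {SSHA} scheme as well, and shows the client-side bind that sends the cleartext over LDAPS instead; the function names, the host ldap.example.com and the base DN dc=example,dc=net are this example's own, and it assumes PHP 7+.

```php
<?php
// Added example, not code from the thread. Models what the directory does on a
// simple bind when userPassword uses the {MD5} or {SSHA} scheme, and shows the
// client-side bind the posted code should do. Names and host are hypothetical.

// Encode a cleartext password the way slappasswd -h {MD5} stores it.
function ldap_md5_userpassword(string $cleartext): string
{
    return '{MD5}' . base64_encode(md5($cleartext, true));
}

// Server side of a simple bind: the credential is hashed *as supplied* with the
// stored scheme and compared. A client that pre-hashes gets its hash hashed again.
function server_side_bind_check(string $stored, string $supplied): bool
{
    if (!preg_match('/^\{(\w+)\}(.*)$/s', $stored, $m)) {
        return hash_equals($stored, $supplied);   // no scheme tag: stored in cleartext
    }
    $bin = (string) base64_decode($m[2], true);   // '' if the stored value is malformed
    switch (strtoupper($m[1])) {
        case 'MD5':
            return hash_equals($bin, md5($supplied, true));
        case 'SSHA':                  // 20 raw SHA-1 bytes followed by the salt
            $salt = substr($bin, 20);
            return hash_equals($bin, sha1($supplied . $salt, true) . $salt);
        default:
            return false;             // other schemes not modelled here
    }
}

// Client side: send the cleartext over LDAPS and let the server do the comparison.
function check_password(string $username, string $password): bool
{
    if ($password === '') {
        return false;   // ldap_bind() with an empty password binds anonymously and "succeeds"
    }
    $dn   = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',ou=People,dc=example,dc=net';
    $conn = ldap_connect('ldaps://ldap.example.com');   // hypothetical host
    if ($conn === false) { return false; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    return @ldap_bind($conn, $dn, $password) === true;  // no md5()/base64 applied here
}

$stored        = ldap_md5_userpassword('s3cret');                    // constructed entry
$prehashed     = trim(base64_encode(pack('H*', md5('s3cret'))));     // what the posted code sends
$withCleartext = server_side_bind_check($stored, 's3cret');
$withHash      = server_side_bind_check($stored, $prehashed);
```

With the constructed entry, $withCleartext is true and $withHash is false, which is exactly the "Invalid Credentials" the post describes; prefixing "{MD5}" to the sent value fails for the same reason.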
Re: [PHP] Weblog - Blog software written in PHP and MySQL
http://cafelog.com/ (PHP + mysql)

a very light weight (simple and primitive) blog: http://www.xml-dev.com/blog/

Thanks.
Saqib Ali
https://validate.sf.net

[EMAIL PROTECTED] wrote on 08/31/2004 10:28:09 AM:

> Does anyone know of Blog sw available in the marketplace written in PHP and
> maybe MySQL?
Re: [PHP] Dynamically generate PDF: which way? (classes, docbook)
Hello Robert,

I would suggest that if your data is such that it can use DocBook, definitely go the DocBook route. You can also use Apache's Cocoon to publish your DocBook content to PDF/HTML/RTF/SVG/TXT etc.

Here are some samples that use Apache Cocoon to perform dynamic conversion to PDF/HTML:
http://www.xml-dev.com/blog/#88

Here are some other utilities to convert to PDF:
http://www.xml-dev.com/blog/#101

This one is pretty good:
http://html2pdf.seven49.net/seven49.aspx?

Thanks.
Saqib Ali
http://validate.sf.net

robert mena <[EMAIL PROTECTED]> wrote on 09/06/2004 04:56:18 AM:

> Hi,
>
> I plan to dynamically generate some of the documents I need on a regular
> basis. Sometimes they only differ by the name of the company so my
> first attempt would be to generate "templates" in word and ask/replace
> for the values needed.
>
> I am evaluating the http://www.ros.co.nz/pdf/, www.fpdf.org and php
> classes that generate pdf and as another option use docbook to
> convert.
>
> I am not sure which way is better.
>
> From my point of view:
> a) Both classes seem to be fine but in order to generate (static)
> tables and other elements I will need a lot of programming
> calls/variables. So I'd have a manual and perhaps tedious/error-prone
> procedure to convert the document into the "programmable-version" of
> it.
>
> b) I do not have experience with DocBook (even though I can code html
> and latex) but I could use an editor to generate the document with
> the tables, place images etc. Identify the template variables and
> call docbook to generate the pdf. I'd still have to manually convert
> the file but would not need a lot of calls to generate a table or even
> use a php programmer. I am assuming the tags needed are more
> easily understood than $pdf->addCell($data,width..)
>
> Any ideas?