
Spoofing AUTH_USER or REMOTE_USER

Guest
Oct 26, 2010

We are thinking about using Windows Integrated Authentication on our IIS website for determining the user's Windows login when visiting our intranet website.

Our concern is whether it's possible to spoof the CGI.AUTH_USER or CGI.REMOTE_USER variables? I've read Jason Dean's article on spoofing CGI variables (here: http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11) and a few other articles on the subject, but haven't found anything concrete. I have tried Jason's cfhttp call to our site but am unable to set any variables - which I think is a good thing. Here is the code that I have tried so far for both REMOTE_USER and AUTH_USER.

<cfhttp method="post" url="index.cfm" result="myVar">
    <cfhttpparam type="url" name="method" value="test">

    <!--- the 3 lines below did not work --->
    <cfhttpparam type="header" name="REFERER" value="anotherpage.cfm">
    <cfhttpparam type="header" name="REMOTE_HOST" value="123.45.67.8">
    <cfhttpparam type="header" name="AUTH_USER" value="domain/spoofuser">

    <!--- the line below did not work --->
    <cfhttpparam type="cgi" name="AUTH_USER" value="domain/spoofuser">

    <!--- the line below did not work --->
    <cfhttpparam type="cgi" name="HTTP_AUTH_USER" value="domain/spoofuser">

    <cfhttpparam type="formfield" name="entryid" value="blah">
</cfhttp>

Is there anything, such as variable names or method of attack, that I should be doing differently?

TOPICS
Advanced techniques

Valorous Hero
Oct 26, 2010

The first thing to note is that the AUTH_USER and REMOTE_USER have nothing to do with the Windows Integrated Authentication AKA NTLM authentication process. They are provided by the web server AFTER the NTLM authentication process has been completed.

The actual NTLM authentication process goes something like this.

Client requests resource protected by NTLM on the web server.

The web server responds to the client with a 401.1 HTTP response asking for the user.

If the client understands this, it responds with the user.

The web server responds to the client with a 401.2 HTTP response asking for the password.

The client responds with the password (or something that represents it).

If the web server can validate these credentials, it responds with a 200 HTTP response with the requested resource. At this point it will populate the CGI variables with values such as AUTH_USER and REMOTE_USER.

I am sure there are possible attack vectors that can allow unintended access through the NTLM protection.  There is no such thing as 100% guaranteed security.  But spoofing the AUTH_USER shouldn't matter.

Community Expert
Oct 26, 2010

The only CGI variables that can be "spoofed" by the browser are those that (a) come directly from the browser, like HTTP_USER_AGENT, and (b) won't prevent the browser from receiving a response. Most of these begin with "HTTP_". Other CGI variables, like AUTH_USER, don't come from the browser, but instead come from the web server and/or CF itself.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/
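
Added example (not code from this thread, its posters, or Adobe): an Application.cfc that applies the point made in the two replies above by taking the user's identity only from cgi.auth_user, which the web server fills in after authentication, and logging requests that carry look-alike headers. The application name, the "security" log file name and request.windowsUser are assumptions chosen for illustration.

```cfml
// Application.cfc (added example; names marked "assumed" are illustrative)
component {
    this.name = "IntranetApp"; // assumed application name

    // Names a client might send as headers hoping they reach the CGI scope.
    variables.suspectHeaders = "AUTH_USER,REMOTE_USER,LOGON_USER,AUTH_TYPE";

    public boolean function onRequestStart(required string targetPage) {
        var sent = getHttpRequestData().headers; // headers the client actually sent
        var name = "";

        // Detection: browsers do not send these names as request headers,
        // so their presence is worth a log entry. Their values are never used.
        for (name in listToArray(variables.suspectHeaders)) {
            if (structKeyExists(sent, name)) {
                writeLog(file="security", type="warning",
                    text="Client at #cgi.remote_addr# sent a #name# header; ignored");
            }
        }

        // Identity comes only from the value the web server sets after
        // authentication. An empty value means IIS did not authenticate the
        // request (for example, anonymous access is still enabled on the site).
        if (!len(trim(cgi.auth_user))) {
            writeLog(file="security", type="error",
                text="No AUTH_USER for #arguments.targetPage#; request refused");
            throw(type="Security.NotAuthenticated",
                  message="Windows authentication is required.");
        }

        request.windowsUser = cgi.auth_user; // assumed key; value like DOMAIN\user
        return true;
    }
}
```

Application code then reads request.windowsUser and never falls back to a request header or form field for the user name.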

Guest
Oct 26, 2010

Thank you for the responses, this is really good information.  Much appreciated!
