P
P
pixxxel2011-02-23 13:57:58
PHP
pixxxel, 2011-02-23 13:57:58

What to use as salt for md5?

cms uses automatic image preview generation.
To do this, a rule is configured in mod_rewrite, according to which a request for a non-existent image, for example image.100x100.jpg, is redirected to a script that creates a 100x100 preview of the image.jpg image.
In order to prevent an attacker from independently causing the creation of any preview, a certain token is also passed to this script, which is md5 (file name + salt).
The essence of the problem is in the choice of salt, namely:
I don’t want to ask the user to invent a salt when installing cms.
I do not want to automatically generate the salt during installation, since not everyone uses the installer, so the salt will be the same for many, which should not be allowed.
In general, I do not really want to store it somewhere.
I just want to take as salt "on the fly" some data that is unique for each copy of the script and unknown to the attacker.
For example, the last modification time of a file would be appropriate if it weren't chosen so easily.
Just the name of the domain on which the script is running would also work, but it is known to the attacker.
Well, obviously, the salt should not change over time, at least for some fairly long time
. UPD: it looks like darkslesh pointed out the right way - store the salt in the settings (as just a random number) + the domain for which it was created, and if there is a mismatch domain in settings with real domain, regenerate salt.

Answer the question

In order to leave comments, you need to log in

7 answer(s)
D
darkslesh, 2011-02-23
@darkslesh

Isn't it easier to make such a system:
1) a file is created (not in the WEB folder or in a closed folder)
2) 2 lines like xxxxxxxxx and randomstr are written to this file, where xxxxx is the server ip address or domain, and the second line is just the salt that you need
3) the script that uses this salt reads the file, then if the IP / domain does not match, then generate a file with new parameters.
This way you won't have to worry about the script running without installation.
There is also an option to somehow pervert using _SERVER["UNIQUE_ID"] which is generated with each user request.

S
Stalker_RED, 2011-02-24
@Stalker_RED

and if the domain in the settings does not match with the real domain, regenerate the salt.

and delivering a lot of fun to the person who tries to transfer it all to a new domain, or use one system on several domains at once.

D
darkslesh, 2011-02-23
@darkslesh

Or use request time. those. as soon as a person has requested a page, then take this time with an accuracy of microseconds and then use it. It would be useless to select.

K
Kir Shatrov, 2011-02-23
@RazoR_Empire

Why don't you want to generate previews once and serve them without any problems, for example, through nginx?

Y
Yan169, 2011-02-24
@Yan169

I did not understand a little, at what point will the md5 token be generated?
In the html code of the page will be
[img src="image.100x100.jpg"/]
or
[img src="image.100x100.jpg{md5(...)}"/]
?
If the first one (md5 is generated on the way from the http request to the preview script), then there is essentially no protection.
If the second one (md5 is generated at the moment of the will to use the image in any part of the site - the creation of a template, document, etc.), then what prevents the necessary preview from being generated at this moment instead of generating md5?

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question