Skip to main content
A
Anonymous
October 26, 2010
Question

Spoofing AUTH_USER or REMOTE_USER

  • October 26, 2010
  • 3 replies
  • 4810 views

We are thinking about using Windows Integrated Authentication on our IIS website for determining the user's Windows login when visiting our intranet website.

Our concern is whether its possible to spoof the CGI.AUTH_USER or CGI.REMOTE_USER variables? Ive read Jason Dean's article on spoofing CGI variables (here: http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11) and a few other articles on the subject, but haven't found anything concrete.  I have tried Jason's cfhttp call to our site but am unable to set any variables - which I think is a good thing.  Here is the code that I have tried so far for both REMOTE_USER and AUTH_USER.

<cfhttp method="post" url="index.cfm" result="myVar">
    <cfhttpparam type="url" name="method" value="test">

     <!--- the 3 lines below did not work --->

    <cfhttpparam type="header" name="REFERER" value="anotherpage.cfm">
    <cfhttpparam type="header" name="REMOTE_HOST" value="123.45.67.8">

    <cfhttpparam type="header" name="AUTH_USER" value="domain/spoofuser">

     <!--- the line below did not work --->

    <cfhttpparam type="cgi" name="AUTH_USER" value="domain/spoofuser">
     <!--- the line below did not work --->

    <cfhttpparam type="cgi" name="HTTP_AUTH_USER" value="domain/spoofuser">

    <cfhttpparam type="formfield" name="entryid" value="blah">
</cfhttp>

Is there anything, such as variables names or method of attack, that I should be doing differently?

This topic has been closed for replies.

3 replies

A
Anonymous
October 26, 2010

Thank you for the responses, this is really good information.  Much appreciated!

D
Community Expert
Dave WattsCommunity Expert
Community Expert
October 26, 2010

The only CGI variables that can be "spoofed" by the browser are those that (a) come directly from the browser, like HTTP_USER_AGENT, and (b) won't prevent the browser from receiving a response. Most of these begin with "HTTP_". Other CGI variables, like AUTH_USER, don't come from the browser, but instead come from the web server and/or CF itself.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

GSA Schedule, and provides the highest caliber vendor-authorized

instruction at our training centers, online, or onsite.

Read this before you post:

http://forums.adobe.com/thread/607238

Dave Watts, Eidolon LLC
ilssac
ilssac
Inspiring
October 26, 2010

The first thing to note is that the AUTH_USER and REMOTE_USER have nothing to do with the Windows Integrated Authentication AKA NTLM authentication process.  They are provided by the web server AFTER the NTML authentication process has been completed.

The actual NTLM authentication process goes something like this.

Client requests resource protected by NTLM on the web server.

The web server responds to the client with a 401.1 HTTP response asking for the user.

If the client understands this, it responds with the user.

The web server responds to the client with a 401.2 HTTP response asking for the password.

The client responds with the password (or something the represents it).

If the web server can validate these creditionals, it responds with an 200 HTTP response with the requested resource.  At this point it will populate the CGI variables with values such as AUTH_USER and REMOTE_USER.

I am sure there are possible attack vectors that can allow unintended access through the NTLM protection.  There is no such thing as 100% guaranteed security.  But spoofing the AUTH_USER shouldn't matter.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices