ant has asked for the wisdom of the Perl Monks concerning the following question:
Hi,
I've been asked to investigate security problems with web pages
that I've been working on.
One set of pages uses the .htaccess file in the directory,
thus the user is asked for a user name and password before accessing
any web pages in that directory or subdirectory. How secure
is .htaccess? Is the user name and password encrypted when
it is sent to the server, and how safe/good is the encryption?
The server is sitting behind the firewall, which means people outside
of the organisation cannot access/view it, which must be a good thing.
The second set of pages takes a username from a main login screen
and inserts it into a hidden field, which I know is not hidden because
it can be seen in the source code.
This username is then passed as a variable to a new screen via the
POST method, and is checked against a database. Is it possible
for a user to access a web page without going through the main login
screen, by inserting a username in the parameters???
Many thanks in advance.
Anthony
PS: I know the Perl FAQ on security tips,
Q41: Can people see or change the values in "hidden" form variables?
does answer part of the second problem, but I do not know
or understand how a user can replace variables that are posted.
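The two questions in the post, as an added example that is not part of the original thread. The session id, username and password below are constructed values; the two functions are hypothetical helpers showing the difference between taking identity from a hidden field and from a server-side session.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# --- Part 1: what .htaccess Basic authentication actually sends ----------
# Constructed Authorization header for user "ant", password "s3cret".
my $header = 'Basic ' . encode_base64('ant:s3cret', '');

# Base64 is an encoding, not encryption: anyone who can read the
# request (on the wire, in a proxy log) recovers both values like this.
# Only TLS (https) protects the credentials in transit.
my ($user, $pass) = split /:/, decode_base64((split / /, $header)[1]), 2;
print "Basic auth carried: user=$user pass=$pass\n";

# --- Part 2: hidden field versus server-side session ---------------------
# Constructed session table. The login script keeps this mapping on the
# server and gives the browser only the random id, in a cookie.
my %SESSION = ( 'a3b1c9d8e7f60514a3b1c9d8e7f60514' => 'ant' );

# Vulnerable pattern: identity is read from the POST body. A hidden field
# is just another parameter, and the client controls every parameter.
sub user_from_hidden_field {
    my ($post) = @_;
    return $post->{username};
}

# Hardened pattern: identity is resolved from the server-side table using
# the cookie only; the POST body plays no part. The id format is checked
# before it is used as a hash key.
sub user_from_session {
    my ($cookie_sid, $sessions) = @_;
    return undef
        unless defined $cookie_sid && $cookie_sid =~ /\A[0-9a-f]{32}\z/;
    return $sessions->{$cookie_sid};
}

# A request that never went through the login screen: the POST body was
# written by the client and claims to be "admin". No session cookie.
my %forged_post = ( username => 'admin', report => 'salaries' );
my $forged_cookie = undef;

printf "hidden field says: %s\n", user_from_hidden_field(\%forged_post);
printf "session says:      %s\n",
    user_from_session($forged_cookie, \%SESSION) // '(not logged in)';
```

The first printf shows the vulnerable script accepting "admin"; the second shows the session lookup rejecting the same request because no server-issued id accompanies it, which is why the check must live in the session table and not in the form.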
Replies are listed 'Best First'.

Re: CGI Security
  by mirod (Canon) on Jun 22, 2001 at 16:46 UTC
    by ant (Scribe) on Jun 22, 2001 at 17:41 UTC
      by mirod (Canon) on Jun 22, 2001 at 18:23 UTC
        by ant (Scribe) on Jun 22, 2001 at 19:34 UTC
Re: CGI Security
  by Sifmole (Chaplain) on Jun 22, 2001 at 16:36 UTC
Re: CGI Security
  by BigJoe (Curate) on Jun 22, 2001 at 16:40 UTC
(arturo) Re: CGI Security
  by arturo (Vicar) on Jun 22, 2001 at 17:06 UTC
Re: CGI Security
  by Beatnik (Parson) on Jun 22, 2001 at 20:38 UTC
    by andyford (Curate) on Aug 01, 2006 at 20:25 UTC