Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation
 
PerlMonks  

Re: Embedding an Executable file in Perl program

by submersible_toaster (Chaplain)
on Mar 28, 2003 at 14:23 UTC ( [id://246469]=note: print w/replies, xml ) Need Help??


in reply to Embedding an Executable file in Perl program

OK, merlyn makes a point that the exe (that you want to store user/pass in) can still be reverse engineered so it still is insecure. Good point, but lets presume for the moment that an intruder has not gained shell access to your box- yet.

Without doubt there are windows exploits that permit malicious types to view the sourcecode of your script - thus hardcoding the username and password in there is a bad idea - IF the database is accessible from the web - which if it is being called solely from a CGI or such - should not be the case. The sensitive database ought to be accessible from localhost(127.0.0.1) and possibly trusted hosts on a local network. Certainly NOT from the net in general.

So lets presume now that your server has been (owned/rooted/admin'd/crackered/whatever) invaded, well then the invader has access to your script source, hence can find the executable you are getting the user/pass from, hence can run that executable to glean the user/pass. This only adds one step for the invader, and a pretty simple one at that. Reading the user/pass from a properly permissioned file might be a better way, but I suppose that if your script can have read permission on it - then any would be invader could do the same. Windows monks prepare to flame me ....now but short of changing to a platform with (cough) fewer simple and (cough) obvious exploits - you're still up the security creek in a barbed wire canoe


I can't believe it's not psellchecked
  • Comment on Re: Embedding an Executable file in Perl program

Replies are listed 'Best First'.
Re: Re: Embedding an Executable file in Perl program
by peacemaker1820 (Pilgrim) on Apr 02, 2003 at 15:21 UTC
    Thanks for a lengthful comment....

    But in any way, my users have to be able to connect to the database....so what's your most secure way to do that?
[reply]

      But in any way, my users have to be able to connect to the database.
      Do they really connect to the database, or just to a cgi application which then connects to the db? It sounds as though you're only using a 'master' user/pass to have db access from cgi. Do your users have individual db accounts? Can the CGI perform it's duties for userX if it is logged in as userX ? In that case you would be mindful of the security of your CGI session, (where user/pass is being flung around) instead of being worried about your db master password being available to an intruder.

      Seriously, if someone invades the box, this is all academic - all bets on security are off. Please describe your process more explicitly, post some code and more people may be able to assist you.


      I can't believe it's not psellchecked
[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://246469]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others surveying the Monastery: (2)
As of 2024-04-19 19:36 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found