Date: Sat, 2 Dec 1995 22:56:40 -0800
To: Tudor Hulubei <chang!tudor@pub.ro>
From: wjf@centerfold.com (William J. Fulco)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Tudor,

>Both A and B are in the /cgi-bin directory. I don't want to let
>people call B directly. Is there any way to communicate between
>cgi scripts ? I think A should pass the password to B, B check it
>again, and so on. Is this correct ?
>Hidden variables are no-where secure...

Your best bet would be to keep the password-thingy as an entry in some kind of local data-file that both the A and B cgi's can read/write - what is in the "clear" in the URL (for "GET") or in a hidden variable (in a "POST") is a token/index that "points" to the temp-file or temp-entry... this token should only be good until the B script ends... that way there's a "window" of security danger, but it's not that wide....

As far as not letting people "run" B directly, you can make the A script create the "name" of the B script on the fly, by having B dispatched by some kind of dispatching script that takes the "cookie" (see below) and some hidden/internal state (to the server) and creates the call to B...

>Do you think "hidden" form fields will do the job ?
>

To make it more secure, you can use the "cookie" mechanism for Netscape/Microsoft browsers - check www.netscape.com/... (reference documents) for how a cgi-bin or a nph-cgi type script can deal with "cookies"... Cookies aren't foolproof, but they're "better" than hidden-variables.

>Why does netscape issue that warning ?

Because you have the "warn when submitting a form insecurely" box checked in the netscape preferences.

>Thanks,
>Tudor

(bill)

William J. Fulco
CEO, Chief Scientist
Network XXIII Corporation
wjf@NetworkXXIII.COM
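The hand-off Bill describes (A parks the verified state in a local file, the browser carries only an opaque token, the token is good only until B has used it), written out as an added example in Python that is not part of the original message. The store directory, the token lifetime and the sample state are constructed for the example.

```python
"""Server-side session hand-off between two CGI scripts (A -> B).

A verifies the password, parks the session state in a local file and
sends the browser only an opaque token; B redeems the token exactly once
and refuses anything unknown, malformed, replayed or expired. The token
is the only thing that travels in the URL or hidden field; the password
and the real state never do.
"""
import json
import os
import secrets
import tempfile
import time

# Constructed for the example: a store directory and a short lifetime.
STORE_DIR = tempfile.mkdtemp(prefix="cgi_sessions_")
TOKEN_TTL_SECONDS = 60
# The exact alphabet secrets.token_urlsafe() emits (URL-safe base64, no padding).
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def _path(store_dir, token):
    # Reject anything outside the token alphabet before touching the file
    # system, so a crafted value such as "../x" can never leave the store.
    if not token or any(c not in ALLOWED for c in token):
        return None
    return os.path.join(store_dir, token + ".json")


def issue_token(store_dir, state, ttl=TOKEN_TTL_SECONDS):
    """Script A: after checking the password, park `state` server-side and
    return the unguessable token the browser will carry to script B."""
    token = secrets.token_urlsafe(32)            # 256 random bits
    record = {"expires": time.time() + ttl, "state": state}
    with open(_path(store_dir, token), "w") as fh:
        json.dump(record, fh)
    return token


def consume_token(store_dir, token):
    """Script B: redeem the token once. Returns the parked state, or None
    when the token is unknown, malformed, already used or expired."""
    path = _path(store_dir, token)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        record = json.load(fh)
    os.remove(path)                              # single use: good until B ends
    if time.time() > record["expires"]:
        return None
    return record["state"]


if __name__ == "__main__":
    tok = issue_token(STORE_DIR, {"user": "tudor", "authenticated": True})
    print("A hands the browser:", tok)
    print("B redeems once:", consume_token(STORE_DIR, tok))
    print("replay rejected:", consume_token(STORE_DIR, tok))
```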