[3473] in WWW Security List Archive
Re: CGI Security
daemon@ATHENA.MIT.EDU (Chad Schieken)
Wed Nov 6 11:58:11 1996
To: "Saeid Parivash" <PARIVASH@cc1.unt.edu>
cc: www-security@ns2.rutgers.edu, cschieke@advsys.com
In-reply-to: Your message of "Mon, 04 Nov 1996 10:10:11 CST." <5ACAB120976@cc1.unt.edu>
Date: Wed, 06 Nov 1996 09:44:30 -0500
From: Chad Schieken <cschieke@advsys.com>
Errors-To: owner-www-security@ns2.rutgers.edu
Try using the type=password HTML tag. Users can still re-submit the form, but
you knew that since the query was being sent on the network in clear text that
it was compromised anyway.
If you really want to be secure use SSL. That way users have to go out of
their way to cache these docs and you won't be vulnerable to other types of
attacks.
later...
chad
> Hello everyone,
>
> I have written a cgi application in C, which creates a document. The
> user is then asked to input their ID and PIN #. The user then submits
> the document (method "POST"), and gets some information back.
>
> There is a security problem with the above CGI application. What if
> the user is in the lab, and does not close his navigator. Someone
> can come along and click on the "back button" on their browser, and
> find out the user ID and PIN #.
>
> What can I do so that the document is not cached or making the
> document expire from the cache. So if a user does click on the back
> button on their browser, it will not show the document with the ID
> and PIN #.
>
>
> Any help would be appreciated.
>
> Thanks in advance,
> Saeid.
>
> PARIVASH
>
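The quoted question asks how to keep the ID/PIN page out of the browser cache. As an added example that is not code from either poster, here is a small C CGI helper that emits no-store headers in front of a type=password form, plus a checker for auditing whether a header block actually forbids caching; the function names are assumptions, Cache-Control is HTTP/1.1, and the Pragma/Expires lines are there for HTTP/1.0 caches.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper: writes the CGI header block for the ID/PIN form.
 * "no-store" is what keeps the page out of the browser history cache;
 * Pragma and Expires only matter to HTTP/1.0 caches. */
int write_form_headers(char *out, size_t cap) {
    return snprintf(out, cap,
        "Content-Type: text/html\r\n"
        "Cache-Control: no-store, no-cache, must-revalidate\r\n"
        "Pragma: no-cache\r\n"
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
        "\r\n");
}

/* Case-insensitive test: does this header line start with `name`
 * and contain `directive`? Works on a lowercased copy of the line. */
static int line_has(const char *line, size_t len,
                    const char *name, const char *directive) {
    char buf[256];
    size_t i;
    if (len >= sizeof buf) len = sizeof buf - 1;
    for (i = 0; i < len; i++) buf[i] = (char)tolower((unsigned char)line[i]);
    buf[len] = '\0';
    return strncmp(buf, name, strlen(name)) == 0 && strstr(buf, directive) != NULL;
}

/* Returns 1 only if a Cache-Control line carries "no-store". A bare
 * max-age=0 or Pragma alone does not stop a browser from replaying the
 * page on "back", so those are reported as cacheable (0). */
int response_uncacheable(const char *hdrs) {
    const char *p = hdrs;
    while (*p && strncmp(p, "\r\n", 2) != 0) {   /* stop at the blank line */
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_has(p, len, "cache-control:", "no-store")) return 1;
        if (!eol) break;
        p = eol + 2;
    }
    return 0;
}

int main(void) {
    char hdr[512];
    write_form_headers(hdr, sizeof hdr);
    fputs(hdr, stdout);
    fputs("<form method=\"POST\" action=\"/cgi-bin/lookup\">\n"
          "ID: <input type=\"text\" name=\"id\">\n"
          "PIN: <input type=\"password\" name=\"pin\">\n"   /* masks the PIN on screen */
          "<input type=\"submit\" value=\"Look up\"></form>\n", stdout);
    return 0;
}
```

On a shared lab machine the no-store header addresses the back-button replay; it does not protect the POST body in transit, which is where SSL comes in.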