[4138] in WWW Security List Archive
Re: adduser web page
daemon@ATHENA.MIT.EDU (Dave Kinchlea)
Mon Jan 27 14:25:52 1997
Date: Mon, 27 Jan 1997 09:31:42 -0800 (PST)
From: Dave Kinchlea <security@kinch.ark.com>
To: nella@asis.com
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199701270544.VAA12823@asis.com>
Errors-To: owner-www-security@ns2.rutgers.edu
Sure it can be done; it is done, in fact, probably 100 times over. The issues
wrt security are:
1) cleartext passwords over the net, this is no different than a
telnet session
2) Web spoofing and trojan horses, as your intended users are
expecting to be putting in their password it wouldn't be tough to
convince them. This makes a spoofed page and/or DNS hijacked page easier
to pass off as the real thing
3) browser caching, the passwords will remain in many browsers'
disk and memory cache as not all honour the nocache pragma
Those three are present regardless of how you write the script, you do
of course have to ensure that you take care about authentication of the
incoming user (the previous password may be enough), buffer overruns
(easy in this case, there are almost always limits to password lengths,
simply use the appropriate strncpy), password database locking (just
make sure you are using the same method as all other password
database change routines).
As to code, well if you really can't find any other I will see about
tracking down one of the ones I have seen but I don't have any with me at
this time.
Hope this helps
On Sun, 26 Jan 1997 nella@asis.com wrote:
> Is there any reason why it would not be possible to securely allow users to
> change their passwords via a web page and cgi script? Does anyone know if
> such a script already exists?
>
> Nella
>
>
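As an added illustration, not code from this thread, of two points in the reply above (bounding the password fields with strncpy, and telling browsers not to cache the page): a bounded extraction of the old/new password values from a form body, with the explicit NUL termination that strncpy alone does not guarantee, plus the response headers a change-password CGI should send. The names copy_bounded, get_field, field_equals and no_cache_headers, the PW_MAX limit of 8, and the assumption that values carry no percent-encoding are mine.

```c
#include <string.h>

#define PW_MAX 8  /* assumed password length limit, as on crypt(3)-era systems */

/* Copy src_len bytes of src into dst, or return 0 if they would not fit.
 * strncpy alone does not guarantee a terminator, so add it explicitly. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len) {
    if (src_len >= dst_size)
        return 0;                 /* reject over-long input rather than truncate */
    strncpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 1;
}

/* Find "name=value" in a body like "old=abc&new=def" (values assumed to
 * contain no percent-encoding); returns 1 and fills out on success, else 0. */
int get_field(const char *body, const char *name, char *out, size_t out_size) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, '&');
            size_t vlen = e ? (size_t)(e - v) : strlen(v);
            return copy_bounded(out, out_size, v, vlen);
        }
        p = strchr(p, '&');       /* skip to the next field */
        if (p)
            p++;
    }
    return 0;
}

/* Does field `name` fit within PW_MAX and equal `expected`? */
int field_equals(const char *body, const char *name, const char *expected) {
    char buf[PW_MAX + 1];
    return get_field(body, name, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* Response headers asking browsers and proxies not to store the page
 * (point 3 of the reply: not every browser honours Pragma alone). */
const char *no_cache_headers(void) {
    return "Content-Type: text/html\r\n"
           "Cache-Control: no-store, no-cache\r\n"
           "Pragma: no-cache\r\n"
           "Expires: 0\r\n\r\n";
}
```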