[4146] in WWW Security List Archive
Re: adduser web page
daemon@ATHENA.MIT.EDU (Steve Phelps)
Tue Jan 28 06:43:25 1997
Date: Tue, 28 Jan 1997 09:27:04 +0000
To: nella@asis.com
From: Steve Phelps <steve@epic.co.uk>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 21:44 26/01/97 -0800, you wrote:
>Is there any reason why it would not be possible to securely allow users to
>change their passwords via a web page and cgi script? Does anyone know if
>such a script already exists?
>
>Nella
>
In general, even allowing users to have accounts on your web server
can be insecure; it depends on the circumstances.
The most obvious danger in the above scenario is that the cgi script
may have bugs that let users modify or create privileged accounts.
Test thoroughly and go through the source with a fine-toothed comb.
For really tight security though, don't let the users touch it!
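
Added example, not part of the original message: one way a password-change CGI script could refuse requests that would modify or create privileged accounts. The function names, the UID threshold of 1000 and the sample passwd records are assumptions constructed for illustration.

```python
import re

# Constructed sample of passwd(5)-style records; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
toor:x:0:0:second uid-0 account:/root:/bin/sh
nella:x:1001:1001:Nella:/home/nella:/bin/sh
"""

MIN_USER_UID = 1000  # assumption: ordinary accounts start at UID 1000
# Strict allow-list; rejects ':' and newlines, which would otherwise let a
# form value break out of its field or record in a colon-delimited file.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def load_accounts(passwd_text):
    """Map username -> uid from passwd-format text, skipping malformed lines."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts


def check_request(authenticated_user, target_user, accounts):
    """Return (allowed, reason) for a password-change request from the form."""
    if not USERNAME_RE.fullmatch(target_user):
        return False, "malformed username"
    if target_user != authenticated_user:
        return False, "may only change own password"
    uid = accounts.get(target_user)
    if uid is None:
        return False, "unknown account"  # never create accounts from the web
    if uid < MIN_USER_UID:
        # Checks the UID, not the name, so a second uid-0 account is caught too.
        return False, "privileged or system account"
    return True, "ok"
```
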