[4149] in WWW Security List Archive


Re: adduser web page

daemon@ATHENA.MIT.EDU (Paul Rattray)
Tue Jan 28 10:01:24 1997

Date: Tue, 28 Jan 1997 13:12:25 +0000
To: www-security@ns2.rutgers.edu
From: Paul Rattray <Paul@icbl.hw.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu

A bit harsh, David.

If the original author wants to have a go at changing passwords over the
web, then let's just point out security reasons that he should be aware of.
It is his choice to do it or not.

Personally though, I would avoid it if possible unless the network is secure,
i.e. IP across the building, not the country.

Paul


At 12:49 27/01/97 -0800, you wrote:
>
>
>On Sun, 26 Jan 1997 nella@asis.com wrote:
>
>> Is there any reason why it would not be possible to securely allow users to
>> change their passwords via a web page and cgi script? Does anyone know if
>> such a script already exists?
>
>Passwords for what??? Access to the web site?  Or general system password?
>
>In general, you would NOT want to use an unsecured WWW transaction 
>to change a password.  Certainly NEVER for a password the user might
>use for system login access. There are other exposures since your CGI
>program would have to act with sufficient privileges to change the
>password on behalf of the user.
>
>In summary, since you had to ask the question, you probably don't have
>easy access to the skills required to implement a secure solution and
>perform the necessary risk assessment, etc. Therefore I would conclude
>that you shouldn't do it.
>
>Dave Morris
>
>
>

