[4154] in WWW Security List Archive
Re: adduser web page
daemon@ATHENA.MIT.EDU (Steff Watkins)
Tue Jan 28 14:54:51 1997
Date: Tue, 28 Jan 1997 17:12:06 +0000 (GMT)
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
In-Reply-To: <2.2.32.19970128131225.00725428@ithaca.icbl.hw.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 28 Jan 1997, Paul Rattray wrote:
> A bit harsh David.
>
> If the original author wants to have a go at changing passwords over the
> web, then let's just point out security reasons that he should be aware of.
> It is his choice to do it or not.
>
> Personally though, I would avoid it if possible unless the network is secure
> ie IP across the building, not the country.
Hello,
I agree with this sentiment...
We should be 'enabling' each other's thoughts by pointing out 'Do's and
Don'ts', not attacking each other for trying things out.
On the point of security, if you're using a FORM to change the password
then please remember the following:
- In the '<form>', use '<input type="password">' to prevent users from
'back'ing the browser and reading each other's new passwords (like
obvious, huh??)
- In the form submission process, use a 'POST' not a PUT, as the PUT
will leave the new password visible in the submitted URL. This is not a
problem if the browser is closed after use, but it means that old and new
passwords can be seen if you scan your access log files.
This was a problem I found with an early release of the Harvest
search/index mechanism. Don't know if it's fixed now.
Obvious maybe, but someone had to say them.
Steff
: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
: Phone: +44 177 9287869 (external) 3046 / 7869 (internal)
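As an added illustration of the two points in the message above (example code written for this archive page, not part of the original post or of any project mentioned in it): a small Python audit that checks a change-password form for a password-type input and a POST submission, plus a simplified model of the request line a web server would write to its access log for each form. The form snippets, field names (`old`, `new`) and the sample values are constructed for the example.

```python
"""Added example, not from the original message: audit a password-change
form against the two rules in the post, and show what an access log would
record for a GET versus a POST submission.  Standard library only."""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample forms.  WEAK_FORM breaks both rules: the passwords are
# plain text fields (visible when the page is revisited) and the form
# submits with GET, so the values travel in the URL.
WEAK_FORM = """
<form action="/cgi-bin/chpass" method="get">
  Old: <input type="text" name="old">
  New: <input type="text" name="new">
  <input type="submit">
</form>
"""

# FIXED_FORM follows the advice: password inputs and a POST submission.
FIXED_FORM = """
<form action="/cgi-bin/chpass" method="post">
  Old: <input type="password" name="old">
  New: <input type="password" name="new">
  <input type="submit">
</form>
"""

# Field names we expect to carry secrets (constructed for the example).
PASSWORD_FIELDS = {"old", "new"}


class FormAuditor(HTMLParser):
    """Collect the <form> method/action and each <input> name and type."""

    def __init__(self):
        super().__init__()
        self.method = "get"   # HTML default when the method attribute is absent
        self.action = ""
        self.inputs = []      # list of (name, type) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)       # attribute names arrive lowercased
        if tag == "form":
            self.method = (a.get("method") or "get").lower()
            self.action = a.get("action") or ""
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            self.inputs.append((a.get("name"), itype))


def audit_form(html):
    """Return a list of findings; an empty list means both rules are met."""
    p = FormAuditor()
    p.feed(html)
    findings = []
    if p.method != "post":
        findings.append("form submits with %s: field values end up in the "
                        "URL and in the access log" % p.method.upper())
    for name, itype in p.inputs:
        if name in PASSWORD_FIELDS and itype != "password":
            findings.append('field "%s" is type=%s; use type="password"'
                            % (name, itype))
    return findings


def simulated_request_line(html, values):
    """Return the request line a server would write to a common-log-format
    access log for this form submitted with the given values.  Simplified
    model: a POST body is never logged, a GET query string always is."""
    p = FormAuditor()
    p.feed(html)
    if p.method == "post":
        return "POST %s HTTP/1.0" % p.action
    return "GET %s?%s HTTP/1.0" % (p.action, urlencode(values))


if __name__ == "__main__":
    sample = {"old": "hunter2", "new": "s3cret"}   # constructed values
    for label, form in (("weak", WEAK_FORM), ("fixed", FIXED_FORM)):
        print(label, "findings:", audit_form(form) or "none")
        print(label, "access log would show:", simulated_request_line(form, sample))
```

Running the block prints three findings for the weak form and none for the fixed one, and shows that only the GET submission puts both passwords into the logged request line; the same auditor can be pointed at any form whose secret-carrying field names are listed in `PASSWORD_FIELDS`.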