[4489] in WWW Security List Archive
Re: Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (Anthony Cuykens)
Wed Feb 19 04:50:54 1997
Date: Wed, 19 Feb 1997 09:14:32 +0100
From: Anthony Cuykens <acuykens@ulb.ac.be>
Reply-To: acuykens@ulb.ac.be
To: Jim Harmon <jim@telecnnct.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Jim Harmon wrote:
>
> Hello all,
>
> I have been tasked with implementing an Intranet Browsable problem
> tracking system.
>
> The system we're using is GNATS (GNU Activity Tracking System), with a
> CGI program called WWWGNATS, a perl-based user interface.
>
> As part of the security of this system, we've built our IntraNet on a
> restricted user --say "homeboy".
>
> Whenever I try to identify a user, the $ENV resolution of $REMOTE_USER
> is "homeboy", not user "fred" or "charlie" or "alice".
>
> Without getting into login scripts for our IntraNet, is there a way for
> me to capture the user's real account name via his/her browser?
>
> We have users on UNIX, NT, and Win95 running Netscape 3.0, and several
> MACs running Netscape 3.0 or TCPConnect 2 or 4. All of them have the
> correct system aliases for the users in the mail preferences/setups.
>
> Is there a way to include or discover that information in the CGI
> Script?
>
> --
> Jim Harmon The Telephone Connection
> jim@telecnnct.com Rockville, Maryland
Jim,
I recently logged on to a web page called anonymizer
(http://www.anonymizer.com) which proposes to let you surf on the net
without leaving any track of your identity. To prove that their site is
useful, they begin by showing you information that they got
about you through the connection. From a Unix platform, they were able
to get my address and the login name of all the people currently
connected; from an NT workstation, they only get my address.
I do not know how they do that, but maybe you could go there to see what
they are able to perform; you should be able to do the same.
--------------------------------------------------------------
Anthony Cuykens
Researcher in Computer Science, Security
Free university of Brussels (ULB) Belgium
e-mail: mailto://acuykens@ulb.ac.be
url: http://www.ulb.ac.be/di/scsi/acuykens/home_page.html
phone: +32 2 650.56.01
fax: +32 2 650.56.09
s-mail: Boulevard du triomphe, cp 212
        1050 Bruxelles
        Belgium
-------------------------------------------------------------
Axiom of optimality: When all else has failed,
read the instruction manual.