[4641] in WWW Security List Archive
Re: changing passwords
daemon@ATHENA.MIT.EDU (Ammon)
Mon Mar  3 22:44:55 1997
Date: Mon, 03 Mar 1997 19:13:50 -0600
To: www-security@ns2.rutgers.edu
From: Ammon <ammon@ikx.org>
In-Reply-To: <199703030104.CAB00164@alpha2.zigzag.pl>
Errors-To: owner-www-security@ns2.rutgers.edu
>Being an administrator for an ISP I've always had many clients
>requesting some Web interface for changing passwords. I guess with
>
>Does anybody have any idea how it could be done?
Well...this may or may not work, but here is what I am thinking: Write a
program that connects to a port on your computer (CGI prog). On this port
could be another program listening that allows users to enter in their
password. Write up a cgi program/form to send information to this port, and
you're all set. One thing you may want to do first: encrypt the string
(even if it's 'encrypted' in uuencode) before you pass it to the server, so
that anyone sniffing can't take a look at it. Make sure you make the cgi
prog and the port listener bug-free, because if I were to go after your
server, then one of the first things that I would do would be to see if
there are any bugs in that program (such as telling someone that a user
name does or does not exist, that they entered the wrong password first,
etc.). Also, make sure you log accesses to that program on the port (and
the web accesses to the page) to make sure that there is no suspicious
activity going on. As an added measure of security (though this can be
circumvented --sorry, bad speller-- if the attacker has the right tools),
check the IP address of the person accessing the web page/program to make
sure they are on your ISP. All of these things will deter anyone but the
most absolutely determined attackers. 
I had a similar thing like this, where I had a program to set up users'
passwords through htpasswd. Well....that's how I'd probably do it, at least :)
    ____      _  _      _  _      ____      __ _        
    |--|   o  |\/|   o  |\/|   o  [__]   o  | \|     
                                                     
             a m m o n @ i k x . o r g               
            i k x . o r g / ~ a m m o n              
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"Everyone has a talent. What is rare is the courage to
follow that talent to the dark place where it leads."
"A riot is the language of the unheard."
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
___ __  __   __   __   __                              
 | |__)  _) /__  /  \ /  \     take back alt.2600    
 | |__) /__ \__) \__/ \__/  http://tb2600.home.ml.org
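
The checks suggested in this message (the same reply for an unknown user name and for a wrong password, a log entry for every attempt, and a test of whether the client is on the ISP's network), sketched as an added example that is not part of the original post. The address ranges, the user store and all function names are assumptions made for illustration; how the request travels between browser and server is outside its scope.

```python
import hashlib
import hmac
import ipaddress
import logging
import os

log = logging.getLogger("pwchange")

# Constructed sample values: documentation address ranges standing in for the ISP's networks.
ISP_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
GENERIC_FAILURE = "Password change failed."


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    """Build a stored record (salt + salted hash) for the hypothetical user store."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _digest(password, salt)}


USERS = {"alice": make_user("old-secret")}   # constructed sample account
_DUMMY = make_user(os.urandom(16).hex())     # stand-in record for unknown names


def on_isp_network(client_ip):
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ISP_NETWORKS)


def change_password(client_ip, username, old_pw, new_pw, users=USERS):
    """Return (ok, message); every failure yields the same message to the client."""
    record = users.get(username)
    candidate = record or _DUMMY  # hash either way so unknown names cost the same work
    pw_ok = hmac.compare_digest(_digest(old_pw, candidate["salt"]), candidate["hash"])
    on_net = on_isp_network(client_ip)
    ok = on_net and record is not None and pw_ok
    # The precise reason is logged for the administrator, never returned to the caller.
    log.info("pwchange ip=%r user=%r on_net=%s known=%s pw_ok=%s ok=%s",
             client_ip, username, on_net, record is not None, pw_ok, ok)
    if not ok:
        return False, GENERIC_FAILURE
    users[username] = make_user(new_pw)
    return True, "Password changed."
```
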