httpd-dev mailing list archives

From Graham Leggett <>
Subject Re: Passing passwords to CGI
Date Wed, 04 Aug 1999 13:43:15 GMT
Bill Jones wrote:

> > Here's a thought - how about including the capability for passwords to
> > be inserted into the POST data that a CGI reads via stdin, ie the
> > password could be read as if it was simply another option on a form.
> >
> > The name of this POST variable would be configurable so it didn't clash
> > with any existing variables in CGI.
> >
> > Is this a good idea? If so, I'll try to get it to work.

> Here is why you don't want to do that:

> open (STDIN,"/usr/sbin/tcpdump -lnx -s 1024 dst port 80|");

You misunderstand me - I'm saying that the password, retrieved from
standard browser authentication, be transferred to a CGI via stdin along
with all the other POST variables.

I am well aware of the dangers of clear text passwords over the wire,
however this problem is a browser authentication issue that can be
solved using SSL, etc. The problem I am referring to is a different one
- when the webserver has got the password (clear text, SSL, whatever)
and has finished authenticating the user it throws that password away,
and no secure mechanism exists to transfer this password from the
webserver (not the browser, but the webserver) to the CGI for the use of
the CGI for whatever reason.

The main security issue here seems to be making sure that passwords only
get sent to "approved" CGIs, rather than just any CGI, preventing a
person with access to the server from placing a rogue password stealing
CGI down and convincing people to hit it with their browser. This can be
fixed through config options.

-----------------------------------------
"There's a moon over Bourbon Street
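As an added illustration of the proposal above (this is not code from the thread or from httpd), the following Python sketch models the server-side step as a gate: the password is appended to a form-encoded POST body only for scripts on an allowlist, the reserved field name is rejected if the client already sent it, and Content-Length is recomputed so the CGI does not read a truncated body. The field name `__auth_password`, the allowlist, and the function names are assumptions for the example.

```python
# Added example: simulate injecting the authenticated password into the
# POST body a CGI reads on stdin, with the config-driven checks the post asks for.
from urllib.parse import parse_qsl, urlencode

# Hypothetical configuration (assumed names, not httpd directives).
PASSWORD_FIELD = "__auth_password"                      # reserved form field
APPROVED_CGIS = frozenset({"/cgi-bin/change-pw.cgi"})   # scripts allowed to receive it


class InjectionRefused(Exception):
    """Raised when the password must NOT be handed to this script."""


def inject_password(script_path, headers, body, password):
    """Return (headers, body) as the CGI would see them.

    Refuses when the script is not approved, when the body is not a plain
    form POST, or when the client already supplied the reserved field name
    (a client-chosen value could otherwise mask the server-supplied one).
    """
    if script_path not in APPROVED_CGIS:
        raise InjectionRefused("script not approved to receive credentials")
    ctype = headers.get("Content-Type", "").split(";")[0].strip()
    if ctype != "application/x-www-form-urlencoded":
        raise InjectionRefused("only form-encoded bodies are rewritten")
    fields = parse_qsl(body, keep_blank_values=True)
    if any(name == PASSWORD_FIELD for name, _ in fields):
        raise InjectionRefused("reserved field name present in client body")
    fields.append((PASSWORD_FIELD, password))
    # urlencode escapes '&', '=' and spaces so the CGI's parser cannot be
    # confused by the password's own characters.
    new_body = urlencode(fields)
    new_headers = dict(headers)
    # The original Content-Length would make the CGI stop reading early.
    new_headers["Content-Length"] = str(len(new_body.encode()))
    return new_headers, new_body


def cgi_fields(body):
    """What a CGI parsing stdin as a form would recover."""
    return dict(parse_qsl(body, keep_blank_values=True))


if __name__ == "__main__":
    hdrs = {"Content-Type": "application/x-www-form-urlencoded", "Content-Length": "14"}
    h, b = inject_password("/cgi-bin/change-pw.cgi", hdrs, "user=alice&x=1", "p&ss=w rd")
    print(h["Content-Length"], b)               # 37 user=alice&x=1&__auth_password=...
    print(cgi_fields(b)[PASSWORD_FIELD])        # p&ss=w rd
```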
