httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael H. Voase" <mvo...@midcoast.com.au>
Subject Re: Passing passwords to CGI
Date Thu, 05 Aug 1999 12:29:47 GMT
Graham Leggett wrote:
> 
> Dirk-Willem van Gulik wrote:
> 
> > I fear that by the time you allow something spawned from apache to get at
> > the password, be it by and env() variable, or on the STDIN, in either case
> > you have already a hole so big that you _have_ to trust esentially all
> > users which can enter commands.
> 
> I agree that there are security issues, but the problem is that because
> there is no way of getting passwords out of Apache safely, CGIs must
> resort to cookies (which are passed via the environment), or tacked onto
> the URI (which are passed in the environment) to solve the problem -
> both of which are unsafe techniques.
> 
> This doesn't however remove the need for some CGIs in some installations
> from knowing the password. It should be ensure that it's possible for a
> CGI to get the password where it should, but it should be impossible for
> a password to be retrieved by either a rogue CGI or a normal user on the
> box.
> 
> The lack of a password passing mechanism also introduces a greater
> security risk, because it means I must bind to my LDAP or other database
> with "system" priveledges built into the CGI, which could be compromised
> in the case of a system bug, or a user read access to the CGI.
> 
> > I just think that the problem it is not worth such a hacky trick; a normal
> > directive is about as far as I would go.
> 
> The suggestion that extra "private" information be included after the
> POST data seems to sound quite good. This information would only be sent
> to CGIs or CGI directories specifically defined in the httpd.conf file,
> which is under administrator control anyway.
> 
> By default, the behavior would be switched off, so default and existing
> systems would not be compromised by the new addition. It could be
> enabled only via a directive actively put there by an admin who would be
> warned in the docs and config file about the consequences of what they
> were doing.
> 
> Regards,
> Graham
> --
> -----------------------------------------
> minfrin@sharp.fm                "There's a moon
>                                         over Bourbon Street
>                                                 tonight...

Ok I do have something to say on this topic. If you want to 
pass sensitive information to a cgi script, then have a 
close look at cgisock. Although its original intention was to
accelerate cgi processing, an unintentional offshoot was that
it closes the security hole that occurs with cgi scripts. I
will say before you venture down the cgisock path that you will
be creating a new _server_ not just a script. However in spite
of this, cgisock does close the SECURITY_HOLE_PASS issue since
no environment variables are exposed to the outside world.

Cheers Mik.

-- 
----------------------------------------------------------------------------
 /~\     /~\            CASTLE INDUSTRIES PTY. LTD.
 | |_____| |            Incorporated 1969. in N.S.W., Australia
 |         |            Phone +612 6567 1227 Fax +612 6567 1449
 |   /~\   |            Web http://www.midcoast.com.au/~mvoase
 |   [ ]   |            Michael H. Voase.  Director.
~~~~~~~~~~~~~~          Castle Industries - Industrial Strength
Solutions.
----------------------------------------------------------------------------

Mime
View raw message