httpd-users mailing list archives

From Geoffrey <esote...@3times25.net>
Subject Re: [users@httpd] do I have access to the user id used in basic authentication?
Date Fri, 06 Feb 2004 19:37:18 GMT
Joshua Slive wrote:
> On Fri, 6 Feb 2004, Geoffrey wrote:
> 
>>The initial page is static html, but it's a form that's processed by
>>perl.  Here's my solution using server side includes, since I wanted to
>>be able to pass the value as an input to the cgi:
>>
>><input type="hidden" name="userid"
>>value="<!--#echo var="REMOTE_USER"-->">
>>
>>I wrapped it to fit the email, but in the code, it was all on one line.
>>
>>Which produces the following in the html nicely:
>>
>><input type="hidden" name="userid" value="esoteric">
> 
> 
> Woh.  This is terribly insecure and should only be used if you don't
> really care what userid the cgi script sees.  The user could bypass
> your html page and supply any userid it wants to the cgi script.

The cgi script is protected by the basic auth as well.

The user id is mapped to other data in a one-to-many relationship, so it's 
really not going to get them much.

I don't really see how it is insecure.  You can't get to that page 
without entering the userid/password in the pop up.  If you do, then you 
already know what is going to be there.

> 
> To make this more secure, you should protect the cgi script itself with
> basic auth and look at the REMOTE_USER env variable inside the cgi script.

The cgi script that processes the page is protected by basic auth.  All 
this id gets a person is access to read only data.  None of the ids are 
real machine ids.

Further, the data is not protected by ssl as it's not considered necessary.

> 
> Joshua.


-- 
Until later, Geoffrey                     Registered Linux User #108567
Building secure systems in spite of Microsoft
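Added example, not part of this thread or of the Apache project: a CGI handler showing the approach Joshua recommends, taking the authenticated identity from the REMOTE_USER environment variable that httpd sets after Basic auth succeeds, rather than from the hidden "userid" form field that the browser (or anyone with the credentials and curl) can set to any value. It assumes the script lives under the same AuthType Basic protected location as the form page and that the hidden field is still named "userid" as in Geoffrey's SSI snippet; the sample requests are constructed, not captured traffic.

```python
"""Added example (not from the httpd-users thread): prefer REMOTE_USER over a
client-supplied hidden field when a CGI script decides whose data to act on.

Assumed layout (not stated in the original messages): both the SSI form page
and this script sit under one <Location> with AuthType Basic / Require valid-user,
so httpd has already authenticated the user and exported REMOTE_USER.
"""
import os
import sys
from urllib.parse import parse_qs


def authenticated_user(environ):
    """Return the user httpd authenticated, or None if REMOTE_USER is missing.

    A missing REMOTE_USER means the script was reached without Basic auth,
    e.g. it was left outside the protected <Location>."""
    user = environ.get("REMOTE_USER")
    return user if user else None


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict
    (first value wins for repeated names)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def resolve_request(environ, body):
    """Decide which user this request may act on.

    Returns (status, user):
      ("unauthenticated", None)  REMOTE_USER absent: refuse to serve anything
      ("tampered", user)         hidden "userid" field disagrees with REMOTE_USER
      ("ok", user)               field absent or consistent with REMOTE_USER
    Whenever a user is returned it is REMOTE_USER; the form value is never
    used as an identity, only compared so tampering can be logged."""
    user = authenticated_user(environ)
    if user is None:
        return ("unauthenticated", None)
    claimed = parse_form(body).get("userid")
    if claimed is not None and claimed != user:
        return ("tampered", user)
    return ("ok", user)


# Constructed sample requests (hypothetical, for illustration only).
HONEST = ({"REMOTE_USER": "esoteric"}, "userid=esoteric&action=view")
# Same authenticated user, but the hidden field was edited before submission.
TAMPERED = ({"REMOTE_USER": "esoteric"}, "userid=alice&action=view")
# Script reached with no Basic auth at all (misconfigured <Location>).
UNPROTECTED = ({}, "userid=alice&action=view")


def main():
    """Minimal CGI entry point: read the POST body, resolve the user, respond."""
    environ = dict(os.environ)
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.read(length) if length else ""
    status, user = resolve_request(environ, body)
    if status == "unauthenticated":
        print("Status: 401 Unauthorized\r\nContent-Type: text/plain\r\n\r\n"
              "authentication required", end="")
        return
    if status == "tampered":
        # Log the mismatch to the error log; serve only REMOTE_USER's data.
        print("userid field did not match REMOTE_USER=%s" % user, file=sys.stderr)
    print("Content-Type: text/plain\r\n\r\nserving read-only data for %s" % user,
          end="")


if __name__ == "__main__":
    main()
```

Nothing here makes the hidden field harmful by itself; the point is that the script's authorization decision no longer depends on it, so editing it only produces a log line rather than someone else's data.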


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

