httpd-users mailing list archives
From Tim Wood <timwo...@pacbell.net>
Subject Re: [users@httpd] do I have access to the user id used in basic authentication?
Date Fri, 06 Feb 2004 21:30:45 GMT
At 11:37 AM 02/06/04, Geoffrey wrote:


>>><input type="hidden" name="userid" value="esoteric">
>>
>>Whoa.  This is terribly insecure and should only be used if you don't
>>really care what userid the cgi script sees.  The user could bypass
>>your html page and supply any userid it wants to the cgi script.
>
>The cgi script is protected by the basic auth as well.
>
>The user id is mapped to other data one to many relationship, so it's really not going
>to get them much.
>
>I don't really see how it is insecure.  You can't get to that page without entering the
>userid/password in the pop up.  If you do, then you already know what is going to be there.

Another hole is that if the server uses the <input>ted username to determine authorization,
one could log in as user A then POST user B's name to the CGI and run with B's privileges.
If the inputted username is informational only, get rid of it and consult the authentication
cookie, to avoid confusion like this.


>>To make this more secure, you should protect the cgi script itself with
>>basic auth and look at the REMOTE_USER env variable inside the cgi script.
>
>The cgi script that processes the page is protected by basic auth.  All this id gets a
>person is access to read only data.  None of the ids are real machine ids.
>
>Further, the data is not protected by ssl as it's not considered necessary.

The risk is that valuable data will someday be placed behind the weak/confused security mechanism.

TW
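Added illustration (not part of Tim's or Geoffrey's messages, and not Apache project code): the two CGI
lookups discussed above side by side. The first trusts the hidden "userid" form field and so lets an
authenticated user A POST user B's name and read B's records; the second ignores the field and keys
everything off REMOTE_USER, which httpd only sets once Basic auth has succeeded for the script's own
location. The record table, the user names and the httpd.conf fragment in the comments are assumptions
made up for the example.

```python
"""
Hypothetical Apache CGI script contrasting a client-supplied userid with REMOTE_USER.

Assumed httpd configuration (example only), which makes httpd demand credentials
before the script runs and export the verified name as REMOTE_USER:

    <Directory "/var/www/cgi-bin">
        AuthType Basic
        AuthName "Reports"
        AuthUserFile /etc/httpd/reports.passwd
        Require valid-user
    </Directory>
"""
import os
import sys
from urllib.parse import parse_qs

# Constructed sample data: which authenticated user may read which records.
RECORDS = {
    "alice": ["report-a1"],
    "bob": ["report-b1", "report-b2"],
}


def lookup_vulnerable(environ, body):
    """The pattern from the thread: authorization keyed on a hidden form field.

    Returns (http_status, records).  Whoever got past Basic auth as *any* user
    can name any other user in the POST body and receive that user's data.
    """
    userid = parse_qs(body).get("userid", [""])[0]
    return 200, RECORDS.get(userid, [])


def lookup_hardened(environ, body):
    """Authorization keyed on REMOTE_USER, which httpd sets after Basic auth.

    Returns (http_status, records).  401 if the script was reached without
    authentication (misconfigured location); 403 if the form still carries a
    userid that disagrees with the authenticated one, rather than trusting it.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return 401, []
    claimed = parse_qs(body).get("userid", [None])[0]
    if claimed is not None and claimed != user:
        return 403, []
    return 200, RECORDS.get(user, [])


def demo():
    """Alice authenticated to httpd, but POSTs bob's name (constructed request)."""
    environ = {"REMOTE_USER": "alice", "REQUEST_METHOD": "POST"}
    body = "userid=bob"
    return {
        "vulnerable": lookup_vulnerable(environ, body),   # bob's records leak
        "hardened": lookup_hardened(environ, body),       # refused with 403
        "hardened_no_field": lookup_hardened(environ, ""),  # alice's own data
    }


def main():
    """Real CGI entry point: read the POST body httpd hands us on stdin."""
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.read(length) if length else ""
    status, records = lookup_hardened(os.environ, body)
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n")
    sys.stdout.write("\n".join(records) + "\n")


if __name__ == "__main__":
    if "GATEWAY_INTERFACE" in os.environ:   # running under httpd
        main()
    else:                                   # run from a shell: show the contrast
        for name, result in demo().items():
            print(f"{name}: {result}")
```

Run it from a shell (no GATEWAY_INTERFACE set) to see the contrast; dropped into a cgi-bin under the
configuration above, only the hardened path is used. The 403-on-mismatch branch is the "get rid of it"
advice in code form: if a leftover hidden field disagrees with what httpd verified, treat the request
as tampered rather than picking one of the two names.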
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

