User Security


Robert TV

Hello all,

I'm trying to build the best possible security for my perl script. The main
page of my web site has a login and password box. When submitted, the userid
and password are compared against valid accounts, and the program runs if
successful. I foresee a potential security hole in the, and it has to do with
someone accessing the perl script from their own web page or server using a
false login and password form that would have the same form names as my own.
I would like my script to check the referrer of the login submission and
take action based on that result. EG:

#!/usr/bin/perl
use strict;
use warnings;

# The web server hands the client's Referer header (if it sent one) to the
# CGI script as the HTTP_REFERER environment variable
my $referer = $ENV{HTTP_REFERER} || '';

if ($referer !~ m{^https?://myserver\.com/login\.pl}) {
    print "Content-type: text/plain\n\nAccess Denied";
    exit;
} else {
    # allow access to my program, and verify username and password
}

Can someone please help me out with the syntax I would need to correctly
accomplish this?

Thanx!
Randy
 

Tintin

Robert TV said:
> Hello all,
>
> I'm trying to build the best possible security for my perl script. The main
> page of my web site has a login and password box. When submitted, the userid
> and password are compared against valid accounts, and the program runs if
> successful. I foresee a potential security hole in the, and it has to do with
> someone accessing the perl script from their own web page or server using a
> false login and password form that would have the same form names as my
> own.

If they are using a false login, how would it be able to get in if you are
validating the userid/password?

> I would like my script to check the referrer of the login submission and
> take action based on that result. EG:
>
> #!/usr/bin/perl
>
> if (referring web page does not eq "myserver.com/login.pl") {
> print "Access Denied";
> exit;
> } else {
> allow access to my program, and verify username and password
> }
>
> Can someone please help me out with the syntax I would need to correctly
> accomplish this?

if ($CGI_variable_that_may_or_may_not_be_valid/available_and_would_be_the_same_in_any_other_language != "myserver.com/login.pl") {
print "Access Denied";
exit;
} else {
allow access to my program, and verify username and password
}
 

ko

Robert said:
> Hello all,
>
> I'm trying to build the best possible security for my perl script. The main
> page of my web site has a login and password box. When submitted, the userid
> and password are compared against valid accounts, and the program runs if
> successful. I foresee a potential security hole in the, and it has to do with
> someone accessing the perl script from their own web page or server using a
> false login and password form that would have the same form names as my own.
> I would like my script to check the referrer of the login submission and
> take action based on that result. EG:
>
> #!/usr/bin/perl
>
> if (referring web page does not eq "myserver.com/login.pl") {
> print "Access Denied";
> exit;
> } else {
> allow access to my program, and verify username and password
> }
>
> Can someone please help me out with the syntax I would need to correctly
> accomplish this?
>
> Thanx!
> Randy

If you're really concerned about eliminating security holes, you should
*never* assume any data passed by the client is good/trustworthy. For
example, the LWP module allows someone to easily manipulate client
header (including the referer) values.

HTH - keith
 

Eric J. Roode

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I'm trying to build the best possible security for my perl script. The
> main page of my web site has a login and password box. When submitted,
> the userid and password are compared against valid accounts, and the
> program runs if successful. I foresee a potential security hole in
> the, and it has to do with someone accessing the perl script from
> their own web page or server using a false login and password form
> that would have the same form names as my own. I would like my script
> to check the referrer of the login submission and take action based
> on that result. EG:
>
> #!/usr/bin/perl
>
> if (referring web page does not eq "myserver.com/login.pl") {
> print "Access Denied";
> exit;
> } else {
> allow access to my program, and verify username and password
> }
>
> Can someone please help me out with the syntax I would need to
> correctly accomplish this?

Syntax is not your problem.

"Referer" is an OPTIONAL field; user agents (eg browsers) are not
required to provide it. Also, user agents can represent it to be
anything they want. It's as reliable as politicians' campaign promises.

You could try the REMOTE_IP, but that has problems too. Nowadays, it
usually contains the address of an ISP's proxy, so everyone using that
ISP (or at least that particular proxy) will appear to you as though
they came from the same IP. Also, with modern dynamic IP schemes, a
valid user's IP can change during a session.

You should if possible use an https page for the user login, so that
crackers cannot snoop valid UIDs and passwords from the http traffic.

What are you really trying to accomplish? If someone has a valid user ID
and password, why do you care what web page or server they're coming
from? Maybe they hate part of your interface and have written their own
way around it for their own convenience. I do this with bank and
cellphone status websites that make it a pain to check my balance (e.g.).

- --
Eric
$_ = reverse sort $ /. r , qw p ekca lre uJ reh
ts p , map $ _. $ " , qw e p h tona e and print

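The advice from keith and Eric turned into a working login handler, as an added example written for this page rather than code from anyone in the thread: the Referer is only recorded, a submission over plain http is refused, and the credential check is the real gate. The account table, salt, password, the salted SHA-256 placeholder scheme and the assumption that the server exposes mod_ssl's HTTPS=on are all constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed account table (not from the thread): a salt and a salted SHA-256
# digest per user. Placeholder scheme for the demo; use bcrypt/scrypt for real.
my %ACCOUNTS = (
    randy => { salt => 's4ltv4lue', hash => sha256_hex('s4ltv4lue' . 'example-pass') },
);

# Constant-time equality: the compare itself must not leak how many bytes matched.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# $env stands in for %ENV as the web server fills it. Returns (granted, reason).
sub login_decision {
    my ($env, $user, $pass) = @_;
    # Assumes mod_ssl's HTTPS=on; never accept a password that crossed plain http.
    return (0, 'login accepted over https only') unless ($env->{HTTPS} // '') eq 'on';
    # Referer is optional and client-chosen (Eric, keith): log it, never gate on it.
    my $referer = $env->{HTTP_REFERER} // '(not sent)';
    my $acct = $ACCOUNTS{ $user // '' };
    # Hash something even for unknown userids so timing does not reveal which exist.
    my $salt   = $acct ? $acct->{salt} : 'dummy-salt';
    my $stored = $acct ? $acct->{hash} : sha256_hex('dummy-salt' . 'dummy-pass');
    my $ok = same_string(sha256_hex($salt . ($pass // '')), $stored) && defined $acct;
    return $ok ? (1, "ok (referer=$referer)") : (0, 'bad userid or password');
}

# Constructed requests covering the thread's cases: a matching Referer with the
# wrong password, no Referer at all with the right one, and a plain-http login.
my @requests = (
    [ { HTTPS => 'on', HTTP_REFERER => 'http://myserver.com/login.pl' }, 'randy', 'wrong' ],
    [ { HTTPS => 'on' },                                                'randy', 'example-pass' ],
    [ { HTTP_REFERER => 'http://myserver.com/login.pl' },               'randy', 'example-pass' ],
);
for my $req (@requests) {
    my ($granted, $why) = login_decision(@$req);
    printf "%-5s %s\n", $granted ? 'ALLOW' : 'DENY', $why;
}
```

Only the second request is granted; the first fails on the password despite a "correct" Referer, and the third is refused before any credential is even looked at because it arrived over http.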
 
