Novician has asked for the wisdom of the Perl Monks concerning the following question: (cgi programming)

Let's say I login on the browser, and click a few times here and there on the web-server to do stuff. Then, I get distracted and go to a webmail site to retrieve and read my mail without closing the current browser. One of the messages has a link to an "evil" website, having malicious scripts, etc. When I click on the link, information about which websites I had visited before, my IP, etc., will be sent to the "evil" website. Using that data it's able to do malicious stuff on the server I visited last, since I had already logged on before. The "evil" website will be able to send commands to the server as me!

So, my question is.... How do you, webmasters, solve or prevent this problem? Is there a better way than prompting the user for their login ID and password everytime they go to restricted area on the web server, or webpage?

Originally posted as a Categorized Question.

  • Comment on Login and CGI security ("open cookie jar") problem.

Replies are listed 'Best First'.
Re: Login and CGI security problem.
by httptech (Chaplain) on May 12, 2000 at 15:23 UTC
    It sounds like you're talking about the IE "open cookie jar" bug. If you're using IE, this could happen to you I suppose. It's definitely not a good thing to store usernames and passwords in cookies, but a lot of sites do it anyway.

    The way I handle this problem is by using Apache's built in authentication modules. There's no information a hostile site could get from your browser (well, I don't know, IE seems to like to save passwords).

    Anyway, the nice thing about letting Apache do the authentication step for you is that your scripts can just concentrate on the task at hand, instead of worrying about any holes you might have left in your authentication method. All you have to do is retrieve the $ENV{'REMOTE_USER'} variable and you can be pretty sure that's who you're dealing with.

[reply]
Re: Login and CGI security problem.
by Anonymous Monk on Apr 04, 2003 at 09:17 UTC
    You could also just dump the password and login id to the cookie jar, but encrypt them with a private key.
[reply]
Re: Login and CGI security problem.
by turnstep (Parson) on May 12, 2000 at 19:42 UTC
    When I click on the link, information about which websites I had visited before, my IP, etc., will be sent to the "evil" website. Using that data it's able to do malicious stuff on the server I visited last, since I had already logged on before.

    The only compromising data is the referrer, or the URL to which you had been to before. It cannot tell which "websites" you had visited before, only the previous page. Yes, your IP is known, but it is known anyway, to every site you visit, and to everyone you email. Furthermore, most (if not all) browsers only send the referring information if you click on a a link, not if the browser is invoked by an external program. So this is only an issue with web-based email readers.

    In summary, there is nothing to worry about. Just don't put information like passwords into URLs when writing scripts (a bad idea for more than the reason mentioned here) and everything will be fine. I really doubt that any major web mail services do such a thing anyway. Such holes were patched a long time ago.

    As to how to avoid them while writing scripts (which almost makes this a perl question, but not quite), just store password information on the server (best) and/or use cookies and/or use HIDDEN input tags.

[reply]
Re: Login and CGI security problem.
by chromatic (Archbishop) on May 12, 2000 at 20:51 UTC
    Another option is to use a timestamp on the server. For every action the user attempts to take, check the last timestamp for that account. If it's been more than 10 minutes, require re-authorization. Otherwise, update the timestamp to the current time and perform the action.

    Sure, there is a window of time where some tricky malicious scripting could redirect the client to do something unintended, but it's minimized somewhat here.

[reply]
Re: Login and CGI security problem.
by DarkSniper (Initiate) on Feb 17, 2003 at 12:30 UTC
    just noticed a typo in my answer. 
    my $time_algo += $s for my $s @time2..5;

    [download]
    should really be changed to: 
    my $time_algo += $_ for @time2..5;

    [download]

    Originally posted as a Categorized Answer.

[reply]
[d/l]
[select]
Re: Login and CGI security problem.
by DarkSniper (Initiate) on Feb 17, 2003 at 11:40 UTC
    i hacked a quick perlscript that generates a certain value under one hour. This is all controlled by cookies. :) 
    my @time = localtime();
my $time_algo = 0;
$time_algo = += $_ for @time[2..5];
my $salt = 'salty';
my $cipher = crypt($time_algo,$salt);

if ($cipher ne $current_cipher){
    #force to reidentify;
}

    [download]
    good luck :)
[reply]
[d/l]
A reply falls below the community's threshold of quality. You may see it by logging in.

Back to Seekers of Perl Wisdom