Re: Re: Encrypting Largish Files

"Passord" isn't an english word ;)

My co-worker told me about a program he wrote in his hacking days which tried a brute force assault on a server over http, giving a name and password from a list of first names.

Apparently a lot of people use their first name for both their username and password - so all you need is a list of popular first names....

How about hard-coded passwords - can anyone comment on the security of having an admin password written into a cgi script?

I put an admin section into a site, which is based around a single cgi script. The password for using the admin controls is held as a scalar in the cgi code, and I'm hoping thats pretty safe (because the server will always execute that script and not list it to the browser). Am I fooling myself?

willdooUK
--------------
"Home is a castle you built in my mind; I'm home anywhere, anytime."
Donny Hathaway

Comment on Re: Re: Encrypting Largish Files

Replies are listed 'Best First'.
Re: Re: Re: Encrypting Largish Files by blakem (Monsignor) on Sep 24, 2001 at 23:15 UTC
You're probably fooling youself a bit... The first stage in almost any cgi exploit is to find a way to read the source code. There are lots of ways to do this, but a classic one is to use one insecure CGI to read the source of another. I frequently get entries in my access_log that look like this: `GET http://whatever.com/cgi-bin/some.cgi?file=../cgi-bin/someother.cgi` [download] If the author of some.cgi wasn't careful, its possible that some.cgi will spit back the source to someother.cgi. -Blake	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: Re: Encrypting Largish Files
by blakem (Monsignor) on Sep 24, 2001 at 23:15 UTC

GET http://whatever.com/cgi-bin/some.cgi?file=../cgi-bin/someother.cgi
[download]

-Blake

[reply]
[d/l]