Hi, I've been asked to investigate security problems with web pages that I've been working on.

One set of pages uses the .htaccess file in the directory, so the user is asked for a user name and password before accessing any web pages in that directory or subdirectory. How secure is .htaccess? Is the user name and password encrypted when it is sent to the server, and how safe/good is the encryption? The server is sitting behind the firewall, which means people outside of the organisation cannot access/view it, which must be a good thing.

The second set of pages takes a username from a main login screen and inserts it into a hidden field, which I know is not hidden because it can be seen in the source code. This username is then passed as a variable to a new screen via the POST method, and is checked against a database. Is it possible for a user to access a web page without going through the main login screen, by inserting a username in the parameters?

Many thanks in advance.

Anthony

PS: I know the Perl FAQ on security tips, Q41: "Can people see or change the values in 'hidden' form variables?", does answer part of the second problem, but I do not know or understand how a user can replace variables that are posted.
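The second problem in the post above comes down to the server taking the username from whatever the client sends. The following is an added illustration, not code from the original post: it shows the hidden-field check the post describes beside a hardened version that issues an HMAC-signed token at login and derives the username only from that token. The `$SECRET` value, the `$has_user` lookup and the `who_is_logged_in*` function names are constructed for the example.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret: load it from a file outside the web root, never from a
# form field. (Constructed placeholder value.)
my $SECRET = 'replace-with-a-long-random-secret';

# The pattern from the question: the username arrives in a hidden field and is
# trusted as-is. Any client can send arbitrary POST data, so this only confirms
# that some such user exists, not that this visitor ever logged in as them.
sub who_is_logged_in_insecure {
    my ($params, $db_has_user) = @_;
    my $user = $params->{username} // '';
    return $db_has_user->($user) ? $user : undef;
}

# Hardened version: at login, after the password is verified, issue a token
# "user|expiry|HMAC(secret, user|expiry)" (sent back as an HttpOnly cookie).
sub issue_token {
    my ($user, $expires_at) = @_;
    my $payload = "$user|$expires_at";
    return "$payload|" . hmac_sha256_hex($payload, $SECRET);
}

# Later pages take the username only from a token whose MAC verifies. Changing
# the user or expiry changes the MAC, which needs the secret to recompute.
sub who_is_logged_in {
    my ($token, $now) = @_;
    return undef unless defined $token;
    my ($user, $expires_at, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $expires_at =~ /^\d+$/;
    return undef if $now >= $expires_at;
    my $expected = hmac_sha256_hex("$user|$expires_at", $SECRET);
    # Constant-time comparison so response timing does not leak MAC bytes.
    return undef unless length($mac) == length($expected);
    my $diff = 0;
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $expected, $_, 1)
        for 0 .. length($mac) - 1;
    return $diff ? undef : $user;
}

# Constructed demo: the hidden-field check accepts whatever name it is given,
# while an edited token is rejected by the hardened check.
my $has_user = sub { $_[0] eq 'alice' || $_[0] eq 'admin' };
print "hidden field: ", (who_is_logged_in_insecure({ username => 'admin' }, $has_user) // 'denied'), "\n";
my $tok = issue_token('alice', time + 3600);
(my $forged = $tok) =~ s/^alice/admin/;
print "token: ", (who_is_logged_in($tok, time) // 'denied'), " / edited token: ", (who_is_logged_in($forged, time) // 'denied'), "\n";
```

The same principle answers the first question: Basic authentication from .htaccess only protects the credentials in transit when the page is served over HTTPS, so the token above should likewise be set over HTTPS.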

In reply to CGI Security by ant