Question for perl hackers and general web crackers
Scriptage
11-02-2003, 04:26 PM
Hi,
I've made a password protection program to secure files in a directory in the CGI bin. The effect is like a standard username / password website protection system.
I was wondering if any crackers and perl hackers out there would try to test my program for exploits.
I think it's pretty secure but then again I don't know half the stuff some people do.
If you can help please message back and I'll post the link.
If not thanks anyway
AdamBrill
11-02-2003, 06:17 PM
Hmm... It's hard to check anything when all I know is your username on a webdevelopers forums. ;) Maybe you could supply some more info?
Scriptage
11-02-2003, 06:21 PM
I would post the link if anyone was interested...
http://www.btscl.com/cgi-bin/securesite.pl
thanks in advance
ps:
username: user
password: pass
for reference
Scriptage
11-02-2003, 06:24 PM
If you give me 5 mins I'll upload some pages so you don't get blank hits from the menu
Jeff Mott
11-02-2003, 08:33 PM
If you want an honest critique then you should provide the full source code as well.
Bruce Schneier
If I take a letter, lock it in a safe, hide the safe somewhere in New York, and then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism--and you still can't open the safe and read the letter, that's security.
Originally posted by Jeff Mott
If you want an honest critique then you should provide the full source code as well.
I agree 100%. Just because we don't find (or perhaps, don't take the time to find) all the possible exploits does not mean that they are not there, and does not mean that someone else won't find them if they are indeed trying to hack your script. When the source is made available for critique, that is when you will get a realistic look at the security of your program.
AdamBrill
11-02-2003, 10:14 PM
I agree.
BTW, do you have everything backed up? The problem with trying to break something is sometimes you break it before you're really trying to... ;) I'd just hate to see you lose anything (and it's always a good idea to keep a backup anyway).
Another thing, the system is completely reliant on cookies, which could pose a problem (at first I couldn't log in, then I turned cookies on and it worked fine). Just something to think about... :)
Scriptage
11-03-2003, 05:13 AM
I'll post the code later on today, and would greatly appreciate anybody willing to take the time and effort to help me.
As for the cookies:
The system used to work by passing the username and password to the program every time; it will take seconds to change it back. Maybe I'll just have the cookies for an automatic login.
I really do appreciate all your help.
Regards
Originally posted by Scriptage
The system used to work by passing the username and password to the program everytime...
I'm assuming that Perl has sessions? If so, you will probably want to use those instead of passing the username and password, as that in itself could have security implications.
Scriptage
11-04-2003, 04:09 PM
Perl doesn't have sessions; you can only use cookies.
Scriptage
11-04-2003, 05:04 PM
If I do decide to re-code the program to pass the password to the browser I will encrypt it, i.e.:
my $enc_password = crypt($password, '8h');
print "<a href='securesite.pl?view=somepage.html&username=fred&password=$enc_password&enc=true'></a>";
Then if enc is true, instead of encrypting the password and checking against the database, check the already encrypted password against the database.
This will stop the password from being viewable in the address bar, and because the crypt algorithm is one way encryption it should still be secure.
However, cookies are preferable (but sessions would be nice lol).
I suppose server push could do it but then again it isn't supported by IE.
Regards
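
The enc=true check described in the last post, modelled as an added example (not Scriptage's script, whose source is not on this page): when the server compares the submitted value directly against the stored crypt() output, that stored value works as the login credential by itself, so anything that records the link also records a working login. The second half shows a random server-side session token as the alternative; the %db contents, the sub names and the /dev/urandom source are assumptions.

```perl
#!/usr/bin/perl
# Added example: models the enc=true check from the post, then a session token.
use strict;
use warnings;

# Constructed sample "database": username => crypt() hash with the post's fixed salt.
my %db = (fred => crypt('s3cret', '8h'));

# The check as described: if enc is true, compare the supplied value directly
# against the stored hash; otherwise hash it first.
sub check_login {
    my ($user, $password, $enc) = @_;
    my $stored = $db{$user};
    return 0 unless defined $stored;
    my $candidate = $enc ? $password : crypt($password, '8h');
    return $candidate eq $stored ? 1 : 0;
}

# Alternative: keep state on the server, hand the browser a random token only.
my %sessions;    # token => { user, expires }; a real script would persist this

sub new_session {
    my ($user, $ttl) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read";
    close $fh;
    my $token = unpack 'H*', $bytes;    # 128 random bits, hex encoded
    $sessions{$token} = { user => $user, expires => time + $ttl };
    return $token;
}

sub session_user {
    my ($token) = @_;
    my $s = $sessions{$token // ''} or return;
    if ($s->{expires} < time) { delete $sessions{$token}; return }
    return $s->{user};
}

# 1. Normal login with the real password.
print "password login:  ", check_login('fred', 's3cret', 0), "\n";
# 2. The value that would sit in the link (and in logs, history, Referer)
#    is accepted without the password ever being known.
print "hash-only login: ", check_login('fred', $db{fred}, 1), "\n";
# 3. A session token names the user but stops working on logout or expiry.
my $t = new_session('fred', 900);
print "session user:    ", session_user($t), "\n";
delete $sessions{$t};    # logout
print "after logout:    ", defined session_user($t) ? 'still valid' : 'rejected', "\n";
```

The token goes in a cookie rather than the query string, and the password itself is only sent once, at login.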