database authentication script
Glen Davies
glen at rimu.cce.ac.nz
Mon Apr 26 17:29:07 EDT 1999
> Glen,
>
> You may realize this, but you have two glaring security holes in this
> temporary solution.
>
> (1) You are sending usernames and passwords unencrypted across
> the network.
The user ids in our case our just library barcodes and pin numbers.
The only thing a hacker could do with them is place a hold for
someone or renew their books, or login to ERIC maybe. (And none
of our database vendors use encryption for their logins anyway, so
they are obviously not too concerned about their logins falling into
the wrong hands) Obviously you would not want to use this script if
your database login ids were the same as your LAN logins.
> (2) You embed the generic username and password for the database
>in the HTML returned after successful user authentication.
>Anyone who does a "view source" can clearly read the hidden
>form fields.
Similar to above. If they get this form returned they have passed
the userid check, so it doesn't matter if they see the actual userid
and password that is being used to log in to the vendor database. I
can change this userid and password as often as I like, and if their
library membership expires they won't be able to get back to this
form to see the new one. (unless they are clever, and who am I to
stifle ingenuity!)
> How are the All Blacks looking for the World Cup this year?
We'll clean 'em up this time!! And the America's Cup! ;-)
********************************************
Glen Davies
IT Librarian
Christchurch College of Education
Dovedale Ave
Christchurch
Ph. 64-3-343 7737
glen at rimu.cce.ac.nz
http://lib.cce.ac.nz
************************************************
A man's life consisteth not in the abundance
of the things which he possesseth (Luke 12:15)
************************************************
More information about the Web4lib
mailing list