
Re: [cobalt-users] CGI Script Question



> Cmopollux@xxxxxxx wrote:
>
> > I am making a sign-up page for customers and I was wondering if any of you
> > know how to make a script (.pl or .cgi) that can check to see if a username
> > is taken by any of the virtual sites?
>
> you can parse /etc/passwd, it contains all usernames in the first field.
> be careful, don't let the cgi put out too much info.

To me this is a security problem.  If I know the usernames on a unix box
then I'm halfway in.  All I need to do is guess the passwd or automate it
to try lists of passwords. To me there is nothing in a username besides 3
things to write down: the site, username, and passwd.  Each domain can have
its own alias for a user; even if bob's username is 12jj532 he can still get
mail addressed to bob@xxxxxxxxxxx

Having a cgi for the public that accesses the /etc/passwd or anything close is
a big security risk to me also.

Zeffie
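
An added example, not part of the original thread or any poster's code, of the caution raised above: a lookup that keeps only the first field of passwd-format data, answers with one of four fixed strings, and throttles repeated checks from one client. The name policy, limits, function names and sample data are assumptions, and it is written in Python rather than Perl.

```python
import re
import time

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500:Site Admin:/home/admin:/bin/bash
12jj532:x:501:501:Bob Example:/home/12jj532:/bin/false
"""

NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{2,15}")  # assumed naming policy
MAX_CHECKS = 5        # assumed limit per client per window
WINDOW_SECONDS = 60   # assumed window length

_recent = {}  # client id -> timestamps of that client's recent checks


def taken_names(passwd_text):
    """Keep only the first field of each line; UID, GECOS, home and shell are dropped."""
    names = set()
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0].lower())
    return names


def allowed(client, now=None):
    """Sliding-window limit so one client cannot walk a name list quickly."""
    now = time.time() if now is None else now
    hits = [t for t in _recent.get(client, []) if now - t < WINDOW_SECONDS]
    ok = len(hits) < MAX_CHECKS
    if ok:
        hits.append(now)
    _recent[client] = hits
    return ok


def check_username(candidate, client, passwd_text, now=None):
    """Return a fixed status string; no passwd field ever reaches the output."""
    if not allowed(client, now):
        return "try-later"
    if not NAME_RE.fullmatch(candidate):
        return "invalid"
    return "taken" if candidate in taken_names(passwd_text) else "available"
```

The throttle slows bulk checking but the taken/available answer still confirms that a name exists, which is the exposure described in the reply above.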