[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-users] CGI Script Question
- Subject: RE: [cobalt-users] CGI Script Question
- From: "Jimmy Gross" <jimmy@xxxxxxxxxxxxxxx>
- Date: Sun Aug 13 19:53:29 2000
If that were true the the username admin is a security risk.
jimmy
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Zeffie
Sent: Sunday, August 13, 2000 7:42 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] CGI Script Question
> Cmopollux@xxxxxxx schrieb:
>
> > I am making s sign up page for customers and I was wordering if any of
you
> > know how to make a script (.pl or .cgi) that can check to see if a
username
> > is taken by any of the virtual sites?
>
> you can parse /etc/passwd, it contains all usernames in the first field.
> be careful, don`t let the cgi put out too much info.
To me this is a security problem. If I know the usernames on a unix box
then I'm half way in. All I need to do is guess the passwd or automate it
to try lists of passwords. To me there is nothing in a username besides 3
things to write down. The site, username, and passwd. Each domain can have
it's own alias for a user even if bob's username is 12jj532 he can still get
mail addressed to bob@xxxxxxxxxxx
Having a cgi for the public that access the /etc/passwd or anything close is
a big security risk to me also.
Zeffie
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users