Solved

Securing a Perl login script

Posted on 2004-04-06
6
179 Views
Last Modified: 2010-03-04
I'm not an expert in Perl by any means, but here I went ahead and wrote a tiny login script.  I would like to make the script as secure as possible, both from a malicious user entering in bogus data, and from my own dumb self :)

I have not gotten any responses in the Web Languages - CGI section, so I have no choice but to post a pointer question in the Perl forum (perhaps I should have posted it here in the first place?). Please take a look.  Thank you.

http://www.experts-exchange.com/Web/Web_Languages/CGI/Q_20944860.html
0
Comment
Question by:BrianPap22
6 Comments
 
LVL 4

Expert Comment

by:vi_srikanth
ID: 10771799
Actually u can avoid the for loop.

Change: my @pwfile = <PWFILE>;      to    undef($/); my $pwfile = <PWFILE>;

and then, instead of the for loop place this:

     if (
          $pwfile=~m/
               (?:^|(?<=\n))$user:               # Line begins with "$user:".
               (\$1\$.{8}\$)     # Backreference 1: 12 character salt value: "$1$xxxxxxxx$".
               (.{22})               # Backreference 2: 22 character encrypted password.
               (?=$|\n)              # Line ends.
          /ox
          && $1.$2 eq unix_md5_crypt($pass,$1)     # When we match $user, check the password.
     )
     {
          print "Authorized...";     # Do some quick/short stuff here.
          exit;                              # No more need to continue the search.
     }


And, regarding this security, you have done it perfectly.  I'm sorry, I dont see a way to improve that.
0
 
LVL 8

Expert Comment

by:davorg
ID: 10772272
You should never change one of Perl's internal variables (like $/) without localising it first

my $pwfile = do { local $/; <PWFILE> }

Dave...
0
 
LVL 4

Author Comment

by:BrianPap22
ID: 10772520
Ah well, the script runs rather well as it is right now.  I made a dummy sample "database".  One run takes less than 0.01 seconds.  I looped it and ran it 1000 times and it ran in 0.39 seconds...so no worries about efficiency at this point. Security is numero uno here.
0
 
LVL 8

Expert Comment

by:jhurst
ID: 10802261
The main thing that I would change is to put the passwords file in a directory that is not web accessible.  Personally I would put it in a subdirectory of the ~ where the scripts are in a different sub-directory.  I would make sure that the sub s not accessible.
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11058510
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
perl to mysql 5 128
How to strip .csv from file name 9 75
perl to convert excel to csv 3 148
How to generate square thumbnail using perl 13 68
I've just discovered very important differences between Windows an Unix formats in Perl,at least 5.xx.. MOST IMPORTANT: Use Unix file format while saving Your script. otherwise it will have ^M s or smth likely weird in the EOL, Then DO NOT use m…
Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now