BrianPap22
Securing a Perl login script
I'm not an expert in Perl by any means, but here I went ahead and wrote a tiny login script. I would like to make the script as secure as possible, both from a malicious user entering in bogus data, and from my own dumb self :)
I have not gotten any responses in the Web Languages - CGI section, so I have no choice but to post a pointer question in the Perl forum (perhaps I should have posted it here in the first place?). Please take a look. Thank you.
https://www.experts-exchange.com/questions/20944860/Securing-a-Perl-login-script.html
You should never change one of Perl's internal variables (like $/) without localising it first
my $pwfile = do { local $/; <PWFILE> }
Dave...
ASKER
Ah well, the script runs rather well as it is right now. I made a dummy sample "database". One run takes less than 0.01 seconds. I looped it and ran it 1000 times and it ran in 0.39 seconds...so no worries about efficiency at this point. Security is numero uno here.
The main thing that I would change is to put the passwords file in a directory that is not web accessible. Personally I would put it in a subdirectory of the ~ where the scripts are in a different sub-directory. I would make sure that the sub is not accessible.
ASKER CERTIFIED SOLUTION
Change: my @pwfile = <PWFILE>; to undef($/); my $pwfile = <PWFILE>;
and then, instead of the for loop place this:
# Needs: use Crypt::PasswdMD5 qw(unix_md5_crypt);
if (
    $pwfile=~m/
        (?:^|(?<=\n))\Q$user\E:  # Line begins with the user name and a colon; \Q...\E keeps any regex metacharacters in the name literal.
        (\$1\$.{8}\$)            # Backreference 1: 12 character salt field, magic prefix included.
        (.{22})                  # Backreference 2: 22 character encrypted password.
        (?=$|\n)                 # Line ends.
    /ox                          # Variables are interpolated inside the comments above too, so keep dollar signs out of them.
    && $1.$2 eq unix_md5_crypt($pass,$1) # When we match the user, check the password.
)
{
    print "Authorized..."; # Do some quick/short stuff here.
    exit;                  # No more need to continue the search.
}
And, regarding this security, you have done it perfectly. I'm sorry, I don't see a way to improve that.
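As an added example that is not the code from this thread, here is the accepted answer's lookup carried through as a complete script, which also rejects malformed user names before they reach the pattern and compares the crypted strings byte by byte. It assumes unix_md5_crypt() comes from the Crypt::PasswdMD5 module and that user names are restricted to [A-Za-z0-9_]; the sample password file is constructed in memory.

```perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);   # the module that provides unix_md5_crypt()

# Look up $user in a "user:crypted" password file read from $fh and verify
# $pass against the stored MD5-crypt string. Returns 1 on success, else 0.
sub check_login {
    my ($fh, $user, $pass) = @_;
    # Assumed policy: short alphanumeric user names only. Rejecting anything
    # else keeps regex metacharacters, colons and newlines out of the pattern.
    return 0 unless defined $user && $user =~ /^[A-Za-z0-9_]{1,32}\z/;
    return 0 unless defined $pass && length $pass;

    # Slurp the file with $/ localised so the change cannot leak elsewhere.
    my $pwfile = do { local $/; <$fh> };
    return 0 unless defined $pwfile;

    # \Q...\E makes $user match literally even if the policy above is relaxed.
    # Keep dollar signs out of these comments: the pattern is interpolated first.
    return 0 unless $pwfile =~ m/
        (?:^|(?<=\n)) \Q$user\E :   # line begins with the user name and a colon
        (\$1\$.{8}\$)               # capture 1: 12-char salt field, magic prefix included
        (.{22})                     # capture 2: 22-char MD5-crypt digest
        (?=\n|\z)                   # line ends
    /x;
    my ($salt, $digest) = ($1, $2);

    # Re-crypt the supplied password with the stored salt. unix_md5_crypt() takes
    # the whole salt field and returns the complete magic+salt+digest string.
    my $expected = $salt . $digest;
    my $computed = unix_md5_crypt($pass, $salt);
    return 0 unless length($computed) == length($expected);
    # Compare every byte without short-circuiting, so a wrong password takes
    # the same time no matter where the first differing byte is.
    my $diff = 0;
    $diff |= ord(substr($computed, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample "database" held in memory; the digests are generated here.
my $sample = "alice:" . unix_md5_crypt('correct horse', 'saltsalt') . "\n"
           . "bob:"   . unix_md5_crypt('hunter2',       'abcdefgh') . "\n";
open my $fh, '<', \$sample or die "cannot open sample: $!";
for my $try (['alice', 'correct horse'], ['alice', 'wrong'], ['bob.*', 'x']) {
    seek $fh, 0, 0;                          # rewind before each lookup
    my $ok = check_login($fh, @$try);
    print "$try->[0]: ", ($ok ? "authorized" : "rejected"), "\n";
}
```

In a real CGI the filehandle would be opened on the password file kept outside the web root, as recommended above, and the user name and password would come from the form fields.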