We help IT Professionals succeed at work.

Securing a Perl login script

BrianPap22
BrianPap22 asked
on
Medium Priority
229 Views
Last Modified: 2010-03-04
I'm not an expert in Perl by any means, but here I went ahead and wrote a tiny login script.  I would like to make the script as secure as possible, both from a malicious user entering in bogus data, and from my own dumb self :)

I have not gotten any responses in the Web Languages - CGI section, so I have no choice but to post a pointer question in the Perl forum (perhaps I should have posted it here in the first place?). Please take a look.  Thank you.

https://www.experts-exchange.com/Web/Web_Languages/CGI/Q_20944860.html
Comment
Watch Question

Actually u can avoid the for loop.

Change: my @pwfile = <PWFILE>;      to    undef($/); my $pwfile = <PWFILE>;

and then, instead of the for loop place this:

     if (
          $pwfile=~m/
               (?:^|(?<=\n))$user:               # Line begins with "$user:".
               (\$1\$.{8}\$)     # Backreference 1: 12 character salt value: "$1$xxxxxxxx$".
               (.{22})               # Backreference 2: 22 character encrypted password.
               (?=$|\n)              # Line ends.
          /ox
          && $1.$2 eq unix_md5_crypt($pass,$1)     # When we match $user, check the password.
     )
     {
          print "Authorized...";     # Do some quick/short stuff here.
          exit;                              # No more need to continue the search.
     }


And, regarding this security, you have done it perfectly.  I'm sorry, I dont see a way to improve that.
Dave CrossPerl programmer, author and trainer
CERTIFIED EXPERT

Commented:
You should never change one of Perl's internal variables (like $/) without localising it first

my $pwfile = do { local $/; <PWFILE> }

Dave...

Author

Commented:
Ah well, the script runs rather well as it is right now.  I made a dummy sample "database".  One run takes less than 0.01 seconds.  I looped it and ran it 1000 times and it ran in 0.39 seconds...so no worries about efficiency at this point. Security is numero uno here.

Commented:
The main thing that I would change is to put the passwords file in a directory that is not web accessible.  Personally I would put it in a subdirectory of the ~ where the scripts are in a different sub-directory.  I would make sure that the sub s not accessible.
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.