Solved

Securing a Perl login script

Posted on 2004-04-06
6
196 Views
Last Modified: 2010-03-04
I'm not an expert in Perl by any means, but here I went ahead and wrote a tiny login script.  I would like to make the script as secure as possible, both from a malicious user entering in bogus data, and from my own dumb self :)

I have not gotten any responses in the Web Languages - CGI section, so I have no choice but to post a pointer question in the Perl forum (perhaps I should have posted it here in the first place?). Please take a look.  Thank you.

http://www.experts-exchange.com/Web/Web_Languages/CGI/Q_20944860.html
0
Comment
Question by:BrianPap22
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 4

Expert Comment

by:vi_srikanth
ID: 10771799
Actually u can avoid the for loop.

Change: my @pwfile = <PWFILE>;      to    undef($/); my $pwfile = <PWFILE>;

and then, instead of the for loop place this:

     if (
          $pwfile=~m/
               (?:^|(?<=\n))$user:               # Line begins with "$user:".
               (\$1\$.{8}\$)     # Backreference 1: 12 character salt value: "$1$xxxxxxxx$".
               (.{22})               # Backreference 2: 22 character encrypted password.
               (?=$|\n)              # Line ends.
          /ox
          && $1.$2 eq unix_md5_crypt($pass,$1)     # When we match $user, check the password.
     )
     {
          print "Authorized...";     # Do some quick/short stuff here.
          exit;                              # No more need to continue the search.
     }


And, regarding this security, you have done it perfectly.  I'm sorry, I dont see a way to improve that.
0
 
LVL 8

Expert Comment

by:davorg
ID: 10772272
You should never change one of Perl's internal variables (like $/) without localising it first

my $pwfile = do { local $/; <PWFILE> }

Dave...
0
 
LVL 4

Author Comment

by:BrianPap22
ID: 10772520
Ah well, the script runs rather well as it is right now.  I made a dummy sample "database".  One run takes less than 0.01 seconds.  I looped it and ran it 1000 times and it ran in 0.39 seconds...so no worries about efficiency at this point. Security is numero uno here.
0
 
LVL 8

Expert Comment

by:jhurst
ID: 10802261
The main thing that I would change is to put the passwords file in a directory that is not web accessible.  Personally I would put it in a subdirectory of the ~ where the scripts are in a different sub-directory.  I would make sure that the sub s not accessible.
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11058510
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been pestered over the years to produce and distribute regular data extracts, and often the request have explicitly requested the data be emailed as an Excel attachement; specifically Excel, as it appears: CSV files confuse (no Red or Green h…
Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Six Sigma Control Plans

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question