Solved

Securing a Perl login script

Posted on 2004-04-06
6
187 Views
Last Modified: 2010-03-04
I'm not an expert in Perl by any means, but here I went ahead and wrote a tiny login script.  I would like to make the script as secure as possible, both from a malicious user entering in bogus data, and from my own dumb self :)

I have not gotten any responses in the Web Languages - CGI section, so I have no choice but to post a pointer question in the Perl forum (perhaps I should have posted it here in the first place?). Please take a look.  Thank you.

http://www.experts-exchange.com/Web/Web_Languages/CGI/Q_20944860.html
0
Comment
Question by:BrianPap22
6 Comments
 
LVL 4

Expert Comment

by:vi_srikanth
ID: 10771799
Actually u can avoid the for loop.

Change: my @pwfile = <PWFILE>;      to    undef($/); my $pwfile = <PWFILE>;

and then, instead of the for loop place this:

     if (
          $pwfile=~m/
               (?:^|(?<=\n))$user:               # Line begins with "$user:".
               (\$1\$.{8}\$)     # Backreference 1: 12 character salt value: "$1$xxxxxxxx$".
               (.{22})               # Backreference 2: 22 character encrypted password.
               (?=$|\n)              # Line ends.
          /ox
          && $1.$2 eq unix_md5_crypt($pass,$1)     # When we match $user, check the password.
     )
     {
          print "Authorized...";     # Do some quick/short stuff here.
          exit;                              # No more need to continue the search.
     }


And, regarding this security, you have done it perfectly.  I'm sorry, I dont see a way to improve that.
0
 
LVL 8

Expert Comment

by:davorg
ID: 10772272
You should never change one of Perl's internal variables (like $/) without localising it first

my $pwfile = do { local $/; <PWFILE> }

Dave...
0
 
LVL 4

Author Comment

by:BrianPap22
ID: 10772520
Ah well, the script runs rather well as it is right now.  I made a dummy sample "database".  One run takes less than 0.01 seconds.  I looped it and ran it 1000 times and it ran in 0.39 seconds...so no worries about efficiency at this point. Security is numero uno here.
0
 
LVL 8

Expert Comment

by:jhurst
ID: 10802261
The main thing that I would change is to put the passwords file in a directory that is not web accessible.  Personally I would put it in a subdirectory of the ~ where the scripts are in a different sub-directory.  I would make sure that the sub s not accessible.
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 11058510
PAQed, with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've just discovered very important differences between Windows an Unix formats in Perl,at least 5.xx.. MOST IMPORTANT: Use Unix file format while saving Your script. otherwise it will have ^M s or smth likely weird in the EOL, Then DO NOT use m…
Many time we need to work with multiple files all together. If its windows system then we can use some GUI based editor to accomplish our task. But what if you are on putty or have only CLI(Command Line Interface) as an option to  edit your files. I…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question