From: Roland G. <r.g...@xs...> - 2001-07-02 16:03:06
Aziz Ihsanoglu wrote:
>
> thanks for warning me about the security issues. What I am trying to do is
> building an e-commerce site for my course project. It requires that the
> customers should sign the purchase order and mail it to the orders
> department so he cannot deny that he did the order. That's why I have to
> generate keys for every customer when they register on the site.

OK, it's only for a course, but this design has severe security flaws in it.
How exactly are you verifying your customer's identity when he registers at
your website? The best you can do is to verify his address by sending him a
password via postal mail and/or his phone number by calling him back. Just
letting anybody register and giving them a key for later perusal doesn't buy
anything security-wise.

Also, are you requiring that your customers install PGP? Not a good choice.
PGP needs too much technical expertise to handle and install. I would use
other ways: you can have the web browser create a key pair, sending the public
part to your server and storing the private part. Netscape uses a <KEYGEN>
HTML tag, don't know about Explorer.

Only my EUR 0.02

> I couldn't find any way of doing this without using Expect. I actually
> solved that part with the send_slow function and some loops. But my CGI
> script is not working great from Apache. When I run it with root access it
> doesn't have any problem. I tried to setuid the script but it gives an
> error on the 114th line of Expect.pm.

It would have been helpful if you had posted the error message...

> What do you think is the problem? Any help would be appreciated.
> Thank you.

I guess it's a tainting problem. Some part of the command given to spawn
comes from an unreliable source and is thus tainted. See 'perldoc perlsec'...

Hope this helps,

Roland

> > a-i...@no... wrote:
> > >
> > > I have a small problem with Expect.pm. I am using the Expect module to
> > > create PGP keys with my pgp program. The problem is that since Expect
> > > just enters the data with constant timing, pgp doesn't collect enough
> > > random data and that's why it cannot create the keys instantly and
> > > requires the user to enter some random data from the keyboard. I tried
> > > to print some long random text but pgp doesn't get any of it. I think
> > > it requires the random data to be input from the keyboard. Is there
> > > any way to do that? Any help would be appreciated. Thanks in advance.
> >
> > Well, this isn't supposed to work that way. PGP does everything to get
> > real random numbers by timing the user keystrokes, and this requires
> > low-level interaction with the keyboard driver, circumventing the regular
> > pty that Expect uses.
> >
> > So basically, this is a PGP issue: if you can get PGP to not query the
> > user for random bits, then it is doable.
> >
> > On the other hand: why would you want to automate such a
> > security-sensitive action? The keys are to be protected by a
> > pass-phrase, which should be kept secret by all means, so automating
> > this is counter-productive. Creating a public/secret key pair is
> > analogous to opening a bank account, something that you don't do on a
> > daily basis either.
> >
> > Hope this helps,
> >
> > Roland
> > --
> > RGi...@cp...
> >
> > _______________________________________________
> > Expectperl-discuss mailing list
> > Exp...@li...
> > http://lists.sourceforge.net/lists/listinfo/expectperl-discuss

--
RGi...@cp...
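The taint problem Roland suspects here is the standard perlsec situation: under -T (which perl turns on by itself for a setuid script) %ENV, @ARGV and every CGI parameter are tainted, and system()/exec() - and therefore Expect->spawn - refuse to run until $ENV{PATH} has been set from inside the script and every user-derived argument has been untainted through a regex capture. The script below is an added example and not code from this thread or from Expect.pm; the PATH directory list, the allowed user-id pattern, and the use of /bin/echo as a stand-in for the pgp binary are assumptions made so that it runs anywhere.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread or from Expect.pm): taint-mode hygiene
# for a CGI script that hands a customer name to an external program.
use strict;
use warnings;

# A fixed PATH under the script's control. Perl refuses system()/exec()
# while $ENV{PATH} is tainted, even when the program is named by absolute
# path, because the child inherits the environment. The directory list is
# an assumption; put the directory holding pgp in it for the real script.
sub sanitize_env {
    $ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
    # perlsec: these change how /bin/sh parses a command line, so drop them.
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return $ENV{PATH};
}

# Untaint by extracting a known-good pattern; only the capture ($1) is
# clean. The character class is the allowlist: no spaces, quotes, ';',
# '..' or NUL can get through. Returns undef for anything that does not
# match, so the caller must check before using the value.
sub untaint_user_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_.-]{1,32})\z/;
    return undef;
}

# Build the command as a list with an absolute program path. The list form
# of system()/spawn never goes through /bin/sh, so the customer's string
# cannot inject shell syntax. $program is an assumption: /bin/echo here so
# the example runs stand-alone; in the CGI it would be the pgp binary.
sub build_command {
    my ($program, $user_id) = @_;
    die "program must be given by absolute path\n" unless $program =~ m{\A/};
    return ($program, 'generating key for', $user_id);
}

sanitize_env();
# @ARGV is tainted under -T, just like CGI input in the web script.
my $id = untaint_user_id($ARGV[0]);
defined $id or die "refusing tainted or malformed user id\n";
my @cmd = build_command('/bin/echo', $id);
# In the CGI script the same untainted list would be passed to Expect->spawn(@cmd).
system(@cmd) == 0 or die "command failed: $?\n";
```

Run it as `perl -T keygen_env.pl alice`; an argument such as `'alice; rm -rf /'` is rejected by untaint_user_id before any process is started. Commenting out the call to sanitize_env() reproduces the failure from this thread, with perl dying on "Insecure $ENV{PATH} while running with -T switch" at the system() call, which is the same check that fires at line 114 of Expect.pm when the script runs setuid.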
From: <a-i...@no...> - 2001-07-03 16:35:28
Thanks for your advice. Well, I have read perlsec and stuff about tainted
variables. But I don't really have time to change my code since my course
project is due this Thursday. I am just trying to implement these key and
encryption functions besides the regular e-commerce site. Now I think I am
getting closer to finding a working - but probably not as secure as it
sounds - implementation.

First of all, when I run the CGI script as setuid (I have created the script
as root) I got this error message before generating the key:

  Insecure $ENV{PATH} while running setuid at
  /usr/lib/perl5/site_perl/5.6.0/Expect.pm line 114.

This is where Expect executes the spawn command. If I run the Perl script
with normal permissions (execute for owner, others and users) then I receive
two different responses depending on whether I am connected to the net or
not. If I am, right after the Expect module finishes generating the PGP key
something happens and I start seeing in my web browser thousands of "key
generation completed" strings without stopping, and I have to hit the stop
button. If I am not connected to the net and run the script from localhost,
everything is fine except that, since I am not connected to the net, it
doesn't send the encrypted purchase orders via email. The funny thing is,
when I run the script with the given information on the command line and
disable the CGI module, then it runs perfectly (even sends the email) both as
the Apache user and as root. I don't really know what to do. So what do you
think is the problem?

thanks
aziz

>
> Aziz Ihsanoglu wrote:
> >
> > thanks for warning me about the security issues. What I am trying to do
> > is building an e-commerce site for my course project. It requires that
> > the customers should sign the purchase order and mail it to the orders
> > department so he cannot deny that he did the order. That's why I have to
> > generate keys for every customer when they register on the site.
>
> OK, it's only for a course, but this design has severe security flaws
> in it. How exactly are you verifying your customer's identity when he
> registers at your website? The best you can do is to verify his address
> by sending him a password via postal mail and/or his phone number by
> calling him back. Just letting anybody register and giving them a
> key for later perusal doesn't buy anything security-wise.
>
> Also, are you requiring that your customers install PGP? Not a good choice.
> PGP needs too much technical expertise to handle and install.
> I would use other ways: you can have the web browser create a key pair,
> sending the public part to your server and storing the private part.
> Netscape uses a <KEYGEN> HTML tag, don't know about Explorer.
>
> Only my EUR 0.02
>
> > I couldn't find any way of doing this without using Expect. I actually
> > solved that part with the send_slow function and some loops. But my CGI
> > script is not working great from Apache. When I run it with root access
> > it doesn't have any problem. I tried to setuid the script but it gives
> > an error on the 114th line of Expect.pm.
>
> It would have been helpful if you had posted the error message...
>
> > What do you think is the problem? Any help would be appreciated.
> > Thank you.
>
> I guess it's a tainting problem. Some part of the command given to
> spawn comes from an unreliable source and is thus tainted. See
> 'perldoc perlsec'...
>
> Hope this helps,
>
> Roland
>
> > > a-i...@no... wrote:
> > > >
> > > > I have a small problem with Expect.pm. I am using the Expect module
> > > > to create PGP keys with my pgp program. The problem is that since
> > > > Expect just enters the data with constant timing, pgp doesn't
> > > > collect enough random data and that's why it cannot create the keys
> > > > instantly and requires the user to enter some random data from the
> > > > keyboard. I tried to print some long random text but pgp doesn't get
> > > > any of it. I think it requires the random data to be input from the
> > > > keyboard. Is there any way to do that? Any help would be
> > > > appreciated. Thanks in advance.
> > >
> > > Well, this isn't supposed to work that way. PGP does everything to get
> > > real random numbers by timing the user keystrokes, and this requires
> > > low-level interaction with the keyboard driver, circumventing the
> > > regular pty that Expect uses.
> > >
> > > So basically, this is a PGP issue: if you can get PGP to not query the
> > > user for random bits, then it is doable.
> > >
> > > On the other hand: why would you want to automate such a
> > > security-sensitive action? The keys are to be protected by a
> > > pass-phrase, which should be kept secret by all means, so automating
> > > this is counter-productive. Creating a public/secret key pair is
> > > analogous to opening a bank account, something that you don't do on a
> > > daily basis either.
> > >
> > > Hope this helps,
> > >
> > > Roland
> > > --
> > > RGi...@cp...
>
> --
> RGi...@cp...
From: Roland G. <r.g...@xs...> - 2001-07-04 07:55:17
a-i...@no... wrote:
>
> Thanks for your advice. Well, I have read perlsec and stuff about tainted
> variables. But I don't really have time to change my code since my course
> project is due this Thursday. I am just trying to implement these key and
> encryption functions besides the regular e-commerce site. Now I think I am
> getting closer to finding a working - but probably not as secure as it
> sounds - implementation. First of all, when I run the CGI script as setuid
> (I have created the script as root) I got this error message before
> generating the key:
>
>   Insecure $ENV{PATH} while running setuid at
>   /usr/lib/perl5/site_perl/5.6.0/Expect.pm line 114.
>
> This is where Expect executes the spawn command.

Right. And the error means that you haven't set or filtered the PATH. When
perl runs setuid root, it automatically enables taint checking. As the PATH
comes from outside (not under perl's control), it is set tainted, which means
that it needs special treatment so as to not open a security hole (by
changing the PATH, an intruder could run arbitrary programs as root).

The solution is simple: just set $ENV{PATH} to some fixed value appropriate
for your system inside your script, e.g.

  /bin:/usr/bin:/path/to/pgp

That way, the PATH becomes untainted and the exec succeeds.

Hope this helps,

Roland

PS: don't know if you are required to use PGP keys, but if not it would be
much easier just to give the customer a list of TANs upon sign-up, and the
customer has to send one TAN with every e-mail order. Creation of TANs is
very easy to do yourself (just create them randomly from a dictionary of
letters and numbers, leaving out similar characters like 'l' and '1', '0' and
'O', '8' and 'B'); it makes no difference whether you store the PGP keys or
the TAN lists, and the verification process isn't too different either. But
the customer has to get a new TAN list from time to time, when the old ones
are depleted.
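Roland's PS describes the TAN scheme in three steps: build an alphabet with the look-alike characters removed, draw TANs from it at random, and at order time check the submitted TAN against the customer's list. The script below is an added example of that scheme and is not code from this thread; the alphabet (digits and upper-case letters minus 0/O, 1/I/l, 8/B), the TAN length and list size, the use of /dev/urandom as the random source, and the choice to store only salted SHA-256 digests of the TANs (Digest::SHA, a core module) are all my assumptions. It goes one step past the PS in two places: it rejects random bytes that would bias the draw towards the first symbols of the alphabet, and it marks each TAN as spent on first use so that a captured order cannot be replayed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): generate, store and redeem one-time
# TANs as described in Roland's PS. Alphabet, lengths and storage format
# are assumptions for illustration.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module since Perl 5.10

# Digits and upper-case letters minus the confusable pairs named in the
# thread (0/O, 1/I/l, 8/B). Lower-case letters are never issued, so 'l'
# cannot appear; input is upper-cased before lookup. 30 symbols remain.
my @ALPHABET = grep { !/[01IOB8]/ } ('0' .. '9', 'A' .. 'Z');
my $N = scalar @ALPHABET;

# Unbiased index from /dev/urandom. A byte has 256 values and 256 is not a
# multiple of 30, so bytes >= 240 are thrown away instead of wrapped; every
# symbol is then equally likely. perl's rand() is not a secret-quality
# source and must not be used for TANs.
sub random_index {
    my ($fh) = @_;
    my $limit = 256 - (256 % $N);   # 240 for 30 symbols
    my ($buf, $byte);
    do {
        sysread($fh, $buf, 1) == 1 or die "short read from urandom: $!";
        $byte = ord $buf;
    } while ($byte >= $limit);
    return $byte % $N;
}

sub generate_tan {
    my ($len) = @_;
    open my $fh, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    binmode $fh;
    my $tan = '';
    $tan .= $ALPHABET[ random_index($fh) ] for 1 .. $len;
    close $fh;
    return $tan;
}

# The plaintext list is handed to the customer once (postal mail, as Roland
# suggests for the initial secret). The server keeps only a digest salted
# with the customer id, plus a "spent" flag, so a copied database does not
# directly yield usable TANs.
sub generate_tan_list {
    my ($count, $len) = @_;
    return [ map { generate_tan($len) } 1 .. $count ];
}

sub tan_digest {
    my ($customer_id, $tan) = @_;
    return sha256_hex("$customer_id:" . uc($tan));
}

sub store_tan_list {
    my ($customer_id, $tans) = @_;
    my %store;
    $store{ tan_digest($customer_id, $_) } = 0 for @$tans;   # 0 = unspent
    return \%store;
}

# Verify and consume in one step: 1 on first use, 0 if the TAN was never
# issued to this customer or has already been spent.
sub redeem_tan {
    my ($store, $customer_id, $tan) = @_;
    my $key = tan_digest($customer_id, $tan);
    return 0 unless exists $store->{$key};
    return 0 if $store->{$key};
    $store->{$key} = 1;
    return 1;
}

# Demonstration with constructed data: one customer, five 8-symbol TANs.
my $tans  = generate_tan_list(5, 8);
my $store = store_tan_list('cust42', $tans);
print "TAN list for cust42: @$tans\n";
print "first use of TAN 1:  ", redeem_tan($store, 'cust42', $tans->[0]),    "\n";
print "second use of TAN 1: ", redeem_tan($store, 'cust42', $tans->[0]),    "\n";
print "lower-case TAN 2:    ", redeem_tan($store, 'cust42', lc $tans->[1]), "\n";
print "never issued:        ", redeem_tan($store, 'cust42', 'ZZZZZZZZ'),    "\n";
```

The first redemption of a TAN returns 1 and every later attempt with the same value returns 0, as does a value that was never issued; a TAN typed in lower case is accepted because tan_digest upper-cases before hashing. Eight symbols from a 30-symbol alphabet give roughly 39 bits per TAN, which is enough against online guessing with a lockout but small enough that the digest table still has to be protected like the PGP keys it replaces; when the list runs out the customer needs a fresh one, exactly as Roland notes.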