From: <a-i...@no...> - 2001-07-03 16:35:28
Thanks for your advice. Well, I have read perlsec and stuff about tainted variables. But I don't really have time to change my code since my course project is due this Thursday. I am just trying to implement these key and encryption functions besides the regular e-commerce site. Now I think I am getting closer to finding a working - but probably not as secure as it sounds - implementation.

First of all, when I run the cgi script as setuid (I have created the script as root) I get this error message before generating the key:

    Insecure $ENV{PATH} while running setuid at /usr/lib/perl5/site_perl/5.6.0/Expect.pm line 114.

This is where expect executes the spawn command.

If I run the perl script with normal permissions (execute for owner, others and users) then I receive two different responses depending on whether I am connected to the net or not. If I am, right after the expect module finishes generating the pgp key something happens and I start seeing on my web browser thousands of "key generation completed" strings without stopping and I have to hit the stop button. If I am not connected to the net and run the script from localhost, everything is fine except that since I am not connected to the net it doesn't send the encrypted purchase orders via email.

Funny thing is, when I run the script with the given information on the command line and with the cgi module disabled, then it runs perfectly (even sends the email) both as the apache user and as root.

I don't really know what to do. So what do you think is the problem?

thanks
aziz

>
> Aziz Ihsanoglu wrote:
> >
> > Thanks for warning me about the security issues. What I am trying to do is
> > building an e-commerce site for my course project. It requires that the customers
> > should sign the purchase order and mail it to the orders department so he
> > cannot deny that he did the order. That's why I have to generate keys for
> > every customer when they register to the site.
>
> OK, it's only for a course, but this design has severe security flaws
> in it. How exactly are you verifying your customer's identity when he
> registers at your website? The best you can do is to verify his address
> by sending him a password via postal mail and/or his phone number by
> calling him back. Just letting anybody register and giving them a
> key for later perusal doesn't buy anything security-wise.
>
> Also, are you requiring that your customers install PGP? Not a good choice.
> PGP needs too much technical expertise to handle and install.
> I would use other ways: you can have the web browser create a key pair,
> sending the public part to your server and storing the private part.
> Netscape uses a <KEYGEN> HTML tag, don't know about Explorer.
>
> Only my EUR 0.02
>
> > I couldn't find any ways
> > doing this without using expect. I actually solved that part with the send_slow
> > function and some loops. But my cgi script is not working great from
> > apache. When I run it with root access it doesn't have any problem. I tried
> > to setuid the script but it gives an error on the 114th line of the
> > expect.pm.
>
> It would have been helpful if you had posted the error message...
>
> > What do you think is the problem? Any help would be appreciated.
> > Thank you.
>
> I guess it's a tainting problem. Some part of the command given to
> spawn comes from an unreliable source and is thus tainted. See
> 'perldoc perlsec'...
>
> Hope this helps,
>
> Roland
>
> > > a-i...@no... wrote:
> > > >
> > > > I have a small problem with expect.pm. I am using the expect module to create pgp
> > > > keys with my pgp program. The problem is since expect just enters the data with
> > > > constant time, pgp doesn't collect enough random data and that's why it
> > > > cannot create the keys instantly and requires the user to enter some random data
> > > > from the keyboard. I tried to print some long random text but pgp doesn't get
> > > > any of it. I think it requires the random data to be inputted from the
> > > > keyboard. Is there any way to do that? Any help would be appreciated. Thanks in
> > > > advance.
> > >
> > > Well, this isn't supposed to work that way. PGP does everything to get
> > > real random numbers by timing the user keystrokes, and this requires
> > > low-level interaction with the keyboard driver, circumventing the regular
> > > pty that Expect uses.
> > >
> > > So basically, this is a PGP issue: if you can get PGP to not query the user
> > > for random bits, then it is doable.
> > >
> > > On the other hand: why would you want to automate such a security-sensitive
> > > action? The keys are to be protected by a pass-phrase, which should be
> > > kept secret by all means, so automating this is counter-productive.
> > > Creating a public/secret key pair is analogous to opening a bank account,
> > > something that you don't do on a daily basis either.
> > >
> > > Hope this helps,
> > >
> > > Roland
> > > --
> > > RGi...@cp...
> > >
> > > _______________________________________________
> > > Expectperl-discuss mailing list
> > > Exp...@li...
> > > http://lists.sourceforge.net/lists/listinfo/expectperl-discuss
> > >
>
> --
> RGi...@cp...
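
The "Insecure $ENV{PATH} while running setuid" error quoted in this message is raised by Perl's taint mode, which is switched on automatically for setuid scripts. The following is an added example, not code from the thread or from Expect.pm, showing the perlsec pattern of pinning the environment and untainting input before any child process is started. The allow-list pattern, the `untaint_name` helper and the use of `/bin/echo` as a stand-in for the key-generation command are assumptions.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run as: perl -T keygen_env.pl 'Customer Name'
# Setuid scripts get taint mode automatically; -T requests it explicitly.
die "run this with perl -T\n" unless ${^TAINT};

# Taint mode refuses to exec anything while PATH (or these shell variables)
# still holds whatever the caller or the web server passed in. Pin them
# before any code, including a module such as Expect, starts a child.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by allow-list: only text captured by an anchored pattern is clean.
# The character set and length limit are assumptions for this example.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9 ._-]{1,64})\z/ ? $1 : undef;
}

# Constructed input: a CGI script would read this from a form parameter;
# command-line arguments are tainted in the same way.
my $raw = shift @ARGV;
die "usage: perl -T $0 NAME\n" unless defined $raw;
printf "input tainted:   %s\n", tainted($raw) ? 'yes' : 'no';

my $name = untaint_name($raw);
die "rejected: name contains characters outside the allow-list\n"
    unless defined $name;
printf "cleaned tainted: %s\n", tainted($name) ? 'yes' : 'no';

# List-form system() with an absolute path: no shell parses the arguments.
# /bin/echo is a stand-in for the real key-generation command.
system('/bin/echo', 'would generate a key for:', $name) == 0
    or die "child failed: $?\n";
```

Removing the `$ENV{PATH}` assignment reproduces the "Insecure $ENV{PATH}" failure at the `system` call, and passing the raw argument instead of `$name` produces an "Insecure dependency" error.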