From: kevin b. <kev...@bi...> - 2002-03-04 17:41:14
hi there,

first thing - i am not an HTML/PERL expert - but... is there no way that perl can effectively wipe any password when the page loads, and then it is only the button/submit event which requests the login? again, not my area of expertise etc., but surely we should find a way to sort out this potential security risk.

kev bailey

>> /me knocks my embarrassed head...
>>
>> ok, anyway, while we are at it: whoever comes to my computer
>> can log in under my name, as the url (with the encrypted passwd)
>> stays in the browser cache...
>> (thanks to url completion features in IE, mozilla et al)
>>
>> I just type "aba" in my browser and it shows me many
>> urls to access sql-ledger bypassing the login dialog,
>> for example, this:
>> http://abacus.sql-ledger.org/sql-ledger/menu.pl?path=bin/mozilla&action=acc_menu&login=sergio&password=
>>
>> note the passwd IS there (it's just blank), so skipping the login dialog
>> is just too easy, it even happened to me accidentally...
>>
>> and that can be a big security problem in business...
>>
>> /sergio
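The problem sergio describes, and the usual fix for it, as an added example that is not code from the original post or from SQL-Ledger: a helper that flags credential parameters in a URL (which is exactly what URL completion and browser history replay), and a login handler that only accepts credentials from a POST body and answers with an opaque server-side session token, so follow-up URLs never carry login or password. The user table, salt, session store and `menu_url` helper are constructed in-memory for the example and are not SQL-Ledger's own API.

```python
"""Added example (not SQL-Ledger code): credentials in a URL are
bookmarkable and replayable; keep them in a POST body and hand out
an opaque session token instead.

Assumptions (hypothetical): USERS, SESSIONS, _SALT and menu_url()
are constructed here for illustration."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The URL quoted in the post (password parameter present but blank).
BYPASS_URL = ("http://abacus.sql-ledger.org/sql-ledger/menu.pl"
              "?path=bin/mozilla&action=acc_menu&login=sergio&password=")

CREDENTIAL_PARAMS = ("login", "password")


def credentials_in_url(url):
    """Return the credential parameter names found in the query string.
    Anything listed here ends up in browser history, proxy logs and
    Referer headers, so the URL alone is enough to skip the login dialog."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [p for p in CREDENTIAL_PARAMS if p in query]


def _hash_pw(salt, password):
    """Salted SHA-256 for the constructed user store (illustrative only)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


_SALT = b"constructed-salt"  # constructed sample data
USERS = {"sergio": (_SALT, _hash_pw(_SALT, "correct horse"))}
SESSIONS = {}  # opaque token -> login; never leaves the server


def handle_login(method, form):
    """Accept login/password only from a POST body, never from the URL,
    and answer with a random session token rather than echoing the
    credentials into later links."""
    if method != "POST":
        return ("rejected", "credentials must be POSTed, not placed in the URL")
    login = form.get("login", "")
    password = form.get("password", "")
    record = USERS.get(login)
    if record is None:
        _hash_pw(_SALT, password)  # same work for unknown users
        return ("rejected", "bad login or password")
    salt, stored = record
    if not hmac.compare_digest(_hash_pw(salt, password), stored):
        return ("rejected", "bad login or password")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = login
    return ("ok", token)


def authorize(token):
    """Map a session token (sent back in a cookie) to a login, or None."""
    return SESSIONS.get(token)


def menu_url(action):
    """Follow-up URLs carry only the action; identity comes from the session."""
    return "/sql-ledger/menu.pl?path=bin/mozilla&action=" + action


if __name__ == "__main__":
    print("leaked in URL:", credentials_in_url(BYPASS_URL))
    status, tok = handle_login("POST", {"login": "sergio",
                                        "password": "correct horse"})
    print(status, authorize(tok), menu_url("acc_menu"))
```

With this shape, typing "aba" in the address bar can only ever complete to `menu.pl?...&action=acc_menu`, which is useless without the session cookie; the GET branch also stops the login form from being re-submitted by a remembered URL.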