[Web-ftp] Questions
Status: Beta
Brought to you by:
aball
Menu
▾
▴
[Web-ftp] Questions
|
From: James H. T. <jh...@la...> - 2002-07-17 10:29:52
|
Hi,
Web-FTP looks like a great program.
I was looking through the source for the Version 2.0.1 puzzling out how =
it works and had a few questions:
1) It appears that $$ (process number) is used as the name for the =
socket used by the CGI script to communicate with the mini web server, =
and that it is also used as the session ID so that when a request comes =
in from a browser, the CGI scripts knows which mini web server to send =
it to. Since the process number is a fairly small number that is =
assigned in a predictable manner, wouldn't it be easy for an attacker =
to guess session IDs for other Web-FTP sessions and get access to their =
sessions?
Would it make sense to use an MD5 hash of some random info and use that =
as the session ID and socket name? Assuming the random info is actually =
unpredictable, this would make it almost impossible to guess a session =
id.
2) In the UserLogin sub it says:
if(/(?:host=3D(\S*)&)?username=3D(\S*)&password=3D(\S*)/) {
It would appear that this would fail for passwords that contain one or =
more blanks or other white space characters.
Thanks.
Jim
James H. Thompson
jh...@la...
|
