Re: [Web-ftp] Questions
From: Anthony R. J. B. <an...@su...> - 2002-07-17 13:53:31
> Web-FTP looks like a great program.
> I was looking through the source for the Version 2.0.1 puzzling out how it works and had a few questions:
>
> 1) It appears that $$ (process number) is used as the name for the socket used by the CGI script to communicate with the mini web server, and that it is also used as the session ID so that when a request comes in from a browser, the CGI script knows which mini web server to send it to.
> Since the process number is a fairly small number that is assigned in a predictable manner, wouldn't it be easy for an attacker to guess session IDs for other Web-FTP sessions and get access to their sessions?
>
> Would it make sense to use an MD5 hash of some random info and use that as the session ID and socket name? Assuming the random info is actually unpredictable, this would make it almost impossible to guess a session ID.

Actually, it is the process ID, forced to six digits, followed by random data... see genCookie in MiniServer.pm.
Though I haven't changed the random data logic, I don't think, since I took it over...

> 2) In the UserLogin sub it says:
>
> if(/(?:host=(\S*)&)?username=(\S*)&password=(\S*)/) {
>
> It would appear that this would fail for passwords that contain one or more blanks or other white space characters.

This is true... change the \S* to .*? if you want... that should solve it.

--
I'm not mooning, I'm obsessing. There's a difference. -Dick, 3rd Rock
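As an added example (not Web-FTP's code), the UserLogin pattern quoted above, the reply's `.*?` variant and an anchored variant are run over a constructed login body in Python, whose `re` module treats `\S*`, `.*?` and `$` the same way as the Perl pattern; the form-body parser beside them is a hypothetical alternative, not something the project does.

```python
import re
from urllib.parse import parse_qs

# Pattern quoted from Web-FTP 2.0.1's UserLogin in the thread above.
ORIGINAL = re.compile(r'(?:host=(\S*)&)?username=(\S*)&password=(\S*)')
# The reply's suggestion, \S* -> .*?, applied literally (lazy and unanchored).
SUGGESTED = re.compile(r'(?:host=(.*?)&)?username=(.*?)&password=(.*?)')
# Same idea with the last group anchored, so it must consume the rest of the body.
ANCHORED = re.compile(r'(?:host=(.*?)&)?username=(.*?)&password=(.*)$')

# Constructed login bodies, already URL-decoded as the regex would see them.
BODY_WITH_SPACE = 'host=ftp.example.net&username=alice&password=open sesame'
BODY_NO_HOST = 'username=bob&password=hunter2'
# The same credentials as a browser would actually encode them.
BODY_ENCODED = 'host=ftp.example.net&username=alice&password=open+sesame'


def parse_login_regex(body, pattern):
    """Mimic Perl's if(/.../) test: (host, username, password) or None."""
    m = pattern.search(body)
    return m.groups() if m else None


def parse_login_form(body):
    """Hypothetical replacement: treat the body as form data instead of
    pattern-matching it, so the password is taken whole (spaces, '+' and
    %XX escapes included) rather than silently cut short."""
    fields = parse_qs(body, keep_blank_values=True)
    if 'username' not in fields or 'password' not in fields:
        return None
    host = fields.get('host', [None])[0]
    return (host, fields['username'][0], fields['password'][0])


if __name__ == '__main__':
    for name, pat in (('original', ORIGINAL), ('suggested', SUGGESTED),
                      ('anchored', ANCHORED)):
        print(name, parse_login_regex(BODY_WITH_SPACE, pat))
    print('form parser', parse_login_form(BODY_ENCODED))
```

On the body with a space, the original pattern yields the password `open` (truncated, so a wrong password is sent to the FTP server with no parse error), the unanchored `.*?` version yields an empty password because a lazy group at the end of the pattern matches nothing, and only the anchored form returns `open sesame`.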