I suspect that DD is maintaining its own internal database of usernames and
passwords, and validating against this before the auth request is passed on
to OpenSRS.  You can do the same if you wish to build the code.

I'm not sure I see how this is a security problem, though, as it only means
that someone with the username and password for a domain can make changes
(whether they pass through your site or mine, they've not gained any access
that they wouldn't already have with the username/password).  Point being,
just because DD is *MORE* restrictive than the default doesn't mean that the
default is deficient.

Regards,
Eric Longman
Atl-Connect Internet Services

+-------------------------------------------------------+
| Atl-Connect Internet Services   http://www.atlcon.net |
| 3600 Dallas Hwy Ste 230-288              770 590-0888 |
| Marietta, GA 30064-1685            [EMAIL PROTECTED] |
+-------------------------------------------------------+
----- Original Message -----
From: "A. I. Sinclair" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 20, 2000 4:10 PM
Subject: Is DD script possibly more secure than RSP scripts?


A difference in RSP scripts vs Domain Direct scripts was previously raised
and addressed.

I stumbled across another which may or may not be regarded as a security
issue, but I know I am not too comfortable with it.

In essence, a user with a domain registered with Tucows through an RSP can
use another RSP's site to log into the system and maintain their domain.

So although someone is not your customer, they can still log into your site.
Hmmmm.....

By contrast, a user cannot log into Domain Direct. However, I am not sure if
the reverse is possible, i.e. if a user who registered with Domain Direct
can log into an RSP's site.

Of course I did not try any hanky-panky and am not sure if it is even possible,
but then there are those (and I don't mean RSPs) who might get up to some
mischief.

ais


