On Sun, 17 Mar 2002, Shlomi Fish wrote:

> On Sat, 16 Mar 2002, mulix wrote:
>
> > On Sat, Mar 16, 2002 at 06:10:18PM +0200, Shlomi Fish wrote:
> > > On Sat, 16 Mar 2002, mulix wrote:
> >
> > > > show me how a script that fulfills the function required can be made
> > > > secure, please...
> > >
> > > Simple, by making sure that:
> > >
> > > 1. The filename does not contain slashes at all.
> > > 2. The filename does not start with a dot.
> > > 3. The file is up to a certain size.
> > > 4. The total size of the directory is up to a certain size.
> > > 5. The file is always created with the same permissions which are not
> > > executable.
> > >
> > > It requires some sanity checks, but it is doable.
> >
> > gah, you completely missed the point.
> >
> > do you allow *any* user to upload a file? if not, you need to
> > authenticate them. please show me how to do that securely and with
> > resilience to a man in the middle attack or a replay attack, without
> > going to too much effort in a cgi script. if you do allow any user, i
> > claim that your cgi is insecure by default.
>
> I'm not going to allow any user. What I am going to do is use SSL or
> something like that. I don't know if SSL allows a man in the middle
> attack, because I'm not an expert in Crypto{graphy,logy}. But I think a
> man in the middle cannot duplicate the iglu.org.il's SSL certificate.
>

As you said, SSL authenticates the server
(Yeh, right. When was the last time you bothered checking certificates?)
What about the clients?

Anyway, authentication is just the first part: how do you let your scripts
manipulate those files? They must either be writable to the user/group of
the web server (and thus modifiable by any script-going-wild) or be SUID
or SGID. You have to be very careful with handling *any* user input. This
means that the interface will not be flexible enough.

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
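One way to implement the five checks from the quoted list, as an added example in Python (not code from anyone in the thread). The size limits, the 0o644 mode and the 64 KiB chunk size are assumed values; the example only covers the file-handling checks and does nothing about the client authentication or the upload-directory ownership questions raised above.

```python
import os

MAX_FILE_BYTES = 1 << 20     # check 3: per-file cap (assumed value)
MAX_DIR_BYTES = 50 << 20     # check 4: whole-directory cap (assumed value)
FILE_MODE = 0o644            # check 5: rw-r--r--, never executable (assumed)


def validate_filename(name: str) -> bool:
    """Checks 1 and 2: non-empty, no slashes anywhere, no leading dot."""
    return bool(name) and "/" not in name and not name.startswith(".")


def directory_size(path: str) -> int:
    """Check 4: bytes used by regular files directly under the upload dir."""
    with os.scandir(path) as entries:
        return sum(e.stat(follow_symlinks=False).st_size
                   for e in entries if e.is_file(follow_symlinks=False))


def store_upload(upload_dir: str, name: str, stream) -> str:
    """Write one upload into upload_dir, enforcing all five checks.

    Note: the directory-size check is a snapshot; two concurrent uploads
    can each pass it, so the per-file cap is what bounds a single request.
    """
    if not validate_filename(name):
        raise ValueError("rejected filename")
    room = MAX_DIR_BYTES - directory_size(upload_dir)
    if room <= 0:
        raise OSError("upload directory quota exhausted")
    limit = min(MAX_FILE_BYTES, room)
    dest = os.path.join(upload_dir, name)
    # O_EXCL: never overwrite an existing file and never follow a symlink
    # planted at that name; the mode is only a hint until fchmod below.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, FILE_MODE)
    written = 0
    try:
        with os.fdopen(fd, "wb") as out:
            os.fchmod(out.fileno(), FILE_MODE)   # check 5, regardless of umask
            while True:
                chunk = stream.read(65536)
                if not chunk:
                    break
                written += len(chunk)
                if written > limit:              # check 3 (and 4) during the copy
                    raise ValueError("file too large")
                out.write(chunk)
    except Exception:
        os.unlink(dest)     # leave no partial file behind
        raise
    return dest
```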



----------------------------------------------------------------------------
Archives available at http://www.mail-archive.com/[email protected]/