
Re: cgi communication



Tudor,

>Both A and B are in the /cgi-bin directory.  I don't want to let
>people call B directly.  Is there any way to communicate between
>cgi scripts ?  I think A should pass the password to B, B check it
>again, and so on.  Is this correct ?
>Hidden variables are no-where secure...

Your best bet would be to keep the password-thingy as an entry in some kind
of local data-file that both the A and B cgi's can read/write - what is in
the "clear" in the URL (for "GET") or a hidden variable in a "POST" is a
token/index that "points" to the temp-file or temp-entry... this token
should only be good until the B script ends... that way there's a "window" of
security danger, but it's not that wide....

As far as not letting people "run" B directly, you can make the A script
create the "name" of the B script on the fly, by having B dispatched by
some kind of dispatching script that takes the "cookie" (see below) and
some hidden/internal state (to the server) and creates the call to B...

>Do you think "hidden" form fields will do the job ?
>
To make it more secure, you can use the "cookie" mechanism for
Netscape/Microsoft browsers - check www.netscape.com/... (reference
documents) for how a cgi-bin or a nph-cgi type script can deal with
"cookies"...  Cookies aren't foolproof, but they're "better" than
hidden-variables.

>Why does netscape issue that warning ?

Because you have the "warn when submitting a form insecurely" box checked
in the netscape preferences.

>Thanks,
>Tudor

(bill)

William J. Fulco
CEO, Chief Scientist
Network XXIII Corporation
wjf@NetworkXXIII.COM
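
The token-and-data-file scheme described in the reply above, as an added example that is not part of the original message: script A stores its state server-side and hands out only an opaque token, and script B redeems that token exactly once. The function names, the five-minute lifetime, the store directory and the sample state are assumptions made for this sketch.

```python
import os
import re
import secrets
import tempfile
import time

TOKEN_RE = re.compile(r"[0-9a-f]{32}")  # only shape ever issued; blocks "../" tricks
TTL_SECONDS = 300                        # assumed lifetime for an unredeemed token


def issue_token(store_dir, state):
    """Script A: store state server-side, return the opaque token for the form/URL."""
    token = secrets.token_hex(16)
    path = os.path.join(store_dir, token)
    # O_EXCL: never reuse an existing entry; 0o600: readable by the CGI user only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(state)
    return token


def redeem_token(store_dir, token, now=None):
    """Script B: return the stored state once, or None if the token is not valid."""
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        return None
    path = os.path.join(store_dir, token)
    claimed = path + ".claimed-" + secrets.token_hex(4)
    try:
        os.rename(path, claimed)  # atomic claim: a concurrent replay loses the race
    except FileNotFoundError:
        return None
    try:
        age = (time.time() if now is None else now) - os.stat(claimed).st_mtime
        if age > TTL_SECONDS:
            return None
        with open(claimed) as f:
            return f.read()
    finally:
        os.unlink(claimed)  # token is dead once B has looked at it


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stands in for the shared data directory
        t = issue_token(d, "user=tudor")      # constructed sample state
        print(redeem_token(d, t))             # user=tudor
        print(redeem_token(d, t))             # None (replay)
```

A request that reaches B without a live token gets `None`, which is what stops B from being useful when called directly.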