Gossamer Forum

user friendly modify.cgi - security problem (or my perl ineptitude?)

Hi again!

I've been hunting around for answers to this one over the past few days, could really use some help.

I'm trying to implement the user friendly modify.cgi from Phoenix (see http://www.gossamer-threads.com/...es/Detailed/154.html).

I've added a password field to my database, which seems to be fine. When I go to modify.cgi, I get the purple form, so far, so good. When I type in a password that is in the database, I get the given record associated with that password. Also good.

Here's the problem:

If I click on the password field and type nothing (leave it blank), and then hit enter, I'm given a list of all the records to modify (with the radio buttons, just as in the admin interface). This obviously can't remain that way, as it would give away all the passwords in the database *and* allow anyone to modify any record.

I wish I could post a URL to show you an example, but I'm nowhere near ready to release this portion of the site. If you really need to see, let me know and I'll duplicate the problem in a dummy (fake) database.

Any help would be appreciated!

Best,
Kate

------------------
www.floor42.com
Re: user friendly modify.cgi - security problem (or my perl ineptitude?)
Kate, I was able to duplicate the behavior (bug?) you describe. Thanks for bringing it to my attention... I have disabled the "user friendly" modify.cgi and gone back to the original "not so easy, but more secure" modify.cgi for the time being. Prior to your post, I was thinking that link modification should require at least two pieces of information anyway (email & password?).

My perl is also not up to snuff to debug this. There is apparently quite a bit of code that may or may not be used in sub querynew, including this call which should spit out a null password search...

    # If we don't have anything to search on, let's complain.
    if (!@search_fields and !@search_gt_fields and !@search_lt_fields) {
        return "no search terms specified";
    }

[This message has been edited by oldmoney (edited May 30, 1999).]
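To make the two posts above concrete, here is an added Perl example that is not code from Links 2.0, from Phoenix's mod or from either poster. It models a record lookup that silently drops empty submitted fields from its search criteria (so a blank password leaves no criteria and every record matches, which is the listing Kate saw), and beside it a hardened lookup that refuses to search unless both credentials oldmoney suggests (email and password) are present and then requires an exact match on both. The record layout, field names, sample data and the two subroutine names are all constructed for illustration and are assumptions, not the mod's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample records (not real site data); the field layout is assumed.
my @records = (
    { ID => 1, Title => 'Alpha Site', Contact_Email => 'alpha@example.invalid', Password => 'hunter2' },
    { ID => 2, Title => 'Beta Site',  Contact_Email => 'beta@example.invalid',  Password => 'letmein' },
    { ID => 3, Title => 'Gamma Site', Contact_Email => 'gamma@example.invalid', Password => 's3cret'  },
);

# Vulnerable lookup (constructed): empty submitted fields are dropped from the
# criteria. With nothing left to search on, every record is returned.
sub find_records_vulnerable {
    my ($in) = @_;
    my %criteria;
    for my $field (keys %$in) {
        # A blank field is treated as "not supplied" and ignored.
        $criteria{$field} = $in->{$field}
            if defined $in->{$field} && length $in->{$field};
    }
    my @hits;
    RECORD: for my $rec (@records) {
        for my $field (keys %criteria) {
            next RECORD unless $rec->{$field} eq $criteria{$field};
        }
        push @hits, $rec;   # with no criteria, every record lands here
    }
    return @hits;
}

# Hardened lookup (constructed): refuse to search unless every required
# credential is present and non-empty, then require an exact match on all of
# them and exactly one resulting record.
sub find_records_hardened {
    my ($in) = @_;
    my @required = qw(Contact_Email Password);
    for my $field (@required) {
        my $v = $in->{$field};
        return (undef, "missing $field") unless defined $v && length $v;
    }
    my @hits = grep {
        my $rec = $_;
        # keep the record only if no required field mismatches
        !grep { $rec->{$_} ne $in->{$_} } @required
    } @records;
    return (undef, "no matching record") unless @hits == 1;
    return ($hits[0], undef);
}

# Demonstration: the blank form submission from the first post.
my %blank = (Contact_Email => '', Password => '');

my @leak = find_records_vulnerable(\%blank);
printf "vulnerable lookup with blank fields returned %d of %d records\n",
    scalar @leak, scalar @records;

my ($rec, $err) = find_records_hardened(\%blank);
print "hardened lookup with blank fields: ", (defined $err ? $err : 'ok'), "\n";

($rec, $err) = find_records_hardened(
    { Contact_Email => 'beta@example.invalid', Password => 'letmein' });
print "hardened lookup with valid credentials: ",
    ($rec ? "record $rec->{ID} ($rec->{Title})" : $err), "\n";
```

Run it with `perl modify_demo.pl` (any file name). The first line shows the vulnerable lookup handing back all three records for a blank submission; the second shows the hardened lookup stopping at the missing-field check before any search is attempted; the third shows that a correct email and password pair still reaches its single record. The point is that "no search terms" must be rejected before the search runs, not after, and that an empty string must count as a missing term rather than a wildcard.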
Re: user friendly modify.cgi - security problem (or my perl ineptitude?)
oldmoney,

Thanks for the reply, and for pointing it out in the other thread.

I'm going to play around with it some more and hope that we get an answer now that the long weekend is over. I'll be sure to share if I, through a stroke of dumb luck, stumble upon the magic code ;)

A little update (4:13am, 6/1/99): for now, I've stopped trying to find this myself; it's beyond my Perl scope :)

[This message has been edited by Kate42 (edited June 01, 1999).]
Re: user friendly modify.cgi - security problem (or my perl ineptitude?)
Apparently this mod has been orphaned... http://www.gossamer-threads.com/...um3/HTML/001802.html