Re: [GENERAL] cgi with postgres

From Alfred Perlstein
Subject Re: [GENERAL] cgi with postgres
Date
Msg-id 20000114135329.D508@fw.wintelcom.net
In response to cgi with postgres  (Jeff MacDonald <jeff@hub.org>)
Responses Re: [GENERAL] cgi with postgres  (Jeff MacDonald <jeff@hub.org>)
Re: [GENERAL] cgi with postgres  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-general
* Jeff MacDonald <jeff@hub.org> [000114 13:38] wrote:
> hey folks,
>
> this is a security issue i'd like to get some info
> on, i'm sure it's more with cgi than postgres, but
> heck.
>
> issue: how to secure cgi's that access postgres
>
> problem: passwords for postgres database are stored
>       in plain text in scripts. (let's assume, perl,
>       not a compiled language)
>
> points:
>     make cgi dir 711
>     big deal, they can get the name of the file
>     from the web, and copy it.

how about sourcing a conf file that's in a 700 dir?

>
>     set an obscure cgi script alias in apache
>     big deal, they can read the cgi conf file.
>
>     this is assuming they already have an account
>     on the machine, something that cannot be ruled
>     out.
>
> question in short: how to make perl accessing databases
>     more secure, so any jack can't modify a database.
>
> thanks in advance.
>
> Jeff MacDonald
> jeff@hub.org
>

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
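
One way to do what the reply above suggests, as an added example that is not part of the original message: a Perl loader that reads the credentials from a file in a mode-700 directory and refuses to run if the directory or file is owned by someone else or open to group/other. It assumes the CGI runs under the account owner's uid (for instance via Apache suEXEC), since a shared web-server user could not read a 700 directory owned by the account; the file layout, key names and paths are hypothetical.

```perl
# Added example, not from the thread: load DB credentials from a 0700 directory.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Basename qw(dirname);
use File::Temp qw(tempdir);

# Die unless $path is owned by the effective uid and closed to group/other.
sub check_private {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    my $euid = $>;
    die "$path is not owned by uid $euid\n" unless $st[4] == $euid;
    my $perm = S_IMODE($st[2]);
    die sprintf("%s has mode %04o, group/other bits must be clear\n", $path, $perm)
        if $perm & 077;
}

# Parse "key = value" lines after checking the directory and the file.
sub load_conf {
    my ($path) = @_;
    check_private(dirname($path));   # the 700 directory
    check_private($path);            # the file itself, expected 600
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my %conf;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;          # skip comments and blanks
        $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die sprintf("%s line %d: expected key = value\n", $path, $.);
        $conf{$1} = $2;
    }
    close($fh);
    defined $conf{$_} or die "$path: missing '$_'\n" for qw(dbname user password);
    return \%conf;
}

# Constructed demo: in a real CGI the path would be fixed, e.g. a
# hypothetical /home/jeff/private/db.conf outside the document root.
my $dir  = tempdir(CLEANUP => 1);            # created with mode 0700
my $file = "$dir/db.conf";
open(my $out, '>', $file) or die "cannot write $file: $!\n";
print $out "# constructed sample values\ndbname = shop\nuser = webapp\npassword = example-only\n";
close($out);
chmod 0600, $file or die "chmod $file: $!\n";

my $conf = load_conf($file);
print "loaded credentials for user $conf->{user}\n";
chmod 0755, $dir or die "chmod $dir: $!\n";  # simulate a misconfigured directory
print "rejected: $@" unless eval { load_conf($file); 1 };
```

The error messages name the path and line number only, so a failed load never echoes the password into the web server's error log.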
