From: Daryl Martin (darylmtera.engr.mun.ca)
Date: Mon Jan 07 2002 - 16:59:27 CST


    Robert,
            At my most recent job I had the joy of playing with PHP/HTML and
    MySQL. Since this page was only accessible on the internal network I was
    not too conscious about security, but here are a few things you might want
    to try.

    1. Make a https connection when sending passwords over the
    internet/intranet.
    2. I myself would use MySQL to encrypt the passwords and store them for
    me. I didn't want them to lie around as plain text in a database or a
    text file.
    3. You can limit the IP addresses that can access the page. I only let
    addresses from 192.168.1.* into my pages.

    Just a few basic ideas on protecting your page.

    Cheers,

    Daryl Martin
    Computer Engineering
    Memorial University
    darylmengr.mun.ca

    On Sun, 6 Jan 2002, Robert Buljevic wrote:

    > Hi,
    >
    > I have a PHP/HTML based back-end for updating a MySQL database. Now, what
    > are my options in protecting this backend, besides HTTP basic authentication
    > (since this one is relatively insecure)?
    > Would PHP sessions be more appropriate?
    > Or using cookies with some encryption (md5, etc)?
    >
    > Any suggestions?
    >
    > Best regards,
    >
    > Robert Buljevic
    >
    >
    > ----- Original Message -----
    > From: <Len_LattanziStanfordAlumni.org>
    > To: <webappsecsecurityfocus.com>
    > Sent: Sunday, January 06, 2002 3:04 AM
    > Subject: Re: OWASP January Guest Paper - HTTP Authentication
    >
    >
    > > On 2002-01-05 17:17:35 -0800, Mark Curphey wrote:
    > > > Dave Zimmer wrote this great paper on HTTP Authentication for the new
    > > > Monthly OWASP Guest White paper section.
    > > >
    > > > http://www.owasp.org/resources/whitepapers/http_authentication.txt
    > > >
    > > Nice summary. I'd add the following caveats.
    > >
    > > While Apache supports digest authentication only a few clients support
    > > it such as wget, amaya and mozilla. Notably neither IE5.5 nor NS4.7x do.
    > >
    > > To test a client try
    > > http://jigsaw.w3.org/HTTP/Digest/
    > >
    > > both wget and mozilla can handle
    > > http://guest:guestjigsaw.w3.org/HTTP/Digest/
    > >
    > > -Len
    > >
    >
    >
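
The three measures Daryl lists, combined with the PHP-session approach Robert asks about, as an added example that is not code from either poster: a single guard script for a PHP/MySQL back-end that redirects to HTTPS, allows only the 192.168.1.0/24 network, and checks the submitted password against a salted hash stored in MySQL. The `admins` table, its `username`/`password_hash` columns, the DSN and the database credentials are assumed placeholders.

```php
<?php
// Added example, not from the original thread. Table/column names and DSN are assumed.
declare(strict_types=1);

// 1. Serve the back-end over HTTPS only, so the password never crosses the wire in clear.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
    exit;
}

// 3. Restrict the page to the internal network (192.168.1.* in the post = 192.168.1.0/24).
function ipAllowed(string $ip, string $cidr = '192.168.1.0/24'): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $addr = ip2long($ip);
    $base = ip2long($net);
    if ($addr === false || $base === false) {
        return false;                         // unparsable address: deny
    }
    $mask = -1 << (32 - (int) $bits);         // e.g. /24 -> 0xFFFFFF00
    return ($addr & $mask) === ($base & $mask);
}
if (!ipAllowed($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Passwords live in MySQL only as salted hashes (stored with password_hash($pw, PASSWORD_DEFAULT)).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Session-based login instead of HTTP basic auth: the cookie carries an opaque id, not credentials.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    $stmt = $pdo->prepare('SELECT password_hash FROM admins WHERE username = ?');
    $stmt->execute([$_POST['user']]);
    $hash = $stmt->fetchColumn();
    // password_verify compares in constant time; on success rotate the session id (session fixation).
    if ($hash !== false && password_verify($_POST['pass'], (string) $hash)) {
        session_regenerate_id(true);
        $_SESSION['admin'] = $_POST['user'];
    }
}

if (empty($_SESSION['admin'])) {
    http_response_code(401);
    exit('Login required');                   // render the login form here
}
// ... authenticated admin pages follow ...
```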