Re: passwd by WWW

To: debian-security@lists.debian.org
Cc: Alain Tesio <alain@onesite.org>
Subject: Re: passwd by WWW
From: Marcin Bednarz <mbednarz@student.uci.agh.edu.pl>
Date: Tue, 23 Apr 2002 19:18:18 +0200 (CEST)
Message-id: <[🔎] Pine.GSO.4.44.0204231912360.4872-100000@student.uci.agh.edu.pl>
In-reply-to: <[🔎] 20020422145836.7e148640.alain@onesite.org>

Hi all.

> On Mon, 22 Apr 2002 22:35:53 +1000
> Ian Cumming <ian@ids.org.au> wrote:
> > I've come across this problem too. I think i searched freshmeat.net, and
> > found a few scripts which did the trick - however I wasn't confident
> > enough to put them into place.
> >
> > Is www a priority? You could write a simple perl script which securely
> > launched passwd, and set the script to be the user's shell. This is what
> > I do on my server.

yes. www is a priority (but hmmmmmm....
users does not have shells.
In this fact are any other solutions ?

> > ps: if anyone *does* have a good cgi for changing passwords, please send
> > it to me :)

me too !!! :)

> Have a look at cgipasswd on freshmeat.net
> You need a suid cgi script, it's important to filter the form inputs
> against a list of valid characters.

It is working on suid :( Is it secure ? Probably not.
Maybe if I will have LIDS for Linux it will solve it. But which rules I
must set ?


Regards,
Marcin Bednarz.


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Re: passwd by WWW
  - From: Alain Tesio <alain@onesite.org>

Prev by Date: qpopper: new upstream version 4.04 fixes DoS
Next by Date: Lost root password!!
Previous by thread: Re: passwd by WWW
Next by thread: Apache htaccess
Index(es):
- Date
- Thread