Re: CGI security on a shared web server

From: Glynn Clements (glynn.clements@virgin.net)
Date: 05/28/02

• Previous message: Lee E. Brotzman: "Re: CGI security on a shared web server (fwd)"
• In reply to: Steffen Dettmer: "Re: CGI security on a shared web server"
• Next in thread: Steffen Dettmer: "Re: CGI security on a shared web server"
• Next in thread: Kurt Seifried: "Re: CGI security on a shared web server"
• Next in thread: Antonomasia: "Re: CGI security on a shared web server"
• Reply: Steffen Dettmer: "Re: CGI security on a shared web server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Glynn Clements <glynn.clements@virgin.net>
Date: Tue, 28 May 2002 03:51:05 +0100
To: Steffen Dettmer <steffen@dett.de>

Steffen Dettmer wrote:

> > One possible solution, assuming you need to write the data but not read it
> > until later is to encrypt it, generate a public/private keypair using
> > pgp/gnupg, load the public key onto the server with your app, have it write
> > the files after encrypting the data. Thus you can retrieve the data (ftp,
> > www, whatever) and then decrypt it at your leisure and use it.
>
> I don't think that this makes things secure. If the web server
> runs as nobody, the CGI script must be executable for nobody. The
> secret key must be reable for nobody.

No; only the *public* key needs to reside on the server, and that
doesn't need to be secure. That's the whole point of "public key"
cryptosystems.

OTOH, there may well be other ways in which the security can be
compromised. The easiest way would be to modify the CGI script,
although that would be readily detectable.

-- 
Glynn Clements <glynn.clements@virgin.net>

---

• Previous message: Lee E. Brotzman: "Re: CGI security on a shared web server (fwd)"
• In reply to: Steffen Dettmer: "Re: CGI security on a shared web server"
• Next in thread: Steffen Dettmer: "Re: CGI security on a shared web server"
• Next in thread: Kurt Seifried: "Re: CGI security on a shared web server"
• Next in thread: Antonomasia: "Re: CGI security on a shared web server"
• Reply: Steffen Dettmer: "Re: CGI security on a shared web server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: CryptImportKey ... Whan you "encrypt" your server-generated session key your parameter is ... AT_KEYEXCHANGE - but CAPI will use the PUBLIC key portion of that key pair ... The client and server communicating over TCP/IP. ... (microsoft.public.platformsdk.security) Re: Encryption keys ... you need at least the server's public key to get ... This could also be the server cert, ... Now encrypt your fields with the servers public key. ... It will then verify the machine hash matches what you dynamically ... (microsoft.public.dotnet.general) Re: CryptImportKey ... Whan you "encrypt" your server-generated session key your parameter is ... AT_KEYEXCHANGE - but CAPI will use the PUBLIC key portion of that key pair ... The client and server communicating over TCP/IP. ... (microsoft.public.platformsdk.security) Re: CryptImportKey ... Whan you "encrypt" your server-generated session key your parameter is AT_KEYEXCHANGE - but CAPI will use the PUBLIC key portion of that key pair for the key encryption. ... IF you insist the server to generate a new session key than encrypt that key with the client's SESSION key. ... (microsoft.public.platformsdk.security) Re: TIPS FOR THE NEWCOMER ... As long as the private key is readable by the ssh client when it comes ... When the ssh client connects to the server, ... private key which matches the public key. ... (SSH)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > secprog  > 2002-05