byron wise wrote:
> Recently my company decided to put their login on the main page. This main
> page isn't secure. However the action attribute of the form tag does point
> to a secure cgi script that handles the username/password. What security
> risks if any are there with having this form on a non secure page?
I would assume, for starters, that the script name is revealed? Depending on
your platform, knowing the name, it may be possible to abuse that. (Do you
have local users with shell access on the box?)

Also, it can be used to determine valid userids on the system. If you monitor
your SMTPD logs, I'm sure you've noticed people "guessing" userids on your box
to make a list of valid users. Webform logins are another way to do the same
thing.

Those would be my starting points.
_______________________________________________
Perl-Unix-Users mailing list. To unsubscribe go to
http://listserv.ActiveState.com/mailman/subscribe/perl-unix-users
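
The userid guessing mentioned in the reply can be watched for in the login script's own log, the same way as in mail logs. The following is an added example, not code from the original thread: the log format, the threshold and all sample lines are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example: flag clients that fail logins against many different userids.
use strict;
use warnings;

# Hypothetical threshold: distinct userids one address may fail before it is flagged.
my $MAX_DISTINCT_USERS = 3;

# Constructed sample lines in an assumed log format:
#   <timestamp> login <ok|fail> user=<userid> src=<address>
my @log = (
    '2001-01-01T10:00:01 login fail user=admin src=192.0.2.10',
    '2001-01-01T10:00:02 login fail user=root src=192.0.2.10',
    '2001-01-01T10:00:03 login fail user=webmaster src=192.0.2.10',
    '2001-01-01T10:00:04 login fail user=bwise src=192.0.2.10',
    '2001-01-01T10:02:10 login fail user=jsmith src=198.51.100.7',
    '2001-01-01T10:02:25 login fail user=jsmith src=198.51.100.7',
    '2001-01-01T10:02:40 login ok user=jsmith src=198.51.100.7',
);

# Returns a hash ref of src address => number of distinct userids that failed.
# Only addresses above the threshold are included.
sub find_userid_guessers {
    my ($lines, $max) = @_;
    my %seen;    # src => { userid => failure count }
    for my $line (@$lines) {
        next unless $line =~ /\blogin fail user=(\S+) src=(\S+)/;
        $seen{$2}{$1}++;
    }
    my %flagged;
    for my $src (keys %seen) {
        # Count distinct userids, not attempts: a user who mistypes a
        # password several times stays under the threshold.
        my $distinct = scalar keys %{ $seen{$src} };
        $flagged{$src} = $distinct if $distinct > $max;
    }
    return \%flagged;
}

my $flagged = find_userid_guessers(\@log, $MAX_DISTINCT_USERS);
for my $src (sort keys %$flagged) {
    printf "%s failed logins for %d distinct userids\n", $src, $flagged->{$src};
}
```

On the sample data only 192.0.2.10 is reported; the repeated failures for a single userid from 198.51.100.7 are not.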