
[mv] Userdb password security/ Security ?



******    message to minivend-users from "Gideon van Gelder" <gideon@swingmaster.nl>     ******

Hi all,

Now I am by no means a security expert.
What I did think of the other day, is that anyone can
very easily loop through all the userdb-passwords with this url:

mystore.com/cgi-bin/mycat/rf=1/ra=yes/fi=userdb

Since almost anyone uses the [item-code] reference somewhere
on their results-page, the password is bound to show up somewhere.
For your information, I already was successful at about all
of the few MV-stores I tried this trick with.

Now what I think is you can do two things:

1. change the name of your userdb to something else that can't be guessed
at.

2. Use encryption; however I was told that perl-encryption is about
the worst encryption there is, so that could still mean a lot of
fun for a hacker, right?

What are your opinions? Is this needless worrying (I don't think so).
Is there any way to make the userdb not accessible from the url, or just
make it safer?

-Gideon

P.S.  What is the current status on the export-restriction problem for
128-bit browsers from the US? (stupid NSA suckers...)

-
To unsubscribe from the list, DO NOT REPLY to this message.  Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list
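
For a store operator, the request shape described in the message above can be looked for in web server access logs. The following is an added example, not part of the original message and not MiniVend code: it assumes Common Log Format logs, treats `fi` as the parameter that names the searched file (as in the URL in the post), and runs on constructed log lines; `search_params` and `flag_userdb_searches` are hypothetical helper names.

```python
import re
from urllib.parse import unquote

SENSITIVE_TABLES = {"userdb"}   # table name from the post; extend per catalog
FILE_KEYS = {"fi"}              # search-file parameter as it appears in the post's URL

# Request line inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def search_params(url):
    """Collect key=value pairs from path segments and from the query string."""
    path, _, query = url.partition("?")
    params = {}
    for piece in path.split("/") + re.split(r"[&;]", query):
        # Decode after splitting so %xx-encoded names and values are still seen.
        key, sep, value = unquote(piece).partition("=")
        if sep:
            params.setdefault(key.lower(), []).append(value)
    return params

def flag_userdb_searches(log_lines, tables=SENSITIVE_TABLES):
    """Return (client, url) for each request whose search file is a sensitive table."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        params = search_params(url)
        for value in (v for k in FILE_KEYS for v in params.get(k, [])):
            # Reduce "dir/userdb.txt" style values to the bare table name.
            table = value.replace("\\", "/").rsplit("/", 1)[-1].split(".", 1)[0].lower()
            if table in tables:
                hits.append((line.split(" ", 1)[0], url))
                break
    return hits

SAMPLE_LOG = [  # constructed log lines, not real traffic
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/mycat/rf=1/ra=yes/fi=userdb HTTP/1.0" 200 5120',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/mycat/rf=1/ra=yes/fi=products HTTP/1.0" 200 2048',
    '198.51.100.7 - - [01/Jan/2000:10:01:00 +0000] "GET /cgi-bin/mycat?ra=yes&fi=%75serdb.txt HTTP/1.0" 200 4096',
    '192.0.2.12 - - [01/Jan/2000:10:02:00 +0000] "GET /cgi-bin/mycat/index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, url in flag_userdb_searches(SAMPLE_LOG):
        print(f"userdb search from {client}: {url}")
```
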

