[mv] Userdb password security/ Security ?
****** message to minivend-users from "Gideon van Gelder" <gideon@swingmaster.nl> ******
Hi all,
Now I am by no means a security expert.
What I did think of the other day is that anyone can
very easily loop through all the userdb passwords with this URL:
mystore.com/cgi-bin/mycat/rf=1/ra=yes/fi=userdb
Since almost anyone uses the [item-code] reference somewhere
on their results-page, the password is bound to show up somewhere.
For your information, I already was successful at about all
of the few MV-stores I tried this trick with.
Now what I think is you can do two things:
1. Change the name of your userdb to something else that can't be guessed
at.
2. Use encryption; however, I was told that perl-encryption is about
the worst encryption there is, so that could still mean a lot of
fun for a hacker, right?
What are your opinions? Is this needless worrying (I don't think so)?
Is there any way to make the userdb not accessible from the URL, or just
make it safer?
-Gideon
P.S. What is the current status on the export-restriction problem for
128-bit browsers from the US? (stupid NSA suckers...)
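
Added example, not part of the original message and not MiniVend code: a small access-log check a store operator could run to see whether searches against the user database, like the URL quoted above, have already been requested. The parameter names `rf`, `ra` and `fi` come from that URL; the Apache log format, the `SENSITIVE_TABLES` set, the handling of file extensions and query-string separators, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: tables that should never be reachable through a search URL.
SENSITIVE_TABLES = {"userdb"}
# Assumption: Apache common/combined access-log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def search_params(target):
    """Collect key=value pairs from a request target, path- or query-style."""
    params = {}
    for part in re.split(r"[/?&;]", target):
        key, sep, value = unquote(part).partition("=")  # decode after splitting
        if sep and key:
            params[key.lower()] = value
    return params

def table_name(fi_value):
    """Reduce an fi= value to a bare table name (drops directory and extension)."""
    base = fi_value.replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".", 1)[0].lower()

def flag_requests(log_lines):
    """Return one finding per request that searches a sensitive table."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        params = search_params(target)
        table = table_name(params.get("fi", ""))
        if table in SENSITIVE_TABLES:
            findings.append({
                "client": client,
                "table": table,
                "return_all": params.get("ra", "").lower() == "yes",
                "served": status.startswith("2"),  # 2xx: the server answered the search
            })
    return findings

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/mycat/rf=1/ra=yes/fi=userdb HTTP/1.0" 200 5120',
    '192.0.2.11 - - [01/Jan/2000:10:01:00 +0000] "GET /cgi-bin/mycat/rf=1/ra=yes/fi=products HTTP/1.0" 200 8000',
    '198.51.100.7 - - [01/Jan/2000:10:02:00 +0000] "GET /cgi-bin/mycat/rf=1/ra=yes/fi%3DUserDB.txt HTTP/1.0" 404 210',
    '192.0.2.12 - - [01/Jan/2000:10:03:00 +0000] "GET /cgi-bin/mycat/index HTTP/1.0" 200 3000',
]
```

A finding with `served` set to true and `return_all` set to true is the case the message describes; one with `served` false shows the request was attempted but not answered.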