Re: [mv] Userdb password security/ Security ?
****** message to minivend-users from jojo@buchonline.net ******
On 22 Jan, To: mvendweb wrote:
>
>
> -------- Original Message --------
> Subject: [mv] Userdb password security/ Security ?
> Date: Sat, 22 Jan 2000 00:00:58 +0100
> From: "Gideon van Gelder" <gideon@swingmaster.nl>
> Reply-To: minivend-users@minivend.com
> To: <minivend-users@minivend.com>
> References: <002101bf644f$cf8d4840$0c01a8c0@steven>
> <0001211708210P.23987@arcane.specialty-books.com>
>
> ****** message to minivend-users from "Gideon van Gelder"
> <gideon@swingmaster.nl> ******
>
> Hi all,
>
> Now I am by no means a security expert.
> What I did think of the other day, is that anyone can
> very easily loop through all the userdb-passwords with this url:
>
> mystore.com/cgi-bin/mycat/rf=1/ra=yes/fi=userdb
>
> Since almost anyone uses the [item-code] reference somewhere
> on their results-page, the password is bound to show up somewhere.
> For your information, I already was successful at about all
> of the few MV-stores I tried this trick with.
>
> Now what I think is you can do two things:
>
> 1. Change the name of your userdb to something else that can't be
> guessed at.
>
> 2. Use encryption; however I was told that perl-encryption is about
> the worst encryption there is, so that could still mean a lot of
> fun for a hacker, right ?
>
> What are your opinions? Is this needless worrying (I don't think so)?
> Is there any way to make the userdb not accessible from the URL, or just
> make it safer?
>
> -Gideon
>
> P.s. What is the current status on the export-restriction problem for
> 128-bit browsers from the US ?(stupid NSA suckers...)
Hi Gideon,
I have tested it and I can get the information from userdb. I believe I
can patch some Minivend module to prevent this (if I have time). But I
would prefer that Mike Heins add a feature like
Database userdb userdb.asc TAB secure
^^^^^^^
or other solutions to tell MV to make the userdb file secure.
I will not patch any Minivend file.
Regards,
Joachim
BTW: I use encryption and watch my web server logs!
--
Hans-Joachim Leidinger
buch online jojo@buchonline.net
Munscheidstr. 14 FAX: +49 209 1971449
45886 Gelsenkirchen FAX: 0209 1671449
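Joachim's closing remark about watching web server logs is the practical detection angle in this thread: until the database itself is protected, a request that names userdb in the search path is the thing to alarm on. The script below is an added example for that check; it is not code from the thread, from Minivend, or from either poster. It assumes the URL form Gideon quoted (path segments such as `ra=yes` and `fi=userdb`, where `fi=` names the file being searched), Apache common log format, and uses constructed sample log lines. It also decodes percent-encoded segments and lets you list further protected tables (the `customers` entry is a constructed placeholder), which goes slightly beyond the single URL in the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache common log format; not taken from
# any real server or from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2000:00:01:10 +0100] "GET /cgi-bin/mycat/rf=1/ra=yes/fi=userdb HTTP/1.0" 200 5123
10.0.0.7 - - [22/Jan/2000:00:02:31 +0100] "GET /cgi-bin/mycat/scan/se=book/fi=products HTTP/1.0" 200 2201
10.0.0.5 - - [22/Jan/2000:00:03:02 +0100] "GET /cgi-bin/mycat/rf=1/ra=yes/fi=customers HTTP/1.0" 200 4991
10.0.0.9 - - [22/Jan/2000:00:03:40 +0100] "GET /cgi-bin/mycat?mv_searchspec=userdb HTTP/1.0" 200 1800
10.0.0.5 - - [22/Jan/2000:00:04:15 +0100] "GET /cgi-bin/mycat/rf=1/ra=yes/fi=%75serdb HTTP/1.0" 200 5123
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Databases that must never be reachable through the search interface.
# "userdb" is the one named in the thread; "customers" is a constructed
# placeholder for any other table an operator wants to protect.
PROTECTED_DBS = {"userdb", "customers"}


def parse_search_params(path):
    """Extract key=value pairs from a Minivend-style path such as
    /cgi-bin/mycat/rf=1/ra=yes/fi=userdb (assumption: the URL form quoted
    in the thread). Segments are percent-decoded so that an encoded
    variant like fi=%75serdb is treated the same as fi=userdb."""
    params = {}
    for seg in path.split("?", 1)[0].split("/"):
        if "=" in seg:
            key, value = seg.split("=", 1)
            params[unquote(key).lower()] = unquote(value).lower()
    return params


def classify(line):
    """Return (ip, path, reason) when the request names a protected
    database as its search file, otherwise None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    params = parse_search_params(path)
    target = params.get("fi")
    if target in PROTECTED_DBS:
        reason = f"search file '{target}' is a protected database"
        if params.get("ra") == "yes":
            reason += " with ra=yes (return all records)"
        return (m.group("ip"), path, reason)
    return None


def scan_log(text):
    """All suspicious requests in a block of log text, in order."""
    return [hit for hit in (classify(line) for line in text.splitlines()) if hit]


def offenders(text):
    """Count suspicious requests per client address."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}  <- {reason}")
    print(offenders(SAMPLE_LOG))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's contents; the second sample line (a normal product search) and the fourth (a query-string search with no `fi=` segment) are deliberately left unflagged, so the check reports only requests that actually name a protected table.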
Archive of past messages: http://www.minivend.com/minivend/minivend-list