Accessing a perl script in a protected area

Forum Moderators: coopster & phranque

Message Too Old, No Replies

Accessing a perl script in a protected area

lindajames

12:52 pm on May 10, 2003 (gmt 0)

Hi, I have the code below, As you can probably see, im trying to execute commands on a script that is protected, so the way that ive done it is to use and image tag, and called the script by storing the username and password in the actual url, as you know this is 100% not safe, i need a script and i am willing to pay anyone who can do it for me.

The script needs to do exactly what im trying to do below, but the URL should not be visible to the users as soon as the request is made to the script it should make the request like the image tag but the url should be not viewable.

Security is the main issue here.

If anyone can make such a script, please give me a responable quote.

Or any suggestions would be very much appreciated

Cheers
Linda

#!/usr/bin/perl

use CGI;

my $query = new CGI;
my $email = $query->param('email');

print "Content-type: text/html\n\n";
print "<img src=\"http://username:password@myprotectedomain.com/process.cgi?$email\" height=1 width=1>";

navink

12:59 pm on May 10, 2003 (gmt 0)

Would you please clarify that what do you want to do exactly. I did not get your point. Tell me through any example of your pages

Navin

lindajames

1:06 pm on May 10, 2003 (gmt 0)

Ok, basically, my host provides me with a control panel to add unlimited pop3 mailboxes. So basically, i want to setup a email service website like hotmail but POP3 accounts. To add a pop3 account in the controlpanel all i do is access controlpanel.myhost.com/action.exe?action=addpop&mailbox=linda&password=pass

this command adds a mailbox called linda with the password of pass. I can easily get the value of password and mailbox using simple form value request methos.

However, the control panel domain is password protected using .htaccess, so for me to execute that command i have to use [user:password@control.myhost.com...] but like i said in my previous post, this is not secure, i need something that will hide all this from the users.

I hope this explains it

cheers
linda

navink

1:12 pm on May 10, 2003 (gmt 0)

You can use password encrypt programs & scripts for encrypting password so that it would be secure. Try md5 string hash program which yaho uses too. Search in google.com for it. I hope you will get some new ideas.

Navin

lindajames

1:27 pm on May 10, 2003 (gmt 0)

Thanx Navin,

I will lookup on it, one quick question though, by encrypting the username and password, i assume i will end up accessing the url like this encryptedusername:encryptedpassword@controlpanel.myhost.com is that correct, if so, how secure is the encrypted username and password, can malicous users not directly enter it?

thanx again

cheers
linda

ShawnR

2:44 pm on May 11, 2003 (gmt 0)

A few suggestions, depending on what you are trying to achieve, and the level of security you require:

Have your page call a cgi script. This script would in turn call your host's script (and your username/password would be hidden in this cgi script). Set up the access so that visitors can only run the cgi script (can't download the source for it), and so that the cgi script can only be run when called from your webpage, not from someone elses.
Set up environment variables for your password/username that are available to your script; no one else.
Look into ssl

Shawn

lindajames

10:34 pm on May 12, 2003 (gmt 0)

Thanx for the suggestions Shawn, ive actually got the code now. I paid a member of this forum, who i must say did a great job of the code, works extremly well.

The code initiates a HTTP request to my protected area with the right credentials and queries the protected url by the server side by Perl's means.