Re: [GENERAL] cgi with postgres

* Jeff MacDonald <jeff@hub.org> [000114 13:38] wrote:
> hey folks,
>
> this is a security issue i'd like to get some info
> on, i'm sure it's more with cgi than postgres, but
> heck.
>
> issue: how to secure cgi's that access postgres
>
> problem: passwords for postgres database are stored
>       in plain text in scripts. (lets assume, perl,
>       not a compiled language)
>
> points:
>     make cgi dir 711
>     big deal, they can get the name of the file
>     from the web, and copy it.

how about sourcing a conf file that's in a 700 dir?

>
>     set an obscure cgi script alias in apache
>     big deal, they can read the cgi conf file.
>
>     this is assuming they already have an account
>     on the machine, something that cannot be ruled
>     out.
>
> question in short: how to make perl accessing databases
>     more secure, so any jack can't modify a database.
>
> thanks in advance.
>
> Jeff MacDonald
> jeff@hub.org
>

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]