Security Basics mailing list archives
Re: script credentials
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Tue, 2 Mar 2010 20:03:26 +0100
On 2010-03-02 Wimpie du Plessis wrote:
On 02 Mar 2010, at 12:37 AM, Ansgar Wiechers wrote:On 2010-03-01 jason.gerfen () gmail com wrote:If your working with perl and are worried about exposing your password through a config file (which you could limit access through with the proper permissions), or as noted above in regards to exposing the username, password information through arguments then you might want to utilize an encrypted version of the password within the config file. Take a look at the mcrypt perl module as it would handle it easily for you: http://search.cpan.org/dist/MCrypt/MCrypt.pmWhat exactly is that supposed to solve? The OP's script would need to decrypt the credentials in order to authenticate against the database. Meaning that he'd need *another* password/key to do that. Which would have to be stored somewhere as well.Have a look at the following product. we are busy implementing it and second phase will be to get rid of clear text password stored in scripts etc. http://www.e-dmzsecurity.com/tpam-apm.html
How exactly is that supposed to get you around the bootstrapping problem? If stored credentials are encrypted you *must* decrypt them somehow, so that a script can pass them to the requesting application. Meaning that you have to somehow supply *another* password or key for the decryption process. Which has to be stored somewhere if that's supposed to happen automatically. Wrapping the problem in additional layers of code (which most likely will contain vulnerabilities of their own) is not going to magically make the issue go away. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: Re: script credentials jason . gerfen (Mar 01)
- Re: script credentials Ansgar Wiechers (Mar 02)
- Re: script credentials Wimpie du Plessis (Mar 04)
- Re: script credentials Ansgar Wiechers (Mar 04)
- Re: script credentials Wimpie du Plessis (Mar 04)
- Re: Re: script credentials Jeffrey Walton (Mar 02)
- Re: script credentials Ansgar Wiechers (Mar 02)