Re: [mv] turn off cc security - ? on enc. file storage
On Wed, 10 Nov 1999, Mr. Anthony R.J. Ball wrote:
>****** message to minivend-users from "Mr. Anthony R.J. Ball" <ant@maine.com> ******
>
>> Now, question: if you /were/ going to save order information in an
>> encrypted file on your server but outside the web space - any suggestions
>> for a place that is inaccessible by nouser so it could not be hacked?
>> FYI, we use Apache with Stronghold. One of the problems I have with
>> storing even tracking info is the fact that nouser could read it, so
>> there might be a user on our machine (or who gets access to our machine
>> via a poorly written CGI script) who could poke around and find that
>> file. Comments? Criticisms? Suggestions? Complete implementations with
>> your own experience? :-)
>
> Umm... you can always make a file that only gives write permissions
>as well... then nouser may be able to add to it or overwrite it, but not
>get the info back.
OK, let me clarify. If you were going to save order information in an
encrypted file on your server, --and-- you wanted to allow a catalog owner
to pick up the data via SSL and an external (or mv) cgi script, where
would you put it so that it won't be immediately viewable from other,
random cgi scripts running on the same server?
I know that sounds like an impossibility - but there are places Apache
can reach that are outside the web space. Think it's a good idea to put
encrypted files there? What I'm mostly thinking about is the type of
simple cgi script that lets a user "walk" around the web space and look
at the contents of any file readable by nouser. If we started saving
tracking info this way, we'd want to put it where it couldn't be easily
found by walking.
-- Loy
--
Loy Ellen Gross * Web Designer & Programmer * Xcalibur Internet
Voice: 716-344-1114 * design@iinc.com * http://www.iinc.com
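
The write-only arrangement suggested in the quoted reply, worked through as an added example (not part of the original message and not Minivend code): it evaluates classic Unix mode bits to show what a process running as the web server user can list, read, and write. The uids, gids, paths, and modes are constructed assumptions, and root and ACLs are ignored.

```python
from collections import namedtuple

# Constructed sample entries: names, uids, gids and modes are assumptions.
Entry = namedtuple("Entry", "name mode uid gid")

def perms_for(entry, uid, gids):
    """rwx bits that apply to (uid, gids). Only the first matching
    class counts: owner, then group, then other."""
    if uid == entry.uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    return {"r": bool(bits & 4), "w": bool(bits & 2), "x": bool(bits & 1)}

def audit(dirs, target, uid, gids):
    """What can a process running as uid/gids do with target inside dirs[-1]?"""
    # Every directory on the path needs search (x) permission to reach the file.
    reachable = all(perms_for(d, uid, gids)["x"] for d in dirs)
    # A "walking" script sees the file name only if the last directory is listable.
    ancestors_ok = all(perms_for(d, uid, gids)["x"] for d in dirs[:-1])
    listable = ancestors_ok and perms_for(dirs[-1], uid, gids)["r"]
    p = perms_for(target, uid, gids)
    return {"can_list_dir": listable,
            "can_read": reachable and p["r"],
            "can_write": reachable and p["w"]}

NOUSER = (99, {99})        # assumed uid/gid of the web server account
OWNER = (1001, {1001})     # assumed uid/gid of the catalog owner

# Write-only layout: directory searchable but not listable by group nouser,
# file writable but not readable by group nouser.
LOCKED_DIRS = [Entry("/data", 0o755, 0, 0), Entry("/data/orders", 0o710, 1001, 99)]
LOCKED_FILE = Entry("orders.pgp", 0o620, 1001, 99)

# Typical default layout: world-readable directory and file.
OPEN_DIRS = [Entry("/data", 0o755, 0, 0), Entry("/data/orders", 0o755, 1001, 1001)]
OPEN_FILE = Entry("orders.pgp", 0o644, 1001, 1001)

if __name__ == "__main__":
    print("nouser, locked:", audit(LOCKED_DIRS, LOCKED_FILE, *NOUSER))
    print("owner,  locked:", audit(LOCKED_DIRS, LOCKED_FILE, *OWNER))
    print("nouser, open:  ", audit(OPEN_DIRS, OPEN_FILE, *NOUSER))
```

With the locked layout, any CGI script running as the same web server account, including a pickup script, is also unable to read the file, and write access still permits overwriting it.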