Security of script passwords


Author
Message
lakeside
lakeside
Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)
Group: Forum Members
Posts: 34, Visits: 121
I have noticed that passwords can be entered into web scripts for both FTP data writes and for the /encrypt attribute. However, it appears the script can be accessed and downloaded anonymously by anyone familiar with the script name and the URL pattern used by Millisecond. Is this correct? If so, what extra security does the use of passwords provide?

Dave
Dave
Supreme Being (1M reputation)Supreme Being (1M reputation)Supreme Being (1M reputation)Supreme Being (1M reputation)Supreme Being (1M reputation)Supreme Being (1M reputation)Supreme Being (1M reputation)Supreme Being (1M reputation)Supreme Being (1M reputation)
Group: Administrators
Posts: 13K, Visits: 104K
When hosting scripts and data on millisecond.com, there would only be extra security if you also encrypt the script itself. A person would still be able to download the script anonymously as you describe, but would not be able to read its contents.

Ultimately, though, the script has to be decrypted at some point and be available in plain text in order to run. I.e., a motivated attacker would be able to "participate" in the experiment and dump the decrypted contents on her/his system to obtain any (FTP etc.)  passwords contained in the script.

Encrypting data files can be useful if you want to transmit them somewhere else, but there's no transport-layer encryption available to you (FTP, plain HTTP).

lakeside
lakeside
Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)Guru (7.3K reputation)
Group: Forum Members
Posts: 34, Visits: 121
Thanks. I am not a security expert but, for the record, it occurs to me the FTP account could be setup with write-only (i.e., no read or execute) permissions which should mitigate the risk of comprised user/password information.

GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Reading This Topic

Explore
Messages
Mentions
Search