How secure is this login script?

Posted: Mon Sep 15, 2003 11:08 am
by JayBird
I have built an intranet for a VERY large company, and they are querying how secure the site is because it contains some sensitive information.

I didn't write the login script myself; I am using phpSecurePages, which can be found at http://www.phpsecurepages.com/.

Just wondering if anyone has had any experience with this script and knows how secure or not secure it is.

What possible holes are there?

Thanks

Mark

Posted: Mon Sep 15, 2003 3:05 pm
by SantaGhost
As far as PHP is concerned, user clients can't access the PHP files' source or database unless they have access to the filesystem (FTP). If the PC where the site is running can be exploited, there is a possibility of passwords etc. retrieval, but this is "always" a possibility.

Secondly, there are very good encryption systems for PHP, so it's at least pretty hard to crack a good secure machine. Normally it's impossible. Be sure to run Apache, the newest version of PHP and Linux/Unix with the newest updates to minimize security holes, but PHP is secure as long as you keep your database uname/pw private.

Posted: Mon Sep 15, 2003 3:53 pm
by m3rajk
umm

is the intranet local to one building?

if not how do they go between buildings? vpn?

if the answer to the first is yes or the second is vpn, it's as secure as the vpn as long as you don't let the world see it

Posted: Mon Sep 15, 2003 5:55 pm
by JAM
m3rajk wrote: umm

is the intranet local to one building?

if not how do they go between buildings? vpn?

if the answer to the first is yes or the second is vpn, it's as secure as the vpn as long as you don't let the world see it

If I'm not mistaken, security and sensitive information don't really have to do with "the outside". An intranet at a very large company has no outside access whatsoever, so I guess the idea of security is that someone on the inside might be able to view information they shouldn't.

Medical records, what different employees get paid, the CEO's personal notes... Not something John Doe in the warehouse should be able to read on his break...

Sorry, Bech, but I haven't used it, so I don't dare speak of it.