[Tutor] CGI problem.

Lloyd Kvam pythonTutor at venix.com
Sat Nov 6 20:20:52 CET 2004


My guess is that you have a trailing \n on the password that you read
from the file.  I believe that the md5 digest is 16 characters, but you
can double check that easily.  If that's true then
	filepass = filepass[:16]
would extract the digest.

This avoids any kind of issues with line marks between different
operating systems.

One other point.  It is best to have a secret seed value that is used in
conjunction with the user password when computing the digest.  This
makes it harder to mount a dictionary attack against a copy of the
password file.  You are still vulnerable to on-line dictionary attacks
since your script "knows" the seed.  In actual practice someone who
obtained the password file would often have also been able to obtain
your secret seed value.


On Sat, 2004-11-06 at 14:01, Mark Kels wrote:
> On Sat, 6 Nov 2004 09:48:35 -0800 (PST), Chad Crabtree
> <flaxeater at yahoo.com> wrote:
> > Mark Kels wrote:
> > 
> > 
> > 
> > >Thank you!
> > >
> > >But now I have another problem:
> > >
> > >I tried to add md5 hashing to the script, but for some reason it
> > >always says the password is wrong...
> > >
> > >Here is the program:
> > >
> > >import cgi
> > >import cgitb; cgitb.enable()
> > >import md5
> > >
> > >form = cgi.FieldStorage()
> > >x=open("pass.txt","r")
> > >form.getfirst("pass")
> > >print "Content-type: text/html\n\n"
> > >
> > >def printhtml():
> > >    print """
> > >       <html><body>
> > >       <form><input name="pass" type="text"></form>
> > >       """
> > >
> > >def checkpass():
> > >    filepass=x.readline() # The password in the file is already digested.
> > >    userpass=md5.new(form.getfirst("pass")).digest()
> > >    if filepass==userpass:
> > >        print "OK, come in."
> > >    else:
> > >        print "Wrong password, try again!"
> > >
> > >printhtml()
> > >if form.has_key("pass"):
> > >    checkpass()
> > >x.close()
> > >
> > Well, instead of checking the password, I would print the hashed
> > value and the unhashed value to the page so that you can inspect it
> > with the password file.
> > 
> > Generally when I'm trying to figure out problems like this I print
> > everything out so that it can be inspected.  This helps a lot with
> > debugging.
> > 
> 
> Actually I did that, but didn't think you would need it...
> Here is the file content:  \xc8\xff\xe9\xa5\x87\xb1&\xf1R\xed=\x89\xa1F\xb4E
> And here is the user password after digestion (in UTF-8 encoding):
> ��饇�&�R�=��F�E
> 
> Thanks!
-- 
Lloyd Kvam
Venix Corp
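The two points above (the trailing newline left by readline(), and a secret seed mixed into the digest) as an added worked example, not code from the thread. It is written for Python 3 with hashlib, reads the password file in binary mode and uses an in-memory BytesIO stand-in for pass.txt; the seed, the sample password and the file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import io

DIGEST_LEN = hashlib.md5().digest_size  # 16 bytes for an MD5 digest


def read_stored_digest(fileobj):
    """Return the first 16 bytes of the line, dropping the trailing newline.

    Slicing is safer than rstrip() here: a raw binary digest can itself end
    in 0x0a or 0x0d, and rstrip() would eat those bytes and corrupt it.
    """
    return fileobj.readline()[:DIGEST_LEN]


def check_password_naive(fileobj, userpass):
    # Reproduces the original script: readline() keeps the trailing b"\n",
    # so a 17-byte line never equals a 16-byte digest.
    return fileobj.readline() == hashlib.md5(userpass).digest()


def check_password(fileobj, userpass):
    # Truncate to the digest length, then compare in constant time.
    stored = read_stored_digest(fileobj)
    return hmac.compare_digest(stored, hashlib.md5(userpass).digest())


def seeded_digest(seed, userpass):
    # Secret seed combined with the password before digesting, so a stolen
    # pass.txt alone cannot be attacked with a plain MD5 dictionary.
    return hashlib.md5(seed + userpass).digest()


def check_seeded_password(fileobj, seed, userpass):
    stored = read_stored_digest(fileobj)
    return hmac.compare_digest(stored, seeded_digest(seed, userpass))


# Constructed sample data standing in for pass.txt (digest + newline).
PASSWORD = b"secret"
SEED = b"constructed-secret-seed"
PLAIN_FILE = hashlib.md5(PASSWORD).digest() + b"\n"
SEEDED_FILE = seeded_digest(SEED, PASSWORD) + b"\n"
# Constructed digest whose last byte is 0x0a, to show why [:16] beats rstrip().
NEWLINE_ENDING_DIGEST = b"\x00" * 15 + b"\n"
```

Because readline() stops at the first 0x0a byte, a raw digest containing one is also cut short; storing hexdigest() instead of the raw bytes avoids that class of problem entirely.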