
Re: [cobalt-security] SSL on Cobalt Qube3



The file /usr/sausalito/ui/web/login.php needs to be edited. I logged in as root using ssh, then used vi to edit it.

Look for the line,

    $secure = "";

and change it to

    $secure = "CHECKED";

All this really does is make the Secure Connect checkbox have a check mark in it.

Then look for the following code,

    function _form_onSubmit(e) {
        this.timeStamp.value = (new Date()).getTime();
        if(this.secure.checked)
            this.action = 'https://'+location.hostname+':81/loginHandler.php';
        else
            this.action = 'http://'+location.hostname+':80/loginHandler.php';
        return true
    }

and change it to,

    function _form_onSubmit(e) {
        this.timeStamp.value = (new Date()).getTime();
        if(this.secure.checked)
            this.action = 'https://'+location.hostname+':81/loginHandler.php';
        else
            // unchecked box now also posts to the SSL port
            this.action = 'https://'+location.hostname+':81/loginHandler.php';
        return true
    }

Note: the only change is to the command after the else statement: change http to https and 80 to 81.

I haven't tried entering http://'+location.hostname+':80/loginHandler.php directly into the browser to see if that would bypass SSL, but I don't think it will, as loginHandler.php uses input from login.php.

I'm still working on making login.php only available through SSL, but haven't had time to get that far yet. I'll post that once I've got it - hope this helps and sorry if there was a misunderstanding re. this. My goal is to make this server only work with SSL and not with generic http.

On Sun, 2003-05-25 at 05:44, H.P. Noordam wrote:
> 
> Also, in case anyone is interested, I was able to modify the admin GUI 
> so that it always requires SSL. It just required two changes to the 
> login.php script.
> 

interested !

Bob.




--
Hugh Taylor <hrtlist@xxxxxxxxxxxx>
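
An added example, not part of the original post or the Cobalt code: a small Node.js check that scans page script for form action assignments that do not use https, run over constructed copies of the handler before and after the edit described above. The function name and sample strings are assumptions for illustration; it audits only where the page submits to, not what the server accepts on port 80.

```javascript
// Constructed sample: the handler as quoted in the post, before the edit.
const BEFORE = `function _form_onSubmit(e) {
  this.timeStamp.value = (new Date()).getTime();
  if(this.secure.checked)
    this.action = 'https://'+location.hostname+':81/loginHandler.php';
  else
    this.action = 'http://'+location.hostname+':80/loginHandler.php';
  return true
}`;
// Constructed sample: the same handler after the edit (else branch -> https, port 81).
const AFTER = BEFORE.replace("'http://'", "'https://'").replace("':80/", "':81/");

// Hypothetical helper: report every ".action = ..." assignment whose
// target does not start with an explicit https:// scheme.
function findInsecureFormActions(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    // Match assignments only, not "==" comparisons.
    const m = /\.action\s*=(?!=)\s*(.+?);?\s*$/.exec(text);
    if (!m) return;
    // String literals on the right-hand side, in order of appearance.
    const literals = [...m[1].matchAll(/(['"])(.*?)\1/g)].map(x => x[2]);
    const scheme = (/^([a-z][a-z0-9+.-]*):\/\//i.exec(literals[0] || "") || [])[1];
    const port = (/:(\d+)\//.exec(literals.join("")) || [])[1];
    // A missing scheme is flagged too: the target then depends on the
    // scheme of the page that served the form.
    if (!scheme || scheme.toLowerCase() !== "https") {
      findings.push({
        line: i + 1,
        scheme: scheme || null,
        port: port ? Number(port) : null,
      });
    }
  });
  return findings;
}

console.log("before:", findInsecureFormActions(BEFORE));
console.log("after: ", findInsecureFormActions(AFTER));
```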