Need help in .cgi

[Walker1]

There is a website (.cgi file) which requires a number to login.

Once we login to the site, the contents are displayed.

Can we create a new URL that automatically logs in that site so that we need not log in with the number every time we visit the website.


In the Source code of the .cgi file, this is found

<FORM ACTION="Verify.cfm?requesttimeout=500" METHOD="post">
<SPAN CLASS="mem">Number</SPAN><BR>
<INPUT TYPE="password" NAME="No" REQUIRED="Yes" SIZE="16" MAXLENGTH="25" TABINDEX="1"><BR>
<INPUT TYPE="submit" VALUE=" Login " tabindex="2">
</FORM>


Thanks in advance.

[jwzumwalt]

If you are asking as a user, the programmer probably has the login set a variable. This is all the "junk" that appears in the address line of your browser after & sign. Right now my browser is showing

*URL*.com/webmaster_help_desk/newreply.php?do=newreply&noquote=1&p=33567

In this example, the variables are
do=newreply
noquote=1
p=33567

The programmer has the option of telling the Apache html server to hide some or all of the values. So, there may be a hidden value such as "login=verified" that must be set or the cgi program will not process the request.

So the answer is: the user may be able to access the directory if the programmer did not deliberately hide variables.

The programmer may deliberately keep a user from being able. If thats the case, the user will not be able to thwart the security.

There are other ways of concealing authorization such as using cookies, but the use of hidden variables as a "key" that the user can not access is the most common.

On my own site, I use a combination of techniques. I have certain directories that only I use and they are hidden from a directory listing. But, if you knew the directory name, you would go right in. Other directories require a validation process and need a hidden key variable to be set when the browser attempts to enter the directory.

It is a common practice to have a directory named ".private" be accessible but not show in directory listings. Directories starting with a dot are not normally shown.

I hope this helps. - JZ

[jthayne]

Yes you can. I have done something similar using PHP and cURL for a site that I frequently go to.

What you will need to do is, using cURL, submit the password using POST to the URL: "Verify.cfm?requesttimeout=500". The response that comes back from the server will be the web page you are wanting to view.

As jwzumwalt said, though, the programmer can block attempts to login via a remote locations or even a different script.

One word of warning: If you are going to do this, and there is potentionally any sensitive information on the other site, make sure the page is very difficult to get ot if you do not know it is there.

If you need more assistance, let us know what questions you have.

Good luck,
Joseph