#1 Junior Member, Detroit, MI (joined Apr 2002)

Designing an I.P. tracker using Perl & Javascript, but not using SSI


    Hello all,

I've designed a program in Perl that keeps track of users' IP/browser/version#/date-time... and I was wondering what is the best and safest method of transmitting the data.

    Once again, no SSI installed, so I can't just call #exec

Right now, I'm simply using Javascript to create an image with the SRC="blah.blah.com/cgi-bin/script.pl?yada+yada+yada" with all the variables, and I have it working fine. However, I have to either make the program return an image or use the Javascript to remove the image after the page loads.

It works as an I.P. tracker and it's simple, but I was wondering how safe it is. Does anyone out there know the preferred method of calling a CGI program (including passing variables) w/o a form button and w/o SSI?

    Thanks in advance,
    -Carl
#2 11 (Devshed Demi-God, Lynn, MA, joined Jul 2001)
    So you've written a web/email bug. Great.

    Typically, folks use a single transparent pixel as the image.
#3 Junior Member, Detroit, MI
Cool. I didn't know that's what it was called. I will try to make it return a single pixel as you've described. I guess I was more concerned that someone could somehow send malicious info through the CGI to the server.

    Thank you much for your help.
#4 11 (Devshed Demi-God, Lynn, MA)
BTW, web bugs are severely abused by spammers: they can use them to check whether or not you've opened an email message by sending an HTML message. I hate them, generally.

    Just because you're using an image, doesn't mean your CGI is safe. Folks can still pass whatever parameters they want to your script. Basically, if any user-supplied data gets anywhere near a shell command or is used to create a filename, you HAVE to "untaint" it to make sure it's what you expect it to be. You should be using taint mode (put a -T in your shebang line) AT ALL TIMES for any CGI scripts. It's just good practice.

    Do a google search for "perl CGI taint" and read the course at the link below. It's one of the few clueful CGI tutorials out there.

    http://www.easystreet.com/~ovid/cgi_course/
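The advice above (taint mode on, every user-supplied value untainted against an explicit pattern before it goes anywhere near a filename, and a single transparent pixel as the response) in one script. This is an added example, not the original poster's tracker: it assumes a Unix-style server that honours the shebang line (on IIS, taint mode is turned on through the file association as the FAQ quoted later in this thread describes) and a hypothetical log path `/var/log/webbug.log`.

```perl
#!/usr/bin/perl -wT
# Added example (not the poster's script): a web-bug logger that runs under
# taint mode, untaints each field with an explicit pattern, and answers with
# a 1x1 transparent GIF so the <img> tag renders nothing visible.
use strict;
use warnings;

# Taint mode refuses to run external commands with an untrusted PATH, so
# pin it even though this script never shells out.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $LOGFILE = '/var/log/webbug.log';   # hypothetical path, never user data

# Untaint one value: return it only if it matches the whitelist pattern,
# otherwise return a fallback. Copying the captured group ($1) out of the
# match is what clears the taint flag.
sub untaint {
    my ($value, $pattern, $fallback) = @_;
    return $fallback unless defined $value;
    return $value =~ /^($pattern)$/ ? $1 : $fallback;
}

# Only accept what a dotted-quad address can look like.
my $ip = untaint($ENV{REMOTE_ADDR}, qr/\d{1,3}(?:\.\d{1,3}){3}/, '0.0.0.0');
# Browser strings are free-form: restrict to printable ASCII and cap length.
my $ua = untaint($ENV{HTTP_USER_AGENT}, qr/[\x20-\x7e]{1,200}/, 'unknown');
# The query string built by the page's JavaScript gets the same treatment.
my $qs = untaint($ENV{QUERY_STRING}, qr/[\w+.%=&-]{0,200}/, '');

my @t = gmtime();
my $stamp = sprintf '%04d-%02d-%02dT%02d:%02d:%02dZ',
    $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0];

# Append one tab-separated line; the filename is a constant, so taint mode
# is satisfied and a request can never choose where the log goes.
if (open my $fh, '>>', $LOGFILE) {
    print {$fh} join("\t", $stamp, $ip, $ua, $qs), "\n";
    close $fh;
}

# 43-byte transparent 1x1 GIF, emitted as the response body.
my $gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
        . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
        . "\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
binmode STDOUT;
print "Content-type: image/gif\r\nCache-Control: no-cache\r\n\r\n", $gif;
```

Because the whole value must match the pattern, a query string carrying shell metacharacters or path separators is replaced by the fallback rather than logged, and the log line itself never decides a filename or command.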
#5 Junior Member, Detroit, MI

    Thanks... that was my concern exactly.


    Thanks a bunch, that was exactly my concern. I will check out the course you've provided, and read up more on security issues.

    thanks again!
#6 Junior Member, Detroit, MI

    Ok.. I'm on the right track now, BUT


    Ok, so I spent the day reading all about taint, untainting data, and the use of strict... pattern matching... etc. and it all makes sense and I plan on implementing it all.

However, now it seems that I can't figure out why my script is not working. So I tried a simple script:

Code:
#!D:/perl/bin/perl.exe -wT
print "Content-type: text/html\n\n";

When I add the "T" to have it turn on taint checking, it gives me a server error. Also, if I happen to add

Code:
use strict;

it also does not run. I tried to use...

Code:
use CGI::Carp('fatalsToBrowser');

but this seems to be a different problem... the error message is just "Server Error", not even the typical 500 error I've seen before.

    Any ideas?
#7 Junior Member, Detroit, MI

    Nm, I've found it I think...


    I stumbled upon this...

    How do I activate taint mode on non-UNIX servers?

    CGI Scripts running on non-UNIX Servers typically do not recognize the magical #!/usr/local/bin/perl first line of the script. Instead, the web server knows what language to execute the server with because of an operating system or web server configuration variable.

    For example, for IIS on NT, you should change the association of Perl scripts to run with taint mode on. Unfortunately, this changes the association for ALL your Perl scripts which you may not want.

    A more reasonable way is to get around the problem by creating a second extension under NT such as tcgi or tgi and associate it with taint mode Perl. Then, rename the scripts with the new extension to activate taint mode on them.

You could also try using another web server that understands the first line of scripts. For example, SAMBAR v4.1, a freeware NT web server, can be configured to run the script based on the first line of the CGI script. In this case, you would change the first line to read something like the following:

Code:
#!c:\perl\bin\perl.exe -T

Now I guess I'll have to talk to my system admin, who doesn't know anything about Perl.

    Still don't understand why
    use strict;
    would cause problems, but oh well.

    Thanks.
#8 11 (Devshed Demi-God, Lynn, MA)
When you "use strict;" it requires you to declare variables as global (bad) or local to your scope (good, with "my") before you use them.

    "But wait!" you say. "I thought one of the cool things about perl was that you DIDN'T have to do this!".

Yes and no. Declaring variables is a godsend for debugging. For instance, can you tell if
    Code:
    $eleet="foo";
    is different than
    Code:
    $e1eet="foo";
Maybe. Strict can, and that's its major benefit: it catches all misspelled variable names, and makes you keep better track of WHAT you're using and how.

Read up on strict. I can't really help you a whole lot with Windows (except that Perl code will mostly run unchanged on pretty much any platform), simply because I avoid using it as a server platform whenever I possibly can.
#9 Junior Member, Detroit, MI
    Yeah, I see that strict is really useful. Thanks again for all the help & pointers.

Believe me, Windows is NOT my choice as a platform. I'm kinda stuck with it in this situation, however.

    Thanks again!
