April 5th, 2002, 09:48 AM
I've designed a program in Perl that keeps track of users' IP/browser/version#/date-time... and I was wondering what is the best and safest method of transmitting the data.
Once again, no SSI installed, so I can't just call #exec
It works as an IP tracker and it's simple, but I was wondering how safe it is? Does anyone out there know the preferred method of calling a CGI program (including passing variables) w/o a form button and w/o SSI?
Thanks in advance,
April 5th, 2002, 10:13 AM
So you've written a web/email bug. Great.
Typically, folks use a single transparent pixel as the image.
April 5th, 2002, 10:26 AM
Cool. I didn't know that's what it was called. I will try to make it return a single pixel as you've described. I guess I was more concerned that someone could somehow send malicious info through the CGI to the server.
Thank you much for your help.
April 5th, 2002, 10:38 AM
BTW, web bugs are severely abused by spammers: they can use them to check whether or not you've opened an email message by sending an HTML message. I hate them, generally.
Just because you're using an image, doesn't mean your CGI is safe. Folks can still pass whatever parameters they want to your script. Basically, if any user-supplied data gets anywhere near a shell command or is used to create a filename, you HAVE to "untaint" it to make sure it's what you expect it to be. You should be using taint mode (put a -T in your shebang line) AT ALL TIMES for any CGI scripts. It's just good practice.
Do a google search for "perl CGI taint" and read the course at the link below. It's one of the few clueful CGI tutorials out there.
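An added example (not the original poster's script, and not code from the course linked above) of what this reply describes: a tracking-pixel CGI that runs under taint mode, untaints every value with a regex capture before it reaches a filename or a log line, and answers with a single transparent GIF. The log directory, the query parameter name `c` and the tab-separated log format are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's script: a tracking-pixel CGI
# under taint mode. Everything from %ENV (QUERY_STRING, REMOTE_ADDR,
# HTTP_USER_AGENT, ...) is tainted, so it is untainted by regex capture
# before it is used in a filename or written to the log.
use strict;
use warnings;

# Taint mode refuses to spawn subprocesses with an untrusted PATH; set a
# known one and drop the variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed log location; must be writable by the web server's user.
my $LOG_DIR = '/var/www/track';

# A 1x1 transparent GIF (42 bytes): the "single transparent pixel".
my $PIXEL = pack 'H*', join '',
    '474946383961', '010001008000', '00000000ffff', 'ff21f9040100',
    '0000002c0000', '000001000100', '00020144003b';

# Untaint helpers. A regex capture is what clears the taint flag, so each
# helper returns the capture or a safe default, never the raw input.
sub clean_id {                      # goes into a filename: very strict
    my ($v) = @_;
    return (defined $v && $v =~ /\A([A-Za-z0-9_-]{1,32})\z/) ? $1 : 'unknown';
}
sub clean_ip {                      # dotted-quad IPv4 only
    my ($v) = @_;
    return (defined $v && $v =~ /\A(\d{1,3}(?:\.\d{1,3}){3})\z/) ? $1 : '0.0.0.0';
}
sub clean_text {                    # free text: printable ASCII, no CR/LF, capped
    my ($v) = @_;
    return '' unless defined $v;
    return join '', substr($v, 0, 200) =~ /([\x20-\x7e])/g;
}

# Minimal query-string parser (CGI.pm would do as well); the parsed values
# are still tainted, whichever way they were parsed.
sub parse_query {
    my ($qs) = @_;
    my %q;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        for ($k, $v) {
            next unless defined $_;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $q{$k} = $v;
    }
    return \%q;
}

my $q        = parse_query($ENV{QUERY_STRING});
my $campaign = clean_id($q->{c});          # assumed parameter: c=<campaign id>
my $ip       = clean_ip($ENV{REMOTE_ADDR});
my $ua       = clean_text($ENV{HTTP_USER_AGENT});
my $ref      = clean_text($ENV{HTTP_REFERER});

# Only untainted values are interpolated into the path and the log line.
# With the raw $q->{c} in the path, -T would abort the open with
# "Insecure dependency in open while running with -T switch".
my @t = gmtime;
my $stamp = sprintf '%04d-%02d-%02dT%02d:%02d:%02dZ',
    $t[5] + 1900, $t[4] + 1, $t[3], $t[2], $t[1], $t[0];
if (open my $log, '>>', "$LOG_DIR/$campaign.log") {
    print {$log} join("\t", $stamp, $ip, $ua, $ref), "\n";
    close $log;
}
# A missing or unwritable log must not turn into an error page: the
# visitor always gets the pixel.

binmode STDOUT;
print "Content-Type: image/gif\r\n",
      "Cache-Control: no-store, max-age=0\r\n",
      "Content-Length: ", length($PIXEL), "\r\n\r\n",
      $PIXEL;
```

Two things worth knowing when deploying this. Taint checks only fire when tainted data reaches something that touches the system (open, unlink, system, backticks, and so on); printing tainted data back to the client is allowed, so the untainting above is what protects the filesystem, not the output. And the `-T` on the shebang line only takes effect if that line is honoured: a server that launches `perl script.pl` without `-T` and then reads `-T` from the shebang stops immediately with `Too late for "-T" option`, so on such a server the flag has to be given on the command line or in the file association instead.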
April 5th, 2002, 10:47 AM
Thanks... that was my concern exactly.
Thanks a bunch, that was exactly my concern. I will check out the course you've provided, and read up more on security issues.
April 5th, 2002, 02:10 PM
Ok.. I'm on the right track now, BUT
Ok, so I spent the day reading all about taint, untainting data, and the use of strict... pattern matching... etc. and it all makes sense and I plan on implementing it all.
However, now it seems that I can't figure out why my script is not working. So I tried a simple script:
When I add the "T" to have it turn on taint checking, it gives me a server error. Also, if I happen to
it also does not run. I tried to use...
but this seems to be a different problem... the error message is just "Server Error", not even the typical 500 error I've seen before.
April 5th, 2002, 02:40 PM
Nm, I've found it I think...
I stumbled upon this...
How do I activate taint mode on non-UNIX servers?
CGI Scripts running on non-UNIX Servers typically do not recognize the magical #!/usr/local/bin/perl first line of the script. Instead, the web server knows what language to execute the server with because of an operating system or web server configuration variable.
For example, for IIS on NT, you should change the association of Perl scripts to run with taint mode on. Unfortunately, this changes the association for ALL your Perl scripts which you may not want.
A more reasonable way is to get around the problem by creating a second extension under NT such as tcgi or tgi and associate it with taint mode Perl. Then, rename the scripts with the new extension to activate taint mode on them.
You could also try using another web server that understands the first line of scripts. For example, SAMBAR v4.1, a freeware NT web server, can be configured to run the script based on the first line of the cgi script. In this case, you would change the first line to read something like the following:
Now I guess I'll have to talk to my system admin, who doesn't know anything about Perl.
Still don't understand why
would cause problems, but oh well.
April 5th, 2002, 02:55 PM
When you "use strict;" it requires you to declare variables as global (bad) or local to your scope (good, with "my") before you use them.
"But wait!" you say. "I thought one of the cool things about perl was that you DIDN'T have to do this!".
Yes and no. Declaring variables is a godsend for debugging. For instance, can you tell if
is different than
Maybe. Strict can, and that's its major benefit: it catches all misspelled variable names, and makes you keep better track of WHAT you're using and how.
Read up on strict. I can't really help you a whole lot with windows, (except that perl code will mostly run unchanged on pretty much any platform) simply because I avoid using it as a server platform when I possibly can.
April 5th, 2002, 03:02 PM
Yeah, I see that strict is really useful. Thanks again for all the help & pointers.
Believe me, windows is NOT my choice as a platform. I'm kinda stuck with it in this situation, however.