#1
I'm currently working on a script which is presenting search results from a SQL database, and it works great. Anyone got a tip for me where to find more about security issues?
I'd like to know more about known ways to abuse cgi-scripts, known ways to abuse perl-scripts in general and ways to prevent this. My scripts will run on a fairly secured Apache server, but I'm not the hostmaster so there's nothing much for me to do there, but I'd like to make my scripts secure if there is a way.

#2
The first step in preventing your script from being abused is to upload your script only in the CGI-BIN directory. The second step is to filter the entries of the user. The third and final step is to make sure that the script is only able to run from your server; the best way to find out this is to check the HTTP_REFERER environment variable = your host address. If you search for some articles about security issues, you may find out some important information..

#3
Thank you for helping me out. You don't happen to have a decent URL or a FAQ I could read more about security in? I find security somewhat tricky...

#4
Hello there, You may want to take a look at the following URL: http://www.freeperlcode.com/info/Security/ There's a few good links there about CGI security. Best piece of info I got from that is, ALWAYS check user input. For example, if you have an HTML form with a hidden form field, it doesn't mean the value of that hidden field is going to stay the same when it gets submitted to the CGI script. Or if you have a select box, it doesn't mean the script is going to get one of the values of the select box. Hope that helps, Mike

#5
Does this mean that if I have a form that uses the get-method, the code could be replaced?
I didn't think that was possible, since I define the variables in the script, like: $query = CGI::new(); $name = $query->param('name'); I like using CGI.pm since it handles a lot of things for me very smoothly, but I've never considered the security to be an issue, not with CGI.pm. Should I reconsider?

#6
No need to reconsider using CGI.pm, it's a very good module, although you should be wary of a few things:
check $name for the main security holes.. a backslash ` and the pipe character |. These two might allow people to execute system commands, so if the cgi parameter contains these, quit out or reset the page indicating that you shouldn't use these (there's no reason why you would need them in forms anyway). There are other things but I can't think of them off the top of my head. [This message has been edited by KenByrne (edited April 04, 2000).]

#7
Can I check for ` and | in $name with an
if ($name eq "`") { die "n" } elsif ($name eq "|") { die "n" } in the script, or how do I write it? I'm not sure I quite understand what someone might do with | or ` since I use $name for calling different subroutines. Something like: if ($name eq "year") { &year } if ($name eq "author") { &author } and if the script gets something else, it's supposed to display a page with an error message, or can someone fool the script anyway? (Getting confused here) *learning about security right away would have been a great idea*

#8
Hi,
you can check weird characters in Perl very easily. Use the substitution operator or the translation operator for removing a particular character from the input. Let us say the user entered ` or | into the name field. You may remove that from the field using the substitution operator: $name =~ s/`/ /g; $name =~ s/\|/ /g; See the Regular Expressions topics in Perl for getting some good information...
SR - shiju.dreamcenter.net [This message has been edited by Shiju Rajan (edited April 11, 2000).]

#9
Thanks!
That didn't sound complicated at all. Do I have to do this every time I use $name, or is it enough to do it once at the beginning of the script?

#10
man perlsec (assuming you're using unix of some flavour)
and have a look at the FAQs on www.perl.com... you know it makes sense.
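An added example, not code from anyone in this thread, putting the replies from #6 to #10 together: instead of stripping ` and | one character at a time (note that s/|/ /, with no backslash before the pipe, matches the empty string and leaves the | in place), the script accepts only the exact parameter values it knows and runs under taint mode as described in perlsec. The handler names year and author are the ones from post #7; the dispatch table and the validate_name routine are my own assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Run as "perl -T script.pl" or via
# the shebang; taint mode (-T, see perlsec) refuses to pass unchecked
# client data to system(), open() and friends until a regex capture
# has untainted it.
use strict;
use warnings;
use CGI;

# Allowlist: the only search types a client may ask for. A symbolic call
# such as &$name would let any parameter value name a subroutine, so the
# lookup goes through this table instead.
my %handlers = (
    year   => \&year,
    author => \&author,
);

# Returns the validated name, or undef when the input is not exactly one
# of the allowed values. Because the value is taken from a capture group,
# the returned string is also untainted.
sub validate_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A(year|author)\z/;
    return undef;    # "year|ls", "`id`", "", tampered hidden fields, ...
}

sub year   { return "results sorted by year\n"; }
sub author { return "results sorted by author\n"; }

# scalar context: CGI.pm's param() returns a list otherwise.
my $q    = CGI->new;
my $name = validate_name( scalar $q->param('name') );

print $q->header('text/plain');
if ( defined $name ) {
    print $handlers{$name}->();
} else {
    # Nothing from the client is echoed back in the error page.
    print "unknown search type\n";
}
```

Because the check is done once, where the parameter is read, and everything after it works from the validated copy, there is no need to repeat the substitution each time $name is used.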
Dev Shed Forums > Programming Languages > Perl Programming > Security issues using Perl