#1 Junior Member (Devshed Newbie), joined Mar 2000, 7 posts
    I'm currently working on a script which presents search results from a SQL database, and it works great. Anyone got a tip for me on where to find more about security issues?
    I'd like to know more about known ways to abuse CGI scripts, known ways to abuse Perl scripts in general, and ways to prevent this.
    My scripts will run on a fairly secured Apache server, but I'm not the hostmaster, so there's not much for me to do there; still, I'd like to make my scripts secure if there is a way.
#2 .Net Developer (Devshed Novice), London, joined Feb 2000, 987 posts
    The first step in preventing your script from being abused is to upload your script only into the CGI-BIN directory...

    The second step is to filter the entries of the user...

    The third and final step is to make sure that the script is only able to run from your server.

    The best way to find this out is to check that the HTTP_REFERER environment variable = your host address.

    If you search for some articles about security issues, you may find some important information.
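One way to write the HTTP_REFERER check from the third step above, as an added example rather than the poster's own code; the accepted host names are assumed. Keep in mind that the Referer header is sent by the client and can be set to anything by a hand-made request, so this only stops other sites' forms from posting to the script by accident; it does not stop a deliberate attacker.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a Referer check of the kind the
# post above recommends, written as a function so it can be exercised.
# CAVEAT: HTTP_REFERER is supplied by the client. A browser sends it, but
# anyone scripting requests can set it to anything, so this only stops
# casual cross-site posting; it is not an authentication control.
use strict;
use warnings;

# Returns true when the Referer URL points at one of the hosts we serve from.
# $referer is the raw HTTP_REFERER header, @hosts are the host names we
# accept (the names below are assumed example names).
sub referer_is_local {
    my ($referer, @hosts) = @_;
    return 0 unless defined $referer && length $referer;
    # Pull the host out of http://host[:port]/path. The host class excludes
    # '/', '@' and '?', so "http://www.example.com@evil.test/" and
    # "http://evil.test/?u=http://www.example.com/" both fail the match.
    my ($host) = $referer =~ m{^https?://([A-Za-z0-9.-]+)(?::\d+)?(?:/|$)}i
        or return 0;
    $host = lc $host;
    return scalar grep { lc($_) eq $host } @hosts;   # exact match only
}

# Constructed test values; in a real CGI script pass $ENV{HTTP_REFERER}.
my @ok = ('www.example.com', 'example.com');
for my $r ('http://www.example.com/search.html',
           'http://WWW.EXAMPLE.COM:8080/form.html',   # case and port ignored
           'http://www.example.com.evil.test/',       # prefix trick must fail
           'http://www.example.com@evil.test/',       # userinfo trick must fail
           'http://evil.test/?u=http://www.example.com/',
           '',                                        # empty header
           undef) {                                   # header not sent at all
    printf "%-50s %s\n", defined $r ? $r : '(undef)',
        referer_is_local($r, @ok) ? 'accept' : 'reject';
}
```

Only the first two lines print "accept". Because the check matches the whole host name exactly instead of looking for your host name somewhere inside the header, look-alike domains and URLs that merely mention your host are rejected.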





#3 Junior Member (Devshed Newbie), joined Mar 2000, 7 posts
    Thank you for helping me out.

    You don't happen to have a decent URL or a FAQ where I could read more about security? I find security somewhat tricky...

#4 Registered User (Devshed Newbie), joined May 1999, 2 posts
    Hello there,

    You may want to take a look at the following URL:
    http://www.freeperlcode.com/info/Security/

    There are a few good links there about CGI security. The best piece of info I got from that is: ALWAYS check user input. For example, if you have an HTML form with a hidden form field, it doesn't mean the value of that hidden field is going to stay the same when it gets submitted to the CGI script. Or if you have a select box, it doesn't mean the script is going to get one of the values of the select box.

    Hope that helps,
    Mike
#5 Junior Member (Devshed Newbie), joined Mar 2000, 7 posts
    Does this mean that if I have a form that uses the GET method, the code could be replaced?
    I didn't think that was possible, since I define the variables in the script, like:
    $query = CGI->new();
    $name = $query->param('name');
    I like using CGI.pm since it handles a lot of things for me very smoothly, but I've never considered security to be an issue, not with CGI.pm. Should I reconsider?
#6 Junior Member (Devshed Newbie), joined Apr 2000, 1 post
    No need to reconsider using CGI.pm; it's a very good module, although you should be wary of a few things:
    check $name for the main security holes,
    a backslash ` and the pipe character |.
    These two might allow people to execute system commands, so if the CGI parameter contains these, quit out or reset the page indicating that you shouldn't use these
    (there's no reason why you would need them in forms anyway).
    There are other things, but I can't think of them off the top of my head.

    [This message has been edited by KenByrne (edited April 04, 2000).]
#7 Junior Member (Devshed Newbie), joined Mar 2000, 7 posts
    Can I check for ` and | in $name with an
    if ($name eq "`") { die "n" } elsif ($name eq "|") { die "n" }
    in the script, or how do I write it? I'm not sure I quite understand what someone might do with | or ` since I use $name for calling different subroutines. Something like:
    if ($name eq "year") { &year }
    if ($name eq "author") { &author }
    and if the script gets something else, it's supposed to display a page with an error message, or can someone fool the script anyway? (Getting confused here)


    *Learning about security right away would have been a great idea*
#8 .Net Developer (Devshed Novice), London, joined Feb 2000, 987 posts
    Hi,

    you can check for weird characters in Perl very easily.

    Use the substitution operator or the transliteration operator to remove a particular character from the input.

    Let us say the user entered ` or | into the name field. You may remove that from the field using the substitution operator:

    $name =~ s/`/ /g;    # every backtick, not only the first one (the /g)
    $name =~ s/\|/ /g;   # | must be escaped inside a regex; unescaped it means "or" and nothing gets removed

    See the Regular Expressions topics in Perl for some good information...

    ------------------
    SR -
    shiju.dreamcenter.net

    [This message has been edited by Shiju Rajan (edited April 11, 2000).]
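The check discussed in posts #4 through #8, as an added example that is not code from anyone in this thread: it puts the substitution idea from the post above beside an allow-list lookup of the kind the dispatch code in #7 already does, and runs both over a few constructed inputs. The handlers year and author are stand-ins for the poster's &year and &author subroutines; the character list, length limit and sample inputs are my own choices for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. It shows the two approaches
# discussed in posts #4 to #8: stripping dangerous characters out of
# $name versus only accepting values the script actually knows.
use strict;
use warnings;

# --- Approach 1: strip shell metacharacters (the substitution idea) -------
# Note the backslash on the pipe: an unescaped | inside a regex means "or",
# so s/|/ / matches the empty string and never removes a pipe.  Newline is
# in the class too, because /bin/sh treats it as a command separator.
sub strip_shell_chars {
    my ($s) = @_;
    $s =~ s/[`|;&<>\$\\\n]//g;   # remove each of these, everywhere (the /g)
    return $s;
}

# --- Approach 2: allow-list and dispatch table ---------------------------
# The script in post #7 only ever calls &year or &author, so the safest
# check is to look $name up in a table of the names it knows and reject
# everything else, before the value is used anywhere.
my %handler = (
    year   => sub { "results by year" },     # stand-ins for &year / &author
    author => sub { "results by author" },
);

sub dispatch {
    my ($name) = @_;
    # \z rather than $ so "author\n" does not slip past; the length cap is
    # an assumed sanity limit.
    return "error page: unknown search type"
        unless defined $name && $name =~ /\A[a-z]{1,20}\z/ && $handler{$name};
    return $handler{$name}->();
}

# Constructed inputs, as they might arrive in ?name=... via CGI.pm's param().
# The eq comparisons in post #7 are already safe for all of them; the danger
# begins when $name reaches open(), system() or a backtick expression,
# which hand the string to /bin/sh, where | ; ` and friends mean something.
for my $name ('year', 'author',
              'author|mail attacker@example.test < /etc/passwd',
              "year\n", '`id`', 'year ') {
    (my $shown = $name) =~ s/\n/\\n/g;   # make the newline visible
    printf "%-50s strip=[%s] dispatch=%s\n",
        $shown, strip_shell_chars($name), dispatch($name);
}
```

Stripping removes the metacharacters but still leaves strings like "authormail attacker@example.test  /etc/passwd" that the script would then have to validate anyway, which is why the allow-list is the check to keep: it decides what is permitted instead of guessing what is dangerous.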
#9 Junior Member (Devshed Newbie), joined Mar 2000, 7 posts
    Thanks!
    That didn't sound complicated at all.

    Do I have to do this every time I use $name, or is it enough to do it once at the beginning of the script?
#10 Contributing User (Devshed Newbie), joined Jul 1999, 33 posts
    man perlsec (assuming you're using Unix of some flavour)

    and have a look at the FAQs on www.perl.com... you know it makes sense.
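What perlsec's taint mode does with a value like the $name in this thread, as an added example that is not code from the post: under -T, Perl marks everything that arrived from outside the script and refuses to pass it to the shell or the filesystem until you have explicitly extracted the part you checked. The script name, the identifier pattern and the PATH value are my choices; run it as perl -T taint_demo.pl 'author|ls' and then with a clean argument.

```perl
#!/usr/bin/perl -T
# Added example illustrating the perlsec advice in the post above; not
# code from the thread.  Run as:  perl -T taint_demo.pl 'author|ls'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value that came from outside (%ENV, @ARGV, CGI.pm
# parameters, file input) is tainted, and perl dies rather than pass it to
# open(), system(), exec(), backticks or unlink().  perlsec also says to
# fix up the environment before any such call, because the shell reads it.
$ENV{PATH} = '/bin:/usr/bin';                 # assumed safe PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way to untaint is a regex capture of the part you have checked.
# Returns undef when the value is not an identifier we allow, so the caller
# never gets a "cleaned" copy of bad input, only a refusal.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($clean) = $raw =~ /\A([a-z]{1,20})\z/ or return undef;
    return $clean;   # $clean is untainted; $raw stays tainted
}

my $raw   = @ARGV ? $ARGV[0] : 'year';   # a literal in the script is not tainted
my $clean = untaint_name($raw);

printf "raw   = [%s] tainted=%d\n", $raw, tainted($raw) ? 1 : 0;
printf "clean = [%s] tainted=%d\n", defined $clean ? $clean : 'REJECTED',
       defined $clean && tainted($clean) ? 1 : 0;

# With the CGI.pm code from post #5 the same applies to $query->param('name'):
# use only the untainted copy for anything that touches the shell or files,
# and keep the check where the value enters the script, not at every use.
```

With 'author|ls' the output shows raw tainted=1 and clean REJECTED; with 'author' the clean copy reports tainted=0. This also answers the question in #9: do the check once, where the value comes in, and use only the checked copy afterwards.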
