CGI/Perl Guide | Learning Center | Forums | Advertise | Login
Site Search: in

  Main Index MAIN
Search Posts SEARCH
Who's Online WHO'S
Log in LOG

Home: Perl Programming Help: Intermediate:



Nov 18, 2001, 2:56 PM

Post #1 of 2 (465 views)
Abuse Can't Post


I've had a lot of problems lately with someone who abused my script. I've been trying to ban him by using his real IP address but he started accessing my script via the proxy. I know that there is a way to get his real IP address even if he's using proxy, but I don't know how.

Also, I found out that he managed to abuse the script by entering 0A (line feed) and 0D (carriage return) characters (I have no idea how). Is there a way to ban these characters???

Can anyone help me?

Thanks in advance!

Best wishes!



Nov 19, 2001, 2:30 AM

Post #2 of 2 (458 views)
Re: Abuse [In reply to] Can't Post

I feel sorry for you...

It seams that gut is really nasty (considering the proxy story).

You have taken down your script I guess?

What kind of script is it? What makes him abuse it? If you can post a link to the source, it's easier to find the bugs.

You should always be careful with input. Use regexps to validate it. Try a regexp to find whether someone adss a 'CrLf' character in the string. There are also other codes that can be interpreted as a line break. See `perldoc perlport`.

You can use -Tw at the #! line. This is a bit difficult, and properly you need to change some code in your script IF you want to get this security flag work without taining errors. -T asumes that all your input is bad, and you need to validate, and extract the data using a regexp first. see `perldoc perlsec` Only then you're allowed to use the input data in system calls, etc..

One other thing... The input isn't used for a directory or something right? If so, you need to check for codes that make a jump to the previous directory, like ../../file.txt or ../../etc/pwd The last example would be terible if your script does something like `cat /home/yourname/$inputname` to display a file.

Hope you can do something with it.

Yet an Other Perl Programmer

Find out more about programming


Search for (options) Powered by Gossamer Forum v.1.2.0

Web Applications & Managed Hosting Powered by Gossamer Threads
Visit our Mailing List Archives