Abuse

srkey
newbie

Nov 18, 2001, 2:56 PM

Post #1 of 2 (387 views)
Abuse

Hi!

I've had a lot of problems lately with someone who abused my script. I've been trying to ban him by using his real IP address but he started accessing my script via the proxy. I know that there is a way to get his real IP address even if he's using proxy, but I don't know how.

Also, I found out that he managed to abuse the script by entering 0A (line feed) and 0D (carriage return) characters (I have no idea how). Is there a way to ban these characters???

Can anyone help me?

Thanks in advance!

Best wishes!

S.S.



yapp
User

Nov 19, 2001, 2:30 AM

Post #2 of 2 (380 views)
Re: Abuse [In reply to]

I feel sorry for you...

It seems that guy is really nasty (considering the proxy story).

You have taken down your script I guess?

What kind of script is it? What makes him abuse it? If you can post a link to the source, it's easier to find the bugs.

You should always be careful with input. Use regexps to validate it. Try a regexp to find whether someone adds a 'CrLf' character in the string. There are also other codes that can be interpreted as a line break. See `perldoc perlport`.

You can use -Tw at the #! line. This is a bit difficult, and probably you need to change some code in your script IF you want to get this security flag to work without tainting errors. -T assumes that all your input is bad, and you need to validate and extract the data using a regexp first. See `perldoc perlsec`. Only then are you allowed to use the input data in system calls, etc.

One other thing... The input isn't used for a directory or something, right? If so, you need to check for codes that make a jump to the previous directory, like ../../file.txt or ../../etc/pwd. The last example would be terrible if your script does something like `cat /home/yourname/$inputname` to display a file.


Hope you can do something with it.


Yet an Other Perl Programmer

_________________________________
Find out more about programming
http://www.cool-programming.f2s.com
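The advice in the reply above (reject CR/LF, untaint with a whitelist regexp under -T, never let the input reach a shell or climb out of the directory) in one small script. This is an added example, not code from either poster; the base directory `/home/yourname/public`, the function names, and the trusted-proxy list are assumptions. It also shows the only honest answer to the proxy question: REMOTE_ADDR is the proxy's address, and the X-Forwarded-For header is something the client can set himself, so it is only worth reading when the connection really came from a proxy you trust.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): validating CGI input under taint mode.
use strict;
use warnings;

# Assumed: the only directory the script may serve files from.
my $BASE_DIR = '/home/yourname/public';

# Any line break in a value lets an attacker append header lines, mail
# headers or log records. perlport lists more than just \r and \n.
sub has_line_break {
    my ($s) = @_;
    return $s =~ /[\r\n\x{0085}\x{2028}\x{2029}]/ ? 1 : 0;
}

# Untaint a file name by extracting a strictly whitelisted form: letters,
# digits, '_', '-', '.', no leading '.', no '/'. "../../etc/passwd" and
# "foo/../bar" can never match, so there is no path to climb. Under -T the
# captured $1 is untainted; anything else is rejected (undef).
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef if has_line_break($raw);
    if ($raw =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\z/) {
        my $name = $1;
        return undef if $name =~ /\.\./;   # belt and braces
        return $name;
    }
    return undef;
}

# Read the file in Perl instead of `cat /home/yourname/$input`: a
# three-argument open never passes the name through a shell.
sub read_allowed_file {
    my ($raw) = @_;
    my $name = untaint_filename($raw);
    return (undef, "rejected input") unless defined $name;
    my $path = "$BASE_DIR/$name";
    open(my $fh, '<', $path) or return (undef, "cannot open $name: $!");
    local $/;
    my $data = <$fh>;
    close $fh;
    return ($data, undef);
}

# Client address behind a proxy. REMOTE_ADDR is whoever connected to the
# web server; X-Forwarded-For is only meaningful if that was a proxy you
# control, because any client can send the header with a made-up value.
sub client_ip {
    my ($env, $trusted_proxies) = @_;   # $trusted_proxies: hashref, assumed
    my $remote = $env->{REMOTE_ADDR} // '';
    my $xff    = $env->{HTTP_X_FORWARDED_FOR} // '';
    if ($trusted_proxies->{$remote}
        && $xff =~ /\A\s*(\d{1,3}(?:\.\d{1,3}){3})/) {
        return $1;   # first hop listed by the trusted proxy
    }
    return $remote;
}

# Demo on constructed inputs, including the 0D 0A trick from the question.
for my $in ("report.txt", "../../etc/passwd", "a.txt\x0D\x0AX-Evil: 1",
            ".htaccess", "a;rm -rf /") {
    (my $shown = $in) =~ s/([\x00-\x1f])/sprintf('\\x%02X', ord $1)/ge;
    my $v = untaint_filename($in);
    printf "%-28s => %s\n", $shown, defined $v ? "ok ($v)" : "REJECTED";
}

my %env = (REMOTE_ADDR => '10.0.0.5',
           HTTP_X_FORWARDED_FOR => '203.0.113.7');       # constructed
print "trusted proxy : ", client_ip(\%env, { '10.0.0.5' => 1 }), "\n";
print "direct client : ", client_ip(\%env, {}), "\n";   # header ignored
```

Run it as `./script.pl` or `perl -T script.pl`; invoking it as `perl script.pl` makes Perl complain that it is "too late for -T". Only `report.txt` passes the whitelist; the traversal, CRLF, dotfile and shell-metacharacter inputs are all rejected before they reach `open`, and in the proxy demo the forwarded address is used only when REMOTE_ADDR is in the trusted list.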
