Mar 8, 2002, 2:48 AM
Post #2 of 5
Re: [taffelman] Hide datastring from webforms
I won't answer your question directly. (I'm not a hacker)
I've just read the book "CGI programming with Perl", by O'Reilly. That book also has a very interesting chapter about security. I really got surprised that some things could actually be possible..
However, what do you think about this security checklist:
- Are your files stored outside the www root, so users can't access them accidentally using some pathname on the request line?
- do you crypt() your passwords?
- does your script use -w and -T and "use strict"?
- do you test every input using a regexp (required for -T)?
- if so, do you test for characters "not allowed", or for characters that you allow? The second version is a lot easier, and more secure (you can't forget anything)
- Isn't there any script that users can abuse, so they can use it to interact with the shell? Usually that's very easy. For example, by adding backticks to script parameters. When those are concatenated into a string sent to the shell as a command... those backticks will execute an "inner command".
- Do you still use shell pipes, or do you perform an exec() in a different process (using fork())? exec() doesn't use the shell directly, so it's more difficult to abuse your script.
- use as many perl functions as possible instead of interacting with the shell...
- Do you use CGI.pm? If so, have you given $CGI::POST_MAX a value? Or can users just post you some code dump files of 10MB through a textfield?
- If you use CGI, be sure to disable uploads before you create the CGI object. Otherwise, the uploading starts (that creates a temp file at your webserver). You do have some free disk space left, I hope? (set $CGI::DISABLE_UPLOADS before you do the new CGI() thing)
- If you use CGI.pm, note that the input is parsed regardless of whether the request method is POST or GET. However, you probably don't want users to enter the parameters as QUERY_STRING in their browser. Then use the request_method() routine to see what method is used for the request.
- What will happen to your script when someone writes a perl script (LWP::Simple) to access your script? It can fake quite some things (browser ID, referer, request method, parameters, parameter size). Never trust the browser and client.
- What happens when that previous script is run through a for(0..100000000) loop?
- Does your script also test the size of the parameters, I hope? (and doesn't trust the maxlength="" property of the textfield?)
- Maybe you also want users to be able to use your script only from a page within your domain (check the HTTP_REFERER). However, the LWP client can also fake that.
Yet Another Perl Programmer
~~> www.codingdomain.com <~~ (http://www.codingdomain.com)
More than 3500 X-Forum Downloads! (http://www.codingdomain.com/cgi-perl/downloads/x-forum)
(This post was edited by yapp on Mar 8, 2002, 2:58 AM)
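As an added illustration of several items on the checklist above (taint mode, allowlist regexp, $CGI::POST_MAX, $CGI::DISABLE_UPLOADS set before the CGI object, request_method(), parameter length, and fork()/exec() instead of the shell), here is a small CGI.pm script. It is example code written for this page, not yapp's or the book's; the `username` parameter, the 32-character limit and the getent(1) path are assumptions.

```perl
#!/usr/bin/perl -wT
use strict;

# Limits must be set before the CGI object exists; a BEGIN block also
# covers the function-oriented interface, which parses at load time.
BEGIN {
    $CGI::POST_MAX        = 10 * 1024;   # 10 KB is plenty for a form
    $CGI::DISABLE_UPLOADS = 1;           # no temp files written for us
}
use CGI;
# Taint mode refuses to exec anything while PATH is user-influenced.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;
print $q->header('text/plain');

# POST_MAX exceeded (or other parse trouble) shows up in cgi_error().
if (my $err = $q->cgi_error) {
    print "Request rejected: $err\n";
    exit;
}

# Parameters typed into the URL bar arrive as GET; insist on the form's POST.
if ($q->request_method ne 'POST') {
    print "Please submit the form.\n";
    exit;
}

# Allowlist check: length first, then only the characters we permit.
# The capture group is what untaints the value; everything else stays tainted.
my $user = $q->param('username');
$user = '' unless defined $user;
if (length($user) > 32 || $user !~ /^([A-Za-z0-9_]+)$/) {
    print "Invalid username.\n";
    exit;
}
$user = $1;

# Never build a shell command string from input. fork() plus the list form
# of exec() hands the argument straight to the program, so shell
# metacharacters in it are never interpreted.
my $pid = fork();
die "fork failed: $!" unless defined $pid;
if ($pid == 0) {
    # getent(1) is assumed to live at this path on the server.
    exec('/usr/bin/getent', 'passwd', $user) or die "exec failed: $!";
}
waitpid($pid, 0);
print "\nlookup exit status: ", $? >> 8, "\n";
```

The script must be started through its shebang line (as a web server does), since -T cannot be switched on once perl has begun compiling.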