how to avoid security holes for CGI code using checkbox ?

ningji
Novice

Apr 18, 2013, 3:54 PM

Post #1 of 5 (412 views)
how to avoid security holes for CGI code using checkbox?

Don't know how to describe this clearly; I have a simple Perl CGI program running with lighttpd.

It has a checkbox. If it's set, when you click "submit", it triggers my code in the background: `set_my_value.exe 1`.

If the checkbox is not checked: `set_my_value.exe 0`.

Now when I run Rapid7 Nexpose, which is a security check application, it can call my "set_my_value" directly, even though I didn't check/uncheck the checkbox. It's setting the values.

Seems lighttpd doesn't support Perl taint mode (someone correct me if that's not the case); I don't know what to do now.

Any help appreciated.

Thanks !


(This post was edited by ningji on Apr 18, 2013, 3:57 PM)


FishMonger
Veteran / Moderator

Apr 18, 2013, 6:44 PM

Post #2 of 5 (400 views)
Re: [ningji] how to avoid security holes for CGI code using checkbox?

What is the problem you're needing to solve?

Also, please post your script.


ningji
Novice

Apr 18, 2013, 6:55 PM

Post #3 of 5 (396 views)
Re: [FishMonger] how to avoid security holes for CGI code using checkbox?

Sorry, I'm at home now. E.g. a very simple page, 1 checkbox, 1 submit button:

use CGI qw(:standard);   # provides checkbox() and param()

print checkbox(
    -name     => 'more_info',
    -value    => 'yes',
    -selected => 1,
    -label    => 'Would you like more info?');

If I check the checkbox, then click submit, from param() it'll know I checked this box. So it'll exec some code in the background, e.g. turn on an xterm.

Now this web security tool can simulate this checkbox event, then send it to the web server.

When I run this tool, I can see many xterms on my server side. But no one is actually clicking the webpage.

So what's the best way to block this kind of fake checkbox message, please?



In Reply To
What is the problem you're needing to solve?

Also, please post your script.



(This post was edited by ningji on Apr 18, 2013, 6:56 PM)


FishMonger
Veteran / Moderator

Apr 18, 2013, 8:33 PM

Post #4 of 5 (390 views)
Re: [ningji] how to avoid security holes for CGI code using checkbox?

You could add a captcha to your site.


ningji
Novice

Apr 19, 2013, 3:01 PM

Post #5 of 5 (376 views)
Re: [FishMonger] how to avoid security holes for CGI code using checkbox?


In Reply To
You could add a captcha to your site.


Actually I added this check when I see the submit action:

unless ($ENV{REQUEST_METHOD} eq "POST") {
    error($q1, "invalid request method");   # error() and $q1 are defined elsewhere in the script
}

Seems to be helping a lot.
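Added example, not the poster's script or anything else from this thread: a handler for the same form in which the POST check from the last post is only the first gate, because a scanner sends POST just as easily as GET; the program runs only for a user lighttpd has already authenticated who submits the token issued with their copy of the form, the checkbox value is compared against the exact strings the form can produce, and a fixed argument goes to the program without a shell. It assumes lighttpd's mod_auth protects this URL and sets REMOTE_USER, that the script is executed directly through its shebang line so -T is honored, and it uses placeholder values for the secret and the setter's path.

```perl
#!/usr/bin/perl -T
# -T takes effect only when lighttpd runs the script directly via this line
# (cgi.assign mapping ".pl" to ""); if lighttpd is told to run /usr/bin/perl
# itself, perl stops with "Too late for -T option".
use strict;
use warnings;
use CGI;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-example-secret';    # placeholder: read it from a file only the CGI user can open
my $SETTER = '/usr/local/bin/set_my_value';   # placeholder path for the poster's set_my_value program

# Taint mode refuses to exec until PATH and the shell-influencing variables are under the script's control.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $q = CGI->new;

# Token bound to the authenticated login: a request that did not originate from a form
# issued to this user cannot carry a matching value.
sub token_for { my ($user) = @_; return hmac_sha256_hex("form:$user", $SECRET) }

sub error {
    my ($cgi, $msg) = @_;
    print $cgi->header(-status => '403 Forbidden'), $cgi->start_html('Error'), $cgi->p($msg), $cgi->end_html;
    exit;
}

# Assumes lighttpd mod_auth guards this URL; an unauthenticated scanner never reaches the command.
my $user = $ENV{REMOTE_USER};
error($q, 'authentication required') unless defined $user && $user =~ /^([\w.-]+)\z/;
$user = $1;                                   # untainted copy taken from the capture group

if ($ENV{REQUEST_METHOD} eq 'POST') {
    my $token = $q->param('token') // '';
    error($q, 'invalid form token') unless $token eq token_for($user);
    # Only the exact values the form can emit are accepted; anything else is rejected, not mapped.
    my $flag = $q->param('more_info') // '';
    error($q, 'unexpected checkbox value') unless $flag eq '' || $flag eq 'yes';
    my $arg = $flag eq 'yes' ? '1' : '0';     # fixed literal, never request data
    system($SETTER, $arg) == 0 or error($q, "setter failed (status $?)");   # list form: no shell involved
    print $q->header, $q->start_html('Updated'), $q->p("Value set to $arg"), $q->end_html;
} else {
    print $q->header, $q->start_html('Settings'),
        $q->start_form(-method => 'POST'),
        $q->hidden(-name => 'token', -value => token_for($user), -override => 1),
        $q->checkbox(-name => 'more_info', -value => 'yes', -label => 'Would you like more info?'),
        $q->submit(-value => 'Save'),
        $q->end_form, $q->end_html;
}
```

A request that arrives without the login, without the token, or with any value other than the ones the form itself emits is answered with 403 and never reaches system(); the xterms from the earlier post appear only when an authenticated user submits the real form.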
