Don't know how to describe this clearly,
i have a simple perl CGI code, running with lighttpd.

it has checkbox, if it's set, when you click "submit".
it will trigger my code in the background,
`set_my_value.exe 1`.

if no check that checkbox,
`set_my_value.exe 0`.

Now when i run Rapid7 nexpose, which is a security check application,
it can call my "set_my_value" directly.
So even i didn't check/uncheck the checkbox.
It's setting the values.

Seems lighttpd doesn't support perl taint mode (someone correct me if not the case), i don't know what to do now.

Any help appreciated.

Thanks !

I guess you posted this in the wrong forum as it seems to be related to perl programming on windows. Ask a moderator to move this thread to the programming forum.

What has Rapid7 nexpose to do with your cgi script? It can call the same function. So what. I don't understand your problem.

GUI web browsers aren't the only HTTP clients. Anything that can send a HTTP request to a HTTP server is a client. As such, it becomes almost trivial to submit a HTTP request to your server, and the arguments to that request are therefore not restricted to what a well behaving web browser would send when submitting your form. For this reason, among others, you need to practice defensive coding in your CGI scripts, by at least validating all user input.

--- rod.

At a minimum, turn on the -T option (taint mode) which will identify any unvalidated data that may be used.

It can be a real pain, but will save your butt by identifying unsafe expressions.

actually i added this check when i see submit action,
unless ($ENV{REQUEST_METHOD} eq "POST")
{
error($q1, "invalid request method");
}

seems helping a lot.

That is only a start.

Watch especially with anything that will be used as a filename/directory name. Things like "../../../.." can play some interesting tricks on you.

Really, the subject of protecting against malicious input is a subject all it's own, and a single thread in a forum like this can't do it justice.

--- rod.