LinuxQuestions.org
Old 04-18-2013, 07:00 PM   #1
5883
Member
 
Registered: Aug 2004
Posts: 173

Rep: Reputation: 0
How to avoid security holes in Perl CGI code using a checkbox?


I don't know how to describe this clearly.
I have a simple Perl CGI script running with lighttpd.

It has a checkbox; if it's set, when you click "submit"
it triggers my code in the background:
`set_my_value.exe 1`.

If that checkbox is not checked:
`set_my_value.exe 0`.

Now when I run Rapid7 Nexpose, which is a security check application,
it can call my "set_my_value" directly,
so even though I didn't check/uncheck the checkbox,
it's setting the values.

It seems lighttpd doesn't support Perl taint mode (someone correct me if that's not the case); I don't know what to do now.

Any help appreciated.

Thanks !
 
Old 04-19-2013, 04:09 AM   #2
j-ray
Senior Member
 
Registered: Jan 2002
Location: germany
Distribution: ubuntu
Posts: 1,532

Rep: Reputation: 132
I guess you posted this in the wrong forum, as it seems to be related to Perl programming on Windows. Ask a moderator to move this thread to the Programming forum.

What does Rapid7 Nexpose have to do with your CGI script? It can call the same function. So what? I don't understand your problem.
 
Old 04-19-2013, 12:39 PM   #3
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

Rep: Reputation: 908
GUI web browsers aren't the only HTTP clients. Anything that can send an HTTP request to an HTTP server is a client. As such, it becomes almost trivial to submit an HTTP request to your server, and the arguments to that request are therefore not restricted to what a well-behaved web browser would send when submitting your form. For this reason, among others, you need to practice defensive coding in your CGI scripts, by at least validating all user input.

--- rod.
 
Old 04-19-2013, 04:59 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
At a minimum, turn on the -T option (taint mode) which will identify any unvalidated data that may be used.

It can be a real pain, but will save your butt by identifying unsafe expressions.
 
Old 04-19-2013, 06:03 PM   #5
5883
Member
 
Registered: Aug 2004
Posts: 173

Original Poster
Rep: Reputation: 0
Actually, I added this check when I see the submit action:
# reject anything that is not a form POST
unless ($ENV{REQUEST_METHOD} eq "POST")
{
    error($q1, "invalid request method");
}

It seems to help a lot.
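An added example, not the poster's script or anything posted in this thread, that puts the suggestions so far (taint mode, the request-method check, and validation of the checkbox value) together in one Perl CGI handler; the helper path /usr/local/bin/set_my_value and the field name "enabled" are assumptions standing in for the poster's setup:

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's script: one CGI handler that
# layers the checks suggested in this thread (taint mode, a request-method
# check, an allowlist on the checkbox value, and a shell-free system() call).
# Assumptions: the helper is /usr/local/bin/set_my_value and the form field
# is named "enabled"; both are placeholders for the poster's real setup.
use strict;
use warnings;
use CGI;

# Under -T, system() refuses to run while PATH comes from the environment,
# so set it explicitly and drop the other variables perl treats as unsafe.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# Layer 1: the form only ever submits via POST; anything else is refused.
unless (($ENV{REQUEST_METHOD} // '') eq 'POST') {
    print $q->header(-status => '405 Method Not Allowed'), "invalid request method\n";
    exit 0;
}

# Layer 2: untaint by allowlist. An unchecked checkbox is simply absent from
# the form data, so "missing" means 0; anything other than an exact "1" or
# "0" is refused rather than coerced to a number.
my $raw = $q->param('enabled');
my $value;
if (!defined $raw) {
    $value = 0;
} elsif ($raw =~ /\A([01])\z/) {
    $value = $1;    # the regex capture is the only untainted copy
} else {
    print $q->header(-status => '400 Bad Request'), "invalid checkbox value\n";
    exit 0;
}

# Layer 3: list-form system() execs the helper directly, with no shell in
# between, so the argument is never parsed for metacharacters.
my $rc = system('/usr/local/bin/set_my_value', $value);
if ($rc != 0) {
    print $q->header(-status => '500 Internal Server Error'), "helper failed\n";
    exit 0;
}

print $q->header('text/plain'), "value set to $value\n";
```

If lighttpd's cgi.assign maps ".pl" to /usr/bin/perl, the interpreter is started without -T and perl refuses to run a script whose #! line has it, which may be what the poster saw; mapping the extension to "" so lighttpd executes the file through its #! line avoids that.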
 
Old 04-19-2013, 06:10 PM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
That is only a start.
 
Old 04-19-2013, 06:14 PM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

Rep: Reputation: 908
Watch especially with anything that will be used as a filename/directory name. Things like "../../../.." can play some interesting tricks on you.

Really, the subject of protecting against malicious input is a subject all its own, and a single thread in a forum like this can't do it justice.

--- rod.
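An added example, not from this thread, of checking a client-supplied file name before it reaches the filesystem, the "../../../.." case mentioned above; the base directory /var/www/data is an assumed placeholder:

```perl
#!/usr/bin/perl
# Added example, not from this thread: validating a client-supplied file
# name before it reaches the filesystem, the "../../../.." case above.
# Assumption: served files live under /var/www/data, a placeholder directory.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;

my $BASE = '/var/www/data';

# Returns the resolved path when $name is an acceptable file name directly
# under $BASE, undef otherwise. Two independent checks: an allowlist on the
# characters (which also untaints the value under -T), then a check that the
# path, after symlinks and ".." are resolved, still lies inside $BASE.
sub safe_path {
    my ($name) = @_;
    return undef unless defined $name;

    # Allowlist: a plain name, no slashes, no leading dot, bounded length.
    # This alone rejects "../x", "/etc/x", "dir/x" and ".htaccess".
    return undef unless $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    my $clean = $1;

    # Defence in depth: compare canonical paths so a symlink planted under
    # $BASE cannot point outside it. abs_path returns undef when a path
    # cannot be resolved, which is treated as a rejection too.
    my $base     = abs_path($BASE);
    my $resolved = abs_path(File::Spec->catfile($BASE, $clean));
    return undef unless defined $base && defined $resolved;
    return undef unless index($resolved, "$base/") == 0;
    return $resolved;
}

# Constructed inputs, including the kind a scanner sends to probe the script.
for my $input ('report.txt', '../../../../x', '.htaccess', 'a b;c', 'dir/report.txt') {
    my $p = safe_path($input);
    printf "%-20s => %s\n", $input, defined $p ? "ok: $p" : 'rejected';
}
```

On a machine where the assumed base directory does not exist, every input is rejected by the second check, which is the intended fail-closed behaviour.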
 