LinuxQuestions.org


5883 04-18-2013 06:00 PM

how to avoid security holes for perl CGI code using checkbox ?
 
Don't know how to describe this clearly.
I have simple Perl CGI code, running with lighttpd.

It has a checkbox; if it's set when you click "submit",
it will trigger my code in the background,
`set_my_value.exe 1`.

If the checkbox is not checked,
`set_my_value.exe 0`.

Now when I run Rapid7 Nexpose, which is a security check application,
it can call my "set_my_value" directly.
So even if I didn't check/uncheck the checkbox,
it's setting the values.

Seems lighttpd doesn't support Perl taint mode (someone correct me if that's not the case); I don't know what to do now.

Any help appreciated.

Thanks !

j-ray 04-19-2013 03:09 AM

I guess you posted this in the wrong forum as it seems to be related to Perl programming on Windows. Ask a moderator to move this thread to the programming forum.

What has Rapid7 Nexpose to do with your CGI script? It can call the same function. So what? I don't understand your problem.

theNbomr 04-19-2013 11:39 AM

GUI web browsers aren't the only HTTP clients. Anything that can send an HTTP request to an HTTP server is a client. As such, it becomes almost trivial to submit an HTTP request to your server, and the arguments to that request are therefore not restricted to what a well-behaved web browser would send when submitting your form. For this reason, among others, you need to practice defensive coding in your CGI scripts, by at least validating all user input.

--- rod.

jpollard 04-19-2013 03:59 PM

At a minimum, turn on the -T option (taint mode) which will identify any unvalidated data that may be used.

It can be a real pain, but will save your butt by identifying unsafe expressions.

5883 04-19-2013 05:03 PM

Actually, I added this check when I see the submit action:

```perl
unless ($ENV{REQUEST_METHOD} eq "POST")
{
    error($q1, "invalid request method");
}
```

Seems to be helping a lot.

jpollard 04-19-2013 05:10 PM

That is only a start.

theNbomr 04-19-2013 05:14 PM

Watch especially with anything that will be used as a filename/directory name. Things like "../../../.." can play some interesting tricks on you.

Really, the subject of protecting against malicious input is a subject all its own, and a single thread in a forum like this can't do it justice.

--- rod.
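
The advice in this thread (check the request method, run under taint mode, validate every input) combined into one handler, as an added example that is not code from any of the posters. Assumptions: the script is started as `perl -T`, the CGI module is installed, the checkbox field is named `enable`, and the helper lives at the path shown.

```perl
#!/usr/bin/perl -T
# Added example: hardened handler for the checkbox form discussed in this thread.
use strict;
use warnings;
use CGI ();

# Taint mode refuses to run external programs with an untrusted environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumption: absolute path to the helper; adjust for your install.
my $HELPER = '/usr/local/bin/set_my_value.exe';

my $q = CGI->new;

# Send an error response and stop; nothing after this runs.
sub fail {
    my ($status, $msg) = @_;
    print $q->header(-status => $status, -type => 'text/plain'), "$msg\n";
    exit 0;
}

# Map the raw parameter to 0 or 1; anything else is rejected.
# An unchecked checkbox is simply absent from the submitted form.
sub checkbox_to_flag {
    my ($raw) = @_;
    return 0 unless defined $raw;
    return 1 if $raw =~ /\A(?:on|1)\z/;
    return undef;
}

fail('405 Method Not Allowed', 'invalid request method')
    unless ($ENV{REQUEST_METHOD} // '') eq 'POST';

# Assumption: the checkbox field is named "enable".
my $flag = checkbox_to_flag(scalar $q->param('enable'));
fail('400 Bad Request', 'invalid checkbox value') unless defined $flag;

# List-form system() bypasses the shell; $flag is a literal 0 or 1, never
# the client's string, so it is untainted by construction.
system($HELPER, $flag) == 0
    or fail('500 Internal Server Error', 'helper failed');

print $q->header(-type => 'text/plain'), "value set to $flag\n";
```

This constrains which values can reach `set_my_value.exe`, not who may send them: any HTTP client can still submit a valid POST, so restricting who can reach the script is a separate control.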

