[Israel.pm] securing CGI scripts

Yosef Meller mellerf at netvision.net.il
Mon Sep 27 04:43:23 PDT 2004


Shlomo Yona wrote:
> Hello,
> 
> I have a CGI script that is used to serve as a
> "web-interface" (along with an HTML form) demo for a
> command-line program I wrote.
> 
> I've been asked to put it on a public web server and allow
> free access to this demo.
> 
> Now... the demo takes the input written in a FORM and pipes
> it to a pipeline of oneliners and then prints back a
> transformation of the returned output.
> 
> This "logic" seems very insecure and may result in data loss
> on the server.
> 
> I wonder if you guys can give some finger-rules, suggestions
> and tips that will enable me to get back to the script and
> do something to increase its security.
> 
> Thanks.
> 

Start with 'perldoc perlsec' and pay attention to taint checking. Good Luck.

-- 
   "No, I do not contain myself,"
   were the final words from the set of self-excluding sets. :-)
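
The taint-checking approach suggested above, applied to a form that feeds an external program; this is an added example, not part of the original thread. The program path `/usr/local/bin/demo-filter`, the form field name `text`, the length limit and the allowed character set are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: CGI wrapper running under taint mode (-T).
# /usr/local/bin/demo-filter and the field name "text" are hypothetical.
use strict;
use warnings;
use CGI ();
use IPC::Open2 qw(open2);

# Taint mode refuses to run external programs until the environment is clean
# (see perlsec, "Cleaning Up Your Path").
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $FILTER  = '/usr/local/bin/demo-filter';  # hypothetical program path
my $MAX_LEN = 2000;                          # assumed limit, below pipe buffer size

# Untaint by matching the whole value against an allow-list of characters.
# Only the captured $1 is untainted; anything else is rejected, not "cleaned".
sub untaint_text {
    my ($raw) = @_;
    return undef unless defined $raw && length($raw) <= $MAX_LEN;
    return $raw =~ /\A([\w \t\r\n.,;:!?'()-]+)\z/ ? $1 : undef;
}

# Run the program directly (the command string has no shell metacharacters,
# so no shell is involved) and pass the user's text on stdin only, never as
# part of a command line.
sub run_filter {
    my ($text) = @_;
    my $pid = open2(my $out, my $in, $FILTER);
    print {$in} $text;
    close $in;
    my $result = do { local $/; <$out> };    # slurp all output
    waitpid $pid, 0;
    return $? == 0 ? $result : undef;
}

my $q    = CGI->new;
my $text = untaint_text(scalar $q->param('text'));
print $q->header(-type => 'text/plain', -charset => 'UTF-8');
if (!defined $text) {
    print "Input rejected.\n";
} else {
    my $result = run_filter($text);
    print defined $result ? $result : "Processing failed.\n";
}
```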


