PerlMonks  

Re: Re: Blackbox implementation, but....

by IndyZ (Friar)
on Apr 29, 2002 at 10:05 UTC (#162796)


in reply to Re: Blackbox implementation, but....
in thread Blackbox implementation, but....

The biggest difference is that the script is separated from the html and uses redirects to push the user around to success/fail pages.

As I said in my last post, after looking at the source I wouldn't have even considered using it, but this friend had already built his HTML around it and would have figured out how to make it work without me (the shebang line was wrong), so I figured I might as well do what I could. I am fully aware that using strict, the CGI module, warnings, and taint do not make a script secure. However, it probably won't hurt. In addition, I made changes to the script's broken input validation and a few regexes that weren't as solid as the original coder probably thought they were. In the end I know for a fact that I closed one security hole and I am reasonably sure that I didn't introduce any new problems.

--
IndyZ

Re: Re: Re: Blackbox implementation
by cjf (Parson) on Apr 29, 2002 at 10:15 UTC
    In the end I know for a fact that I closed one security hole and I am reasonably sure that I didn't introduce any new problems.

    There are a lot more people who are reasonably sure that the NMS scripts don't introduce security problems :).

    Considering the problems with the creators of the original faulty script your friend was using, I'd recommend you either rewrite the script from scratch or adapt the NMS ones (separation of code and HTML is usually a good thing). If you choose to rewrite the script, it will probably be more work and will result in a less solid script than if you adapted one of the NMS ones.

    Your call though, check Re-inventing the wheel is a 'Good Thing' for more opinions on the issue.

Re: Re: Re: Blackbox implementation, but....
by thraxil (Prior) on Apr 29, 2002 at 21:20 UTC

    In the end I know for a fact that I closed one security hole and I am reasonably sure that I didn't introduce any new problems.

    i get the impression that this is a script that the company makes available to the public. if you know for a fact that you closed a security hole, it would logically imply that the version the company is distributing contains a security hole. i think the responsible thing to do would be to publish the vulnerability on bugtraq or some other appropriate forum.

    if other people are using it, publishing the vulnerability may encourage them to either remove it from their servers or fix it. it would also perhaps encourage the company to integrate some of your changes and maybe consider being a little nicer to people who send them patches in the future.

    anders pearson
