Re^2: Weird entry index my guestlog

I was go going to say iw as really surprised you could do the same thing but after analyzing more carefully my code i know how you inserted "aweirdentryinyourlog".

You did it like this: http://localhost/cgi-bin/index.pl?select=aweirdentryinyourlog

Nothing bad happened because this attempt falls inside the unless code block where my program exits. I have corrected it though and now the code looks like this:

my @files = glob "$ENV{'DOCUMENT_ROOT'}/data/text/*.txt";
my @menu_files = map m{([^/]+)\.txt}, @files;
Encode::from_to($_, 'ISO-8859-7', 'utf8') for @menu_files;

print header( -charset=>'utf8' );
my $article = param('select') || "Welcome Page!";


if ( param('select') )  {  #If user selected an item from the drop dow
+n menu

   unless( grep /^\Q$article\E$/, @menu_files )  #Unless user selectio
+n doesn't match one of the valid filenames within @menu_files
   {
      if( param('select') =~ /\0/ )
      {
         $article = "*Null Byte Injection* attempted => $article";
         print br() x 2, h1( {class=>'big'}, $article );
      }
      elsif( param('select') =~ /\.\.\// )
      {  
         $article = "*Backwards Directory Traversal* attempted => $art
+icle";
         print br() x 2, h1( {class=>'big'}, $article );
      }
      else
      {
         my $message = "What Exactly Are You Up To With > $article < M
+ighty Hacker ?";
         print br() x 2, h1( {class=>'big'}, $message );
         $article = "*Hack Attempt* attempted => $article";
      }
      
      $update = $db->prepare( "UPDATE guestlog SET article=?, date=?, 
+counter=counter+1 WHERE host=?" );
      $update->execute( $article, $date, $host );
      
      exit 0;
   }

   Encode::from_to($article, 'utf8', 'ISO-8859-7');  #Convert user sel
+ected filename to greek-iso so it can be opened

   open FILE, "<$ENV{'DOCUMENT_ROOT'}/data/text/$article.txt" or die $
+!;
      local $/;      
      $data = <FILE>;
   close FILE;
   
   Encode::from_to($article, 'ISO-8859-7', 'utf8');  #Convert user sel
+ected filename back to utf8 before inserting into db 

   $update = $db->prepare( "UPDATE guestlog SET article=?, date=?, cou
+nter=counter+1 WHERE host=?" );
   $update->execute( $article, $date, $host );
}
else blablabla
[download]

Now i print to the hacker a funny message and this time i'am aware of whats in the log since i create the message to be logged.

Please if you have spare time see if you can pass any other bogus info on my script or perhaps you can open a file.

My major concern is this line, but as i have written it and especially attached the ".txt" assertion on the end i believe there cant be a possible attempt on opening a file stored in my hdd through my script.

Or Am i wrong?!

Comment on Re^2: Weird entry index my guestlog Download Code

Replies are listed 'Best First'.

Re^3: Weird entry index my guestlog
by CountZero (Bishop) on Jan 11, 2008 at 06:08 UTC

The established procedure to secure your website is to run Perl in taint mode and clean all the user-input though a regex before you use it anywhere. In "taint mode" your program will refuse to work with any non-cleaned user-input. It therefore forces you to think about what kind of user input is allowed before letting you actually using it.

CountZero

A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

[reply]


Just another Perl shrine
	PerlMonks