I was going to say I was really surprised you could do the same thing, but after analyzing my code more carefully I know how you inserted "aweirdentryinyourlog".
You did it like this: http://localhost/cgi-bin/index.pl?select=aweirdentryinyourlog
Nothing bad happened because this attempt falls inside the unless code block where my program exits. I have corrected it though, and now the code looks like this:
use CGI qw(:standard); # header(), param(), br(), h1()
use Encode;            # Encode::from_to()

my @files = glob "$ENV{'DOCUMENT_ROOT'}/data/text/*.txt";
my @menu_files = map m{([^/]+)\.txt}, @files;
Encode::from_to($_, 'ISO-8859-7', 'utf8') for @menu_files;
print header( -charset=>'utf8' );
my $article = param('select') || "Welcome Page!";
if ( param('select') ) { # If user selected an item from the drop down menu
    unless( grep /^\Q$article\E$/, @menu_files ) # Unless user selection matches one of the valid filenames within @menu_files
    {
        if( param('select') =~ /\0/ )
        {
            $article = "*Null Byte Injection* attempted => $article";
            print br() x 2, h1( {class=>'big'}, $article );
        }
        elsif( param('select') =~ /\.\.\// )
        {
            $article = "*Backwards Directory Traversal* attempted => $article";
            print br() x 2, h1( {class=>'big'}, $article );
        }
        else
        {
            my $message = "What Exactly Are You Up To With > $article < Mighty Hacker ?";
            print br() x 2, h1( {class=>'big'}, $message );
            $article = "*Hack Attempt* attempted => $article";
        }
        $update = $db->prepare( "UPDATE guestlog SET article=?, date=?, counter=counter+1 WHERE host=?" );
        $update->execute( $article, $date, $host );
        exit 0;
    }
    Encode::from_to($article, 'utf8', 'ISO-8859-7'); # Convert user selected filename to greek-iso so it can be opened
    open FILE, "<$ENV{'DOCUMENT_ROOT'}/data/text/$article.txt" or die $!;
    local $/;
    $data = <FILE>;
    close FILE;
    Encode::from_to($article, 'ISO-8859-7', 'utf8'); # Convert user selected filename back to utf8 before inserting into db
    $update = $db->prepare( "UPDATE guestlog SET article=?, date=?, counter=counter+1 WHERE host=?" );
    $update->execute( $article, $date, $host );
}
else blablabla
Now I print a funny message to the hacker, and this time I am aware of what's in the log, since I create the message to be logged.
Please, if you have spare time, see if you can pass any other bogus info to my script, or perhaps open a file.
My major concern is this line, but as I have written it, and especially having attached the ".txt" assertion on the end, I believe there can't be a possible attempt at opening a file stored on my hdd through my script.
Or am I wrong?!
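The allow-list pattern above (only names harvested from data/text/*.txt may reach open()) is the check that does the real work; the null-byte and traversal regexes only decide what gets logged. The following is an added, stand-alone example (not the poster's code) that factors that logic into testable functions: the allow-list is a hash, so the match is byte-exact and, unlike /^...$/ (where $ also matches before a trailing newline), a value with a trailing newline is rejected. The @menu_files list and the probe values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the stems of data/text/*.txt (no '/' can
# appear in them, because the glob regex captured [^/]+ only).
my @menu_files = ('Welcome Page!', 'about', 'contact');

# Build the allow-list as a hash: exact-match lookup, no regex, and no
# leniency for a trailing newline (a /^...$/ test would accept "about\n").
sub build_allowlist {
    my @names = @_;
    my %allowed;
    $allowed{$_} = 1 for @names;
    return \%allowed;
}

# Classify a raw 'select' value: 'ok' only on an exact allow-list hit,
# otherwise the category to write to the log. The null-byte test runs
# before the traversal test, as in the original script.
sub classify_selection {
    my ($sel, $allowed) = @_;
    return 'ok'        if exists $allowed->{$sel};
    return 'null_byte' if $sel =~ /\0/;
    return 'traversal' if $sel =~ m{\.\./};
    return 'unknown';
}

# Resolve a menu name to a path only after it passed the allow-list;
# returns nothing otherwise, so the caller never reaches open().
sub menu_path {
    my ($root, $sel, $allowed) = @_;
    return unless classify_selection($sel, $allowed) eq 'ok';
    return "$root/data/text/$sel.txt";
}

my $allowed = build_allowlist(@menu_files);
for my $probe ("about", "about\n", "../../other.txt", "about\0x", "nope") {
    my $shown = $probe;
    $shown =~ s/([\0\n])/sprintf("\\x%02x", ord $1)/ge;   # make control bytes visible
    printf "%-20s => %s\n", qq{"$shown"}, classify_selection($probe, $allowed);
}
# Only the first probe yields a path; every other call returns an empty list.
printf "path for 'about': %s\n", menu_path('/srv/www', 'about', $allowed);
```

Expected classifications, in order: ok, unknown, traversal, null_byte, unknown; the "about\n" case is the one the original /^\Q$article\E$/ test would have let through to open() (where it would merely die on a missing file, but it shows why \z or a hash lookup is the safer match).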