PerlMonks  

Re: security issues with an index.pl-type thing...

by DrZaius (Monk)
on Jun 18, 2001 at 18:36 UTC


in reply to security issues with an index.pl-type thing...

Yes, this is the way to do it. You'd be surprised at the number of sites you can compromise because you can do things like index.pl?template=../../../../passwd.

I wouldn't even trust a regex to 'take out the ..' either as you could probably just do /etc/passwd instead. Yes, you could also regex off ^/ as well, but you'll be doing stuff like that as long as that script exists.

Also consider using pathinfo or a mod_perl handler because it looks a little nicer :)
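
An added example, not part of DrZaius's post or the original thread: the Perl sketch below runs the two inputs mentioned in the reply through a filter that strips `..` and through a lookup in a fixed table of template names. Using a lookup table as the safe alternative, the template directory and the template names are all assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical template directory and names, constructed for this example.
my $TEMPLATE_DIR = '/var/www/templates';
my %TEMPLATES = (
    home    => 'home.tmpl',
    about   => 'about.tmpl',
    contact => 'contact.tmpl',
);

# Filtering approach: remove ".." and pass whatever is left to open().
# Returns the string the script would end up opening.
sub resolve_by_stripping {
    my ($param) = @_;
    (my $clean = $param) =~ s/\.\.//g;
    return $clean;
}

# Lookup approach: the parameter is only ever a key into a fixed table,
# so no user-supplied text becomes part of the filesystem path.
# Returns the full path, or undef when the name is not a known template.
sub resolve_by_allowlist {
    my ($param) = @_;
    return unless defined $param && exists $TEMPLATES{$param};
    return "$TEMPLATE_DIR/$TEMPLATES{$param}";
}

# The two request values quoted in the post, plus one legitimate name.
for my $input ('home', '../../../../passwd', '/etc/passwd') {
    my $stripped = resolve_by_stripping($input);
    my $allowed  = resolve_by_allowlist($input);
    printf "%-20s strip -> %-14s lookup -> %s\n",
        $input,
        $stripped,
        defined $allowed ? $allowed : '(rejected)';
}
```

With the filter, both request values from the post still come out as paths beginning with `/`, while the lookup rejects anything that is not one of the three known keys.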
