PerlMonks
Re^2: Setting up a web-based perl interpeter

by Anonymous Monk
on May 27, 2011 at 16:29 UTC


in reply to Re: Setting up a web-based perl interpeter
in thread Setting up a web-based perl interpeter

That's not true. Not publishing a URL can be quite secure.

If the OP doesn't ever publish it somewhere and nests the directory tree 3 or more directories deep with character-random directory names, no one and no bot will ever find it.

I.e.:
somesite.com/234sfsd/zzasdf21/ooiissa221/22234AZa/pwa2r.pl

That obscurity is absolutely security. The OP could go one or two steps further by not having the script run unless a certain param is passed to it, i.e.: pwa2r.pl?mode=a23da.

Now there is a level of authentication with an obscure URL. The other step is doing IP-based security if they have a static IP address. Any one of those tiers of security is not completely secure by itself, but if two or more of them are used you have yourself a very secure script without the need of authentication.

Re^3: Setting up a web-based perl interpeter
by Your Mother (Archbishop) on May 27, 2011 at 16:42 UTC

    Unless any part of the served pages ever, at any time, calls an external URL or visits one from it. Plus IP filtering is a form of authentication and, without reverse look-ups, not a "very secure" one.

      True, those situations can arise. But remember you still have two forms of verification even if the address is known to web servers. You still have an IP validation which in itself isn't so secure; however, unless they know what IP you are using it won't do them any good. Or throw the reverse look-up on there, too. That won't require the OP to do anything extra when they load the script.

      When visiting other pages it never shows the URL params. It won't pass on that you had to do script.pl?this=that. It'll just show script.pl.

      I'm not saying the script is fort knox worthy but this is more or less secure.

      There are many ways to secure a script without a required sign-on verification process. For instance: make a requirement that a script on the server is run within the past hour or the script won't run. I.e.: have another hidden script on the server that timestamps a file that the perl interpreter then reads. If it was last hit over an hour ago the script doesn't execute. It's simple to do and makes the script live only as long as that time frame. And to increase that, add the function script.pl?time=stop to instantly kill access when you're done with it.

      It may seem like a lot of small things but it would absolutely work with what the OP is trying to accomplish.
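The one-hour timestamp gate and the ?time=stop kill switch described in the reply above, written out as an added example (not code from the thread or from any poster); the flag-file path and the use of the CGI module are assumptions, and the gate only decides whether the interpreter script may run, it is not a replacement for authentication:

```perl
#!/usr/bin/perl
# Added example: time-window gate in front of a web-accessible script.
# Assumes the CGI module is installed and that a separate hidden "arming"
# script touches $FLAG_FILE (path chosen here for illustration only).
use strict;
use warnings;
use CGI ();

my $FLAG_FILE = '/var/lib/webperl/last_touch';   # assumed path, touched by the arming script
my $WINDOW    = 3600;                            # seconds the window stays open after a touch

# Returns 1 if the flag file was touched within $window seconds of $now, else 0.
# A missing flag file means the window is closed.
sub window_open {
    my ($flag, $window, $now) = @_;
    $now = time unless defined $now;
    my $mtime = (stat $flag)[9];
    return 0 unless defined $mtime;
    return (($now - $mtime) <= $window) ? 1 : 0;
}

# What the hidden arming script does: create the flag file and set its mtime to now.
sub open_window {
    my ($flag) = @_;
    open my $fh, '>>', $flag or die "cannot touch $flag: $!";
    close $fh;
    my $now = time;
    utime $now, $now, $flag or die "cannot set mtime on $flag: $!";
    return 1;
}

# The ?time=stop kill switch: remove the flag so the window closes immediately.
sub close_window {
    my ($flag) = @_;
    unlink $flag;
    return (-e $flag) ? 0 : 1;   # 1 when the file is gone (or was never there)
}

my $q = CGI->new;
if (defined $q->param('time') && $q->param('time') eq 'stop') {
    close_window($FLAG_FILE);
    print $q->header(-type => 'text/plain'), "access window closed\n";
    exit;
}
unless (window_open($FLAG_FILE, $WINDOW)) {
    print $q->header(-type => 'text/plain', -status => '403 Forbidden'),
          "access window is closed\n";
    exit;
}
# Only past this point would the interpreter itself run; it is deliberately omitted here.
print $q->header(-type => 'text/plain'), "window open; interpreter would run here\n";
```

Note that, as MidLifeXis points out further down, the ?time=stop request and any other GET parameters still land in the web server's access_log.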

        I know what you're saying but you're talking probability more than security. Secure should be considered binary. It's secure (against all known issues) or it's not. Anything else is a form of gambling. Maybe you're only betting a couple dollars on good odds so it's not that dangerous but it's still not secure and suggesting it is in a situation where someone is discussing arbitrary code execution from user input is irresponsible even if it's not that risky.

        When visiting other pages it never shows the URL params. It won't pass on that you had to do script.pl?this=that. It'll just show script.pl.

        My access_log records show the parameters passed in a GET request, and the error_log shows the referer (sic) including the parameters if it was a GET request.

        You are using obscurity to secure your script. Once the obscurity is gone, the security goes right with it. Obscurity can be much more difficult to maintain (perhaps approaching "impossible" for anything more complex than a crossover cable) than other methods once $badguy has access to the request path (see previous post in this thread). Maintaining this secure request path is expensive, error prone, and difficult. There are other, more economical solutions available.

        --MidLifeXis

Re^3: Setting up a web-based perl interpeter
by flexvault (Monsignor) on May 27, 2011 at 18:29 UTC

    That's not true. Not publishing a URL can be quite secure....

    If you're using a web server, people will be knocking on your server port within hours. In the 90s you could put a server up and no one tried for weeks; after 2001 it was less than 8 hours, and now about 2-4 hours. If you use https with your own certificates, you may have a chance. But, that's a lot of work!

    Further, on the "...script run unless a certain param is passed...", that param had better change every few minutes, or you'll find someone harvesting your information. A recent study of victims of on-line theft stated that 95% of them thought they didn't have anything to steal on their PC.

    Now add a web server!

    Go with security first!

    "Well done is better than well said." - Benjamin Franklin

      No lie. A couple years ago I opened up :80 at home to demo an app that was a web/visit logger/tracker; I expected it to be sleepy for a week, it was filling up with requests to PHP and Windows exploit URIs in an hour.

Re^3: Setting up a web-based perl interpeter
by MidLifeXis (Monsignor) on May 27, 2011 at 20:17 UTC

    Does your traffic pass through something I have control over? Think network, cache, diverted network route, wireless leak, ...

    --MidLifeXis

Re^3: Setting up a web-based perl interpeter
by Anonymous Monk on May 27, 2011 at 16:30 UTC
    I did forget to add that the OP would have to have an index file in the above-mentioned directories so the tree isn't visible.
