in reply to Script Visability and Security

If the cgi environment is set up correctly, advertising the location of the script has no effect on security.

There is potential for security problems in writing files from cgi. The key issues are:

  1. can the uset select the file path and name?
  2. can the user write arbitrary content or amount of data to the file?
  3. can the user overwrite existing files?
There are many resources around for recognising these problems and correcting them. 'man perlsec' is a good introduction.

After Compline,
Zaxo

Replies are listed 'Best First'.
Re: Re: Script Visability and Security
by echo (Pilgrim) on Sep 18, 2001 at 11:24 UTC

    If the cgi environment is set up correctly, advertising the location of the script has no effect on security.

    True, and this is the well-known There's no security through obscurity. However revealing such information is still a bad idea. Although it may not have a direct effect on this CGI script, it does reveal private information about the server which may be used to exploit another vulnerability, in another program or script. Think of a potential attacker quietly collecting all sorts of tidbits about how the server is layed out. Each piece of information is not a security issue in itself, but in the end it all adds up and can provide the attacker with enough information to compromise the system. That is why disclosing file system paths is never a good idea, and such bugs are a frequent topic on Bugtraq.

[reply]
Re: Re: Script Visability and Security
by Zecho (Hermit) on Sep 18, 2001 at 11:06 UTC
    I will add to that the simple fact that the full path to the script is already available within the source of your .shtml file.. "form action="

    Update: of course by full path, I mean the full URL which is what you were concerned with.
    Thanks echo for pointing that out.
[reply]
      "form action=" points to the URL of the script, something quite different from its file system path.
[reply]

In Section Seekers of Perl Wisdom