Re^3: Passing a regex from a CGI HTML form

Hi Linicks,

Doing an eval or s///ee with a value supplied by a user on an HTML form is the equivalent of giving that user shell access to the machine. You keep saying that only you know the address of the machine, but if security by obscurity is your only security, then one day, for example if your page is discovered by a crawler, that'll mean game over for your server. That's why everyone has been saying to be very careful with eval and security by obscurity, and they are right!

To make one more recommendation because I don't think it's been made yet: At least throw some HTTP digest authentication on there along with the SSL.

Hope this helps,
-- Hauke D

Comment on Re^3: Passing a regex from a CGI HTML form Download Code

Replies are listed 'Best First'.
Re^4: Passing a regex from a CGI HTML form by Linicks (Scribe) on Sep 03, 2016 at 11:15 UTC
Hi Hauke D, Thanks for the reply. I have now implimented a bit of 'magic' in the form to only allow the script to be processed if known. As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere? Lastly, something that nobody mentioned here - OK, using 'eval' and the like is equivalent to giving shell access, but surely it will only be as the UID/Group I run apache under? Thanks, Nick	[reply]
Re^5: Passing a regex from a CGI HTML form by haukex (Archbishop) on Sep 03, 2016 at 11:48 UTC
Hi Linicks, OK, using 'eval' and the like is equivalent to giving shell access, but surely it will only be as the UID/Group I run apache under? Yes, that's correct, and the server process is often run under the `nobody` user or equivalent for that reason. But do you know for sure that the server has been configured properly security-wise on the NIX level? And why let someone even get that far? It's kind of like buying a safe but leaving a back window to your house open and hoping nobody notices. The question is why not* lock all the windows and doors too? As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere? Essentially every public IP address is probed at one point or another, I've got a few machines with public IPs and can attest to that. If you've got an Apache name-based virtual host, then AFAIK it does become more difficult, but then again I was just naming one example. Another example: can you guarantee that every computer you use to access this page is secure? Continuing the shell analogy: An HTML form + eval without a password is the same as setting up an SSH user with no password, and then hoping that no one happens to probe that particular IP + port + username combination. However unlikely it may be, once they do find it, they have access - so why not just throw a password on there? Regards, -- Hauke D	[reply] [d/l]
Re^6: Passing a regex from a CGI HTML form by Linicks (Scribe) on Sep 03, 2016 at 16:00 UTC
"But do you know for sure that the server has been configured properly security-wise on the *NIX level?" Yes, it's my server, and I have been running apache for years. "Another example: can you guarantee that every computer you use to access this page is secure?" Alas no - I am forced to use MS at work, so haven't a clue what goes on there - but other than that no other machine will touch it. "...so why not just throw a password on there? There is now a bit of magic on the form :) Don't panic people, all is sorted. Nick	[reply]
Re^5: Passing a regex from a CGI HTML form by Your Mother (Archbishop) on Sep 03, 2016 at 22:51 UTC
As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere? Watch your logs. I was astounded to see hackbots start probing my home computer’s webserver, mostly for PHP vulnerabilities, within something like 20 minutes of opening port :80 to the outside. I’m not trying to pile on. `eval` can be dangerous but the way you’re setting things up is probably safe for your intended use. If you were a bank or something, no. When I open personal stuff up to the outside I sometimes pseudo-firewall with IP filtering in the app (plack middleware) and always use htaccess with SSL enforced (also easy with middleware).	[reply] [d/l]