in reply to Re^3: Passing a regex from a CGI HTML form
in thread Passing a regex from a CGI HTML form

Hi Hauke D,

Thanks for the reply. I have now implimented a bit of 'magic' in the form to only allow the script to be processed if known.

As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere?

Lastly, something that nobody mentioned here - OK, using 'eval' and the like is equivalent to giving shell access, but surely it will only be as the UID/Group I run apache under?

Thanks, Nick

  • Comment on Re^4: Passing a regex from a CGI HTML form

Replies are listed 'Best First'.
Re^5: Passing a regex from a CGI HTML form
by haukex (Archbishop) on Sep 03, 2016 at 11:48 UTC

    Hi Linicks,

    OK, using 'eval' and the like is equivalent to giving shell access, but surely it will only be as the UID/Group I run apache under?

    Yes, that's correct, and the server process is often run under the nobody user or equivalent for that reason. But do you know for sure that the server has been configured properly security-wise on the *NIX level? And why let someone even get that far? It's kind of like buying a safe but leaving a back window to your house open and hoping nobody notices. The question is why not lock all the windows and doors too?

    As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere?

    Essentially every public IP address is probed at one point or another, I've got a few machines with public IPs and can attest to that. If you've got an Apache name-based virtual host, then AFAIK it does become more difficult, but then again I was just naming one example. Another example: can you guarantee that every computer you use to access this page is secure?

    Continuing the shell analogy: An HTML form + eval without a password is the same as setting up an SSH user with no password, and then hoping that no one happens to probe that particular IP + port + username combination. However unlikely it may be, once they do find it, they have access - so why not just throw a password on there?

    Regards,
    -- Hauke D

[reply]
[d/l]

      "But do you know for sure that the server has been configured properly security-wise on the *NIX level?"

      Yes, it's my server, and I have been running apache for years.

      "Another example: can you guarantee that every computer you use to access this page is secure?"

      Alas no - I am forced to use MS at work, so haven't a clue what goes on there - but other than that no other machine will touch it.

      "...so why not just throw a password on there?

      There is now a bit of magic on the form :) Don't panic people, all is sorted.

      Nick

[reply]
Re^5: Passing a regex from a CGI HTML form
by Your Mother (Archbishop) on Sep 03, 2016 at 22:51 UTC
    As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere?

    Watch your logs. I was astounded to see hackbots start probing my home computer’s webserver, mostly for PHP vulnerabilities, within something like 20 minutes of opening port :80 to the outside.

    I’m not trying to pile on. eval can be dangerous but the way you’re setting things up is probably safe for your intended use. If you were a bank or something, no. When I open personal stuff up to the outside I sometimes pseudo-firewall with IP filtering in the app (plack middleware) and always use htaccess with SSL enforced (also easy with middleware).

[reply]
[d/l]

In Section Seekers of Perl Wisdom