html/file security cgi [revisited]

   1: When I get a chance I will repost this with the changes suggested by
   2: you fine Perl Monks.  Remember This is my second perl script
   3: attempt.  I know I have much to learn.  Please keep the feedback coming
   4: 
   5: UPDATE[05/15/2002]: I have begun 'fixing' this code.  I realize I still have not
   6: incorporated the use of strict; and I still have textual
   7:  passwords that need to be encrypted.  I'm still reading! :)
   8: 
   9: UPDATE[05/16/2002]: I have incorporated crypt() into the code.
  10:   I also am now using alot of the CGI.pm features.
  11:  I am having one heck of a time adding strict to this though.
  12: 
  13: UPDATE[05/17/2002]: I have actually gotten strict to work! I had to do a little
  14:  restructuring but it works!  I am going to post a Node in SoPW.  See if there
  15:  is anything else I need to change on this before I call it good code!
  16: 
  17: 
  18: 
  19: #!/usr/bin/perl -w
  20: # (Put the address to the location of PERL on your system.  Find
  21: #  it with 'which perl')
  22: use strict;
  23: use CGI qw/:standard/;
  24: use CGI::Cookie;
  25: 
  26: # Where are you keeping the graphic that will be used in place of of
  27: # The requested graphic (thru ubersecure.cgi?img=Name) if password is not found
  28: my $imgfile = "/home/user/www/cgi-bin/ubersecure/secure.gif";
  29: 
  30: # Where you are keeping UberData.txt which holds your KEY|Location
  31: my $datafile = "/home/user/www/cgi-bin/ubersecure/uberdata.txt";
  32: 
  33: # Will You need multiple logins or a single login?  (1=multiple,0=single)
  34: my $multi_in = 1;
  35: 
  36: # This should point to your uberaccess.txt which holds the name|pass information
  37: # This is not required for the single user mode
  38: my $accessfile = "/home/user/www/cgi-bin/ubersecure/uberaccess.txt";
  39: 
  40: # Password required to login for single user mode.(Default pass is: 1234)
  41: # This will also be a valid password for multi user mode.
  42: # You MUST encrypt this password, you can use the following tool:
  43: # http://www.YourSite.com/cgi-bin/ubersecure/ubersecure.cgi?url=passwd
  44: my $pass = "USaH0nvPrucUo";
  45: 
  46: # UserName required to login for single user mode.
  47: # This will also be a valid login for multi user mode.
  48: my $goodnick = "1234";
  49: 
  50: # Address to this script.
  51: my $thisscript = "http://www.YourSite.com/cgi-bin/ubersecure.cgi";
  52: 
  53: #Name of the page that you are logging into.
  54: my $pagename = "UberSecure Test Page";
  55: 
  56: #Send mail to YOU when someone logs in?
  57: # 1 = On
  58: # 0 = Off
  59: my $send_mail = 0;
  60: 
  61: #Send mail to YOU when a Keyword / URL isn't found?
  62: my $send_mail_badurl = 0;
  63: 
  64: # UNIX path to the mail program on your system.
  65: # elm, Mail, etc.  If you run into problems, turn mail sending off.
  66: my $mail = "/var/qmail/bin/qmail-inject";
  67: 
  68: #Email address to send mail to (your personal e-mail address.)
  69: #You MUST put a backslash (\) in front of the 'at' (@) sign in the e-mail
  70: # address.
  71: my $to_email = "UberDragon13\@hotmail.com";
  72: 
  73: # Do you wish to log logins?  (1/0)
  74: # LOG file is NOT auto cleared.  You will have to edit it by hand.  If you
  75: # delete it, remember to chmod the new file 644 when you re-make it.
  76: my $log = 1;
  77: 
  78: #Ask for an e-mail address?  (Will be logged.)
  79: my $email = 0;
  80: 
  81: # What is the address to the log file?  (Remember to create the file and
  82: #                                         to chmod it 644)
  83: my $log_file = /home/user/www/cgi-bin/ubersecure/ubersecure.log";
  84: 
  85: # Path to your system's date program for logging.
  86: my $date_prog = "/bin/date";
  87: 
  88: # Settings for page colors.
  89: my $text = "#000000";
  90: my $link = "green";
  91: my $vlink = "#663300";
  92: my $bgcolor = "#FFFFFF";
  93: my $background = "http://www.YourSite.com/graphics/rb-bak6.jpg";
  94: my $bgproperties = "fixed";
  95: ##########################################################################
  96: my $date = `$date_prog '+%D %H:%M:%S'`;
  97: my $salt = "US";
  98: my %in = &getcgi;
  99: 
 100: if ($in{'url'} eq "passwd") { &passwd; exit; }
 101: 
 102: # Check for presence of Cookie and Parse info into $in
 103: if ( (cookie('pass')) && (cookie('name')) ) {
 104:    $in{'name'} = cookie('name');
 105:    $in{'pass'} = cookie('pass');
 106: }
 107: 
 108: # Check for presence of Access File and Parse info into name and password
 109: if ($multi_in == 1) {
 110:   open (DATA, "<$accessfile") or access_error and exit;
 111:   while(<DATA>){
 112:     chomp;
 113:     my ($acc,$accpass) = split'\|',$_;
 114:     if ( ($acc eq $in{'name'}) && ($accpass eq $in{'pass'}) ) {
 115:       $goodnick = $acc;$pass = $accpass;
 116:     }
 117:   }
 118:  close(DATA);
 119: 
 120: }
 121: # Check for img link and no password
 122: if ( ($in{'img'}) && ($in{'pass'} ne $pass) ) {
 123:   print header;
 124:   open(FILE,"$imgfile");
 125:   while(<FILE>) { print $_; }
 126:   exit;
 127: }
 128: # Make sure its a valid login then do commands
 129: if ( ($in{'name'} eq $goodnick) && ($in{'pass'} eq $pass) ) {
 130:   &send_mail;&log_in;
 131:   my $cookie_set1 = "Set-Cookie: name=$in{'name'}\n";
 132:   my $cookie_set2 = "Set-Cookie: pass=$in{'pass'}\n";
 133:   print $cookie_set1;
 134:   print $cookie_set2;
 135:   print header;
 136:   open (DATA, "<$datafile") or &data_error and exit;
 137:   while(<DATA>){
 138:     my ($key,$url)=split'\|',$_;
 139:     if($key eq $in{'url'}){
 140:       open(FILE,"$url");
 141:       while(<FILE>) { print $_; }
 142:       exit;
 143:     }
 144:     if($key eq $in{'img'}){
 145:       open(FILE,"$url");
 146:       while(<FILE>) { print $_; }
 147:       exit;
 148:     }
 149: 
 150:   }
 151:   close(DATA); &key_error; exit;
 152: }
 153: # Display Page For Login Error Due to bad pass
 154: elsif ( ($in{'pass'}) && ($in{'pass'} ne $pass) ) {
 155: 	&print_badlogin;exit;
 156: }
 157: # Display Page for Login Error Due to Bad Login Name
 158: elsif ( ($in{'name'}) && ($in{'name'} ne $goodnick) ) {
 159: 	&print_badlogin;exit;
 160: }
 161: # Put up page for user to login
 162: else {
 163: 	print header;&print_login;exit;
 164: }
 165: ##########################################################################
 166: # If Specified Send Email to Webmaster about UberSecure
 167: ##########################################################################
 168: 
 169: sub send_mail {
 170:  if ( cookie() ) { return 1; }
 171:   if ($send_mail == 1) {
 172:    if (-x $mail) {
 173:     open(MAIL, "|$mail");
 174:     print MAIL ("To: $to_email\n",
 175:                 "From: UberSecure_v1.1.0\n",
 176:                 "Subject: Login Detected by $in{'name'}\n",
 177:                 "User has logged in to UberSecure v1.1.0\n\n",
 178:                 "$ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'})\n\n",
 179:                 "$date\n",
 180:                 "  Name: $in{'name'}\n");
 181: 	if ($email == 1) {
 182: 	  print MAIL "  E-mail: $in{'email'}\n";
 183: 	}
 184: 	close(MAIL);
 185:   }
 186:  }
 187: }
 188: sub send_mail_badurl {
 189:  if ($send_mail_badurl == 1) {
 190:   if (-x $mail) {
 191:    open(MAIL, "|$mail");
 192:    print MAIL ("To: $to_email\n",
 193:                "From: UberSecure_v1.1.0\n",
 194:                "Subject: Bad URL Key Attempt at $in{'url'}$in{'img'}\n",
 195:                "$in{'name'} has logged in to UberSecure v1.1.0
 196:                                             to access --\> $in{'url'}\n\n",
 197:                "Unfortunately $in{'url'}$in{'img'} does not exist
 198:                                             in your data file.\n\n",
 199:                "$ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'})\n\n",
 200:                "$date\n",
 201:                "  Name: $in{'name'}\n");
 202: 	if ($email == 1) {
 203: 	  print MAIL "  E-mail: $in{'email'}\n";
 204:    }
 205:    close(MAIL);
 206:   }
 207:  }
 208: }
 209: ##########################################################################
 210: # Display Error Page if The Password is Incorrect
 211: ##########################################################################
 212: 
 213: sub print_badlogin {
 214: &logerror("Login attempt for $in{'name'} Invalid Attempt");
 215: print header;
 216: begin_html("Bad Login Information to $pagename");
 217: 
 218: print <<"html";
 219: <center>
 220: <font size=5>Login Error to: <b>$pagename</b><br><br>
 221: </font>
 222: Please try your Login again!  <a href="$thisscript?url=$in{'url'}">click here!</a>
 223: </center>
 224: html
 225: print end_html;
 226: exit;
 227: }
 228: ##########################################################################
 229: # Display Login Page if No Login/Pass In Cookie
 230: ##########################################################################
 231: 
 232: sub print_login {
 233:   begin_html("Login to $pagename");
 234:   print "<font size=5>Please login to <u>$pagename</u></font>";
 235:   print start_form(-method=>'post',
 236: 			    -action=>"$thisscript?url=$in{'url'}");
 237:   print textfield(-name=>'name',
 238: 			    -size=>25,
 239: 			    -maxlength=>25);print " Login Name<BR>";
 240:   if ($email == 1) {
 241:   print textfield(-name=>'email',
 242: 				-size=>25,
 243: 				-maxlength=>25);print " Email Address<BR>";
 244:   }
 245:   print password_field(-name=>'pass',
 246: 				-size=>25,
 247: 				-maxlength=>25);print " Login Password<BR><BR>";
 248: 
 249:   print hidden(-name=>'url',
 250: 			     -default=>$in{'url'});
 251: 
 252: 
 253:   print submit(-name=>'Submit',
 254:     			-value=>'Submit');
 255: 
 256:   print endform;print end_html;
 257:   exit;
 258: }
 259: ##########################################################################
 260: # Parse Information sent thru the URL Command line into $in{}
 261: ##########################################################################
 262: 
 263: sub getcgi {
 264:     my $cgi = CGI->new();
 265:     my %in = %{$cgi->Vars};
 266:     if ($in{'pass'}){$in{'pass'} = crypt($in{'pass'}, $salt);}
 267:     return %in;
 268: }
 269: 
 270: sub logerror {
 271:   if (! -e "$log_file") {
 272: 		open(FILE, ">$log_file");
 273: 		print FILE "File START $date\n";
 274: 		close(FILE);
 275:   }
 276:   if ($log == 1) {
 277: 	my $error = $_[0];
 278: 	open(FILE, ">>$log_file");
 279: 	print FILE "ERROR: $ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'}) $date";
 280:    print FILE "  Name: $in{'name'}\n";
 281: 	if ($email == 1) {
 282: 		print FILE "  E-mail: $in{'email'}\n";
 283: 	}
 284:    if($in{'url'}){print FILE "  Error Msg: $error [?url=$in{'url'}]\n\n";}
 285:    if($in{'img'}){print FILE "  Error Msg: $error [?img=$in{'img'}]\n\n";}
 286: 	close(FILE);
 287:   }
 288: }
 289: 
 290: sub log_in {
 291:    if ($log == 1) {
 292: 	if (! -e "$log_file") {
 293: 		open(FILE, ">$log_file");
 294: 		print FILE "File START $date\n";
 295: 		close(FILE);
 296: 	}
 297: 	open(FILE, ">>$log_file");
 298: 	print FILE "LOGIN: $ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'}) $date";
 299:    print FILE "  Name: $in{'name'}\n";
 300: 	if ($email == 1) {
 301: 		print FILE "  E-mail: $in{'email'}\n";
 302: 	}
 303:    if($in{'url'}){print FILE "  Command: ?url=$in{'url'}\n\n";}
 304:    if($in{'img'}){print FILE "  Command: ?img=$in{'img'}\n\n";}
 305: 	close(FILE);
 306:    }
 307: }
 308: 
 309: ##########################################################################
 310: # Display Error Page if Specified Key is not in Data File
 311: ##########################################################################
 312: sub key_error {
 313: &send_mail_badurl;&logerror("Specified Key Not Found");
 314: my $show;
 315: if($in{'img'}){$show = $in{'img'}};
 316: if($in{'url'}){$show = $in{'url'}};
 317: begin_html("Error - Specified Key Not Found");
 318: 
 319: print <<"EOF";
 320: <p><font size="+5"><b><font face="Geneva, Arial, Helvetica, san-serif">
 321: ERROR 404</font></b></font></p><p><font face="Verdana, Arial, Helvetica,
 322:  sans-serif" size="4">URL Location Not Found - <b>$show</b></font></p>
 323: <p>Email the <a href="mailto:$to_email">WebMaster</A> and let them know!</p>
 324: <p>&nbsp;</p>
 325: <p>&nbsp;</p>
 326: <p>&nbsp;</p>
 327: <p><font face="Verdana, Arial, Helvetica, sans-serif" size="-1">
 328:     UberSecure v1.3.0 by <a href="
 329:     mailto:UberDragon13\@Yahoo.com?subject=UberSecure%20v1.3.0%20-%20$thisscript">
 330:     UberDragon13\@Yahoo.com</a></font></p>
 331: EOF
 332: print end_html;
 333: exit;
 334:  }
 335: ##########################################################################
 336: # Display Error Page if Data File is Missing
 337: ##########################################################################
 338: 
 339: sub data_error {
 340: &logerror("Missing Data File at $datafile");
 341: begin_html("Error - Missing Data File");
 342: print <<"EOF";
 343: <p><font size="+5"><b><font face="Geneva, Arial, Helvetica, san-serif">
 344: ERROR 404</font></b></font></p><p><font face="Verdana, Arial, Helvetica,
 345:  sans-serif" size="4">DataFile Not Found - <b>$datafile</b></font></p>
 346: <p>Check your configuration in UberSecure.cgi and verify the file exists
 347:   where the path says it does.</p>
 348: <p>&nbsp;</p>
 349: <p>&nbsp;</p>
 350: <p>&nbsp;</p>
 351: <p><font face="Verdana, Arial, Helvetica, sans-serif" size="-1">
 352:     UberSecure v1.3.0 by <a href="
 353:     mailto:UberDragon13\@Yahoo.com?subject=UberSecure%20v1.3.0%20-%20$thisscript">
 354:     UberDragon13\@Yahoo.com</a></font></p>
 355: EOF
 356: print end_html;
 357: exit;
 358: }
 359: ##########################################################################
 360: # Display Error Page if Access File is Missing
 361: ##########################################################################
 362: 
 363: sub access_error {
 364: &logerror("Missing Access file at $accessfile");
 365: print header;
 366: begin_html("Error - Missing Access List File");
 367: print <<"EOF";
 368: <p><font size="+5"><b><font face="Geneva, Arial, Helvetica, san-serif">
 369: ERROR 404</font></b></font></p><p><font face="Verdana, Arial, Helvetica,
 370:  sans-serif" size="4">AccessFile Not Found  - <b>$accessfile</b></font></p>
 371: <p>Check your configuration in UberSecure.cgi and verify the file exists
 372:   where the path says it does.</p>
 373: <p>&nbsp;</p>
 374: <p>&nbsp;</p>
 375: <p>&nbsp;</p>
 376: <p><font face="Verdana, Arial, Helvetica, sans-serif" size="-1">
 377:     UberSecure v1.3.0 by <a href="
 378:     mailto:UberDragon13\@Yahoo.com?subject=UberSecure%20v1.3.0%20-%20$thisscript">
 379:     UberDragon13\@Yahoo.com</a></font></p>
 380: EOF
 381: print end_html;
 382: exit;
 383: }
 384: ##########################################################################
 385: # Begin the HTML Document
 386: ##########################################################################
 387: sub begin_html {
 388: print start_html(           -title=>$_[0],
 389: 			    -meta=>{'author'=>'UberSecure HTML Generator',
 390: 			            'copyright'=>'copyright 2002 UberSecure'},
 391: 			    -BGPROPERTIES=>$bgproperties,
 392:              -BACKGROUND=>$background,
 393: 			    -BGCOLOR=>$bgcolor,
 394: 			    -TEXT=>$text,
 395: 			    -LINK=>$link,
 396: 			    -VLINK=>$vlink,
 397: 			    -ALIGN=>'center',);
 398: }
 399: ##########################################################################
 400: # Subroutine to help admin encrypt the user file password data
 401: ##########################################################################
 402: sub passwd {
 403:   if ($in{'htname'}) {
 404:    if ($in{'htpass'} ne $in{'htpass2'}) {
 405:       print header;
 406:       begin_html('Password Mismatch');
 407:       print <<"EOF";
 408:       The two passwords you entered DO NOT match!<BR><BR>
 409:       <a href="$thisscript?url=passwd">Click Here</a> To try again.
 410: EOF
 411:       print end_html;
 412:       exit;
 413:    }
 414:    elsif(($in{'htname'}) && ($in{'htpass'})) {
 415:       print header;
 416:       begin_html('Encrypted Results');
 417:       my $htpass = crypt($in{'htpass'}, $salt);
 418:       print <<"EOF";
 419:       Simply Copy/Paste the Encrypted Line to your uberaccess.txt<BR><BR>
 420:       Please NOTE There is no known way to decrypt() this Password!<BR>
 421:       Make sure your User remembers his/her password.<BR><BR>
 422:       Encrypted Access line for <code>User[<u>$in{'htname'}</u>]</code>
 423:       with the <code>password[<u>$in{'htpass'}</u>]</code> is:<BR><BR>
 424:       <h1>$in{'htname'}|$htpass</h1>
 425: EOF
 426:       print end_html;
 427:       exit;
 428:    }
 429:   }
 430:   print header;
 431:   begin_html('Get Encrypted Password');
 432:   print "Fill out this form to produce the encrypted
 433:           password line in your uberaccess.txt<BR>Note: Login Names and
 434:           Passwords are <u>case sensitive</u>!";
 435: 
 436:   print start_form(-method=>'post',
 437: 			    -action=>"$thisscript?url=passwd");
 438: 
 439:   print textfield(-name=>'htname',
 440: 			    -size=>25,
 441: 			    -maxlength=>25),
 442: 			    " Enter Login Name<BR><BR>";
 443: 
 444:   print password_field(-name=>'htpass',
 445: 				-size=>25,
 446: 				-maxlength=>25),
 447: 				" Enter Desired Password<BR><BR>";
 448: 
 449:   print password_field(-name=>'htpass2',
 450: 				-size=>25,
 451: 				-maxlength=>25),
 452: 				" RE-Enter Desired Password<BR><BR>";
 453: 
 454:   print hidden(-name=>'url',
 455: 			     -default=>'passwd');
 456: 
 457: 
 458:   print submit(-name=>'Get Encrypted Line',
 459:     			-value=>'Get Encrypted Line');
 460: 
 461:   print endform, end_html;
 462:   exit;
 463: 
 464: }
 465: 
 466: ##########################################################################
 467: # End of Program
 468: ##########################################################################
 469:

Comment on html/file security cgi [revisited] Select or Download Code

Replies are listed 'Best First'.

Re: UberSecure v1.5.2
by cjf (Parson) on May 13, 2002 at 12:02 UTC

Please take a look at Essential CGI Security Practices.

[reply]

Re: lame site security cgi
by davorg (Chancellor) on May 14, 2002 at 07:43 UTC

Others have commented at great length on the shortcomings of your program, so 'm not going to add to that.

I'm interested in knowing how you picked up so many bad habits. How did you learn Perl? Did you teach yourself from reading a book? Or did you find a tutorial on the web? Or were you taught by someone who claimed to know Perl, but obviously doesn't?

I'm very interested in finding out how people learn bad Perl so that we can work on replacing the resources that they use with better ones, so any information that you can give me would be great.

http://www.dave.org.uk

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg

[reply]

how I learned perl

by UberDragon13 (Acolyte) on May 14, 2002 at 16:27 UTC

[reply]

Re: how I learned perl

by rinceWind (Monsignor) on May 14, 2002 at 17:04 UTC

UberDragon13

Here are a few tips for getting the best out of this site. Firstly, you may have found that the code you posted has earned a number of -- points. Don't take this to heart as it's just a (fairly meaningless) number after all.

There are two tools it would be a good idea how to find out how to use:

The Chatterbox (CB). Here, you can ask questions about pretty much anything - they don't even have to be Perl related (but I guess you are already familiar with IRC). The /msg facility is useful for posting a message to an individual off list. This is much better than posting flame, which will earn you considerably more -- votes and lose you more respect than duff code.
Remember, anything you post as replies is public. Anything sent via /msg is essentially a private conversation.
Open up your personal scratchpad. Click on your name, and "Edit your user information". Here is something which is _yours_ and public, but you will not be judged and downvoted on it. It is a good place to post code for review - the worst you will get is sarcasm on the CB.

Also, have a good look around the site, read the FAQs, do some searches on topics of interest. In particular, check out the links other monks have given you in reply - this will take you to some quit informative articles both inside and outside the site.

You will find that this is one of, if not the best Perl forum on the Internet.

rinceWind

[reply]

Re: how I learned perl

by davorg (Chancellor) on May 14, 2002 at 18:15 UTC

I have used a large variety of resources to learn perl. This includes books, websites, code snooping etc.

The problem is that like just about everything else, 90% of Perl books and Perl tutorial websites are rubbish. One problem that I'm very interested in is how we in the Perl community steer potential Perl converts to all the good information before they find all of the rubbish.

You've obviously found Perlmonks, which is a good start. I'd also recommend that you look at perl.com and use.perl; on a regular basis.

As far as books go. The wisdom of the Perl community is gathered in perlfaq2. Try typing perldoc -q book at you command line.

http://www.davee.org.uk

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg

[reply]

Be Nice To Newbies!
by mt2k (Hermit) on May 16, 2002 at 00:57 UTC

Yes, I approved this node when it seems that no one else would. Why? Because if you would look, this is only his 1st post here on perlmonks. This is also his 2nd script as a scripter, and if you ask me, it's not so bad! Maybe insecure, could use a few modules instead of some of that code, makes the screen width a little huge, and could use a general clean up, but that's no reason to put him to -20 (before I ++ him)!
Since when are we so harsh on people new to the perl language? Are we trying to keep the language to ourselves by discouraging others from attempting to learn it? I say bravo Uber! I wish I had been able to create such a script (even if it does need work) on my second try at the language. I believe my first script was a 3-liner or something!
I would like to welcome you to the site UberDragon13 and to the Perl language. I sincerely hope that you are not discouraged by what some people have told you here. Programming is fun and I think that everyone has a right to try it out and learn it! I'd like to see the second script written by those that criticized your skills. Bet theirs weren't so great either.
Like the others (the nicer people) have suggested, do some reading up on some of those modules and learn how they can make life much easier.

There, that's my 10000 cents.

[reply]

Re: Be Nice To Newbies!

by UberDragon13 (Acolyte) on May 16, 2002 at 08:11 UTC

use strict;

[reply]
[d/l]
[select]

Re: UberSecure v1.5.2
by Anonymous Monk on May 13, 2002 at 11:35 UTC

-T

-w

use warnings;

use strict;

"C"

"F"

[reply]
[d/l]
[select]

Re: Re: UberSecure v1.5.2

by educated_foo (Vicar) on May 14, 2002 at 19:38 UTC

Seriously, why does abusive crap like this get modded up? I can't see it as anything more than a waste of bandwidth. And many of the other posts in this thread are little better -- the pointers to existing modules and resources are certainly useful and appropriate, but there's no need to liven them up with comments like "explain why you suck." Reminds me of the bad parts of usenet sometimes. We can do better.

[reply]

Re: html/file security cgi
by jynx (Priest) on May 17, 2002 at 01:15 UTC

(a few random, specific things in no particular order)

rather than use an outside time program (/bin/date) you can use localtime. This will avoid a shell call which is usually a Good Thing(tm).
never, never, never set a file to 777 permissions. There are too many ways that a universally writeable file can be abused, just don't do it. 644 is better.
For your print statements, you can bundle like things by comma-seperating them rather than using individual print statements.
You should use cgi's methods for getting the arguments passed to the script. Realizing you're already heard use CGI or die many times, i'll give you a reason: You're not restricting content length. A cracker could easily use that to break into the system. Parsing cgi arguments correctly is very difficult, (ab)using CGI is much easier.
It would probably be better to store the single-user password in the access.txt file. Storing passwords is in general a bad idea, but there's only so much you can do to circumvent that problem when doing cgi work (storing them in the script is not a good option)
If you can find a way (at a later date) to use a random salt, that would be better than hardcoding one. Much more secure. You can find an example of how to create one on crypt's perldoc page.
You don't check to see if you actually opened the log file. What if you failed? Currently you continue as if nothing went wrong. Should you die? Warn others? Whether you fail gracefully or gracelessly, you should do something when you fail...
A very minor nit, but possibly useful. Rather than saying:
if (($in{'name'})&& etc...
it seems better (monks correct me if i'm wrong) to use exists here:
if (exists($in{'name'}) && etc...
to reiterate a few others, strict and warnings are useful. Also, test your script out on command line before putting it in cgi_bin. That will help clear out a lot of other possible pitfalls early as well...
Lastly, @_ is your friend. Argument passing is an excellent thing to learn, and using strict will become much easier once you stop using globals.

As for coding, don't try to implement a lot of changes at once (assuming you're still making changes). It's just a bad idea (unless you're a real programmer like mel ;-). Whatever changes you plan to implement, make them 1 at a time. And if you can stomach it, you should probably post the next (major) revision to Seekers of Perl Wisdom if you plan on asking for further advice. You'll probably receive more help there.

jynx

[reply]
[d/l]
[select]

Re: UberSecure v1.5.2
by vladb (Vicar) on May 13, 2002 at 17:24 UTC

HTML::Template
CGI

UPDATE:

particle

UPDATE 1:

UberDragon13

"There is no system but GNU, and Linux is one of its kernels." -- Confession of Faith

[reply]

UberSecure v1.5.2 comments

by UberDragon13 (Acolyte) on May 13, 2002 at 21:45 UTC

[reply]

Re: UberSecure v1.5.2 comments

by cjf (Parson) on May 14, 2002 at 02:56 UTC

Hello, just a few suggestions to help you improve upon this code:

use CGI or die; - A few reasons why you should use the CGI.pm module instead of rolling your own.
Using strict.pm will save you a lot of time down the road.
As I pointed out earlier, make sure to read up on security. If you only remember one thing, make sure it's Don't Trust User Input.
Add the -w flag (or use warnings;) to enable warnings. They'll help you catch silly mistakes and reduce your debugging time.

For added points, remove the "Do not edit without permission." statement. If you're posting code to get advice on how to improve it, the least you can do is allow others to use and modify it.

Other minor annoyances:

The title - "UberSecure" this script isn't. Not by any stretch of the imagination. When you're learning and unsure of a script's quality, better to stick with a different title.
Version number - I'm curious where "Version 1.5.2" came from. This number shouldn't just be picked out of the air, it should be representative of the stability of the code. Read the Software Release Practice HOWTO for more details on good release practices.

Hope this helps and best of luck with your future postings :).

[reply]
[d/l]