in reply to Minimizing paths?
I've got a bunch of programs that handle a website I'm working on, one of which is a main "server" program. It basically gets a single parameter: page location (for example: http://.../serve.pl?page=/perl/index.html). This works very nicely.
Have you tried your script to see how ‘nicely’ it works with pages that aren't in your document directory? You don't want things like this to work:
You'd improve security if you just passed in the basename of the file as the CGI parameter, with the path and extension being hardcoded in the Perl script and added there.
But even that may not be secure. Do not put your site live without checking the vulnerabilities mentioned in this Phrack article. This still applies even if you go for URL rewriting as suggested in other answers.
Smylers
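The approach suggested above, restricting the CGI parameter to a plain basename and hardcoding the directory and extension in the script, sketched as an added Perl example (this is not Smylers' or the original poster's code; the document root `/var/www/pages`, the `.html` extension and the `resolve_page` name are assumptions for illustration). It also demonstrates the follow-up check that the resolved file really lives under the document root:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Assumed document root and extension. They are fixed in the script,
# never taken from the request.
my $DOC_ROOT  = '/var/www/pages';
my $EXTENSION = '.html';

# Turn a 'page' CGI parameter into an absolute path to serve.
# Returns undef when the parameter is not an acceptable basename.
sub resolve_page {
    my ($page) = @_;
    return undef unless defined $page;

    # Allow-list: a bare basename of letters, digits, '_' and '-' only.
    # This rejects '/', '..', NUL bytes and anything that could change
    # the directory or the extension.
    return undef unless $page =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    my $path = File::Spec->catfile($DOC_ROOT, $page . $EXTENSION);

    # Belt and braces: if the file exists, confirm that its real location
    # (after symlink resolution) is still below the document root.
    if (-e $path) {
        my $real = realpath($path);
        my $root = realpath($DOC_ROOT);
        return undef
            unless defined $real && defined $root
                && index($real, $root . '/') == 0;
    }
    return $path;
}

# Constructed sample inputs: two well-formed requests followed by values
# that must not be accepted.
for my $p ('index', 'about-us', '../../../etc/passwd',
           'index.html', "index\0.pl", '/etc/passwd') {
    my $r = resolve_page($p);
    (my $shown = $p) =~ s/\0/\\0/g;
    printf "%-25s => %s\n", $shown, defined $r ? $r : 'REJECTED';
}
```

Only `index` and `about-us` resolve to a path under the document root; every other value is rejected before the filesystem is touched. The `realpath` comparison is there for the case where a file inside the root is a symlink pointing elsewhere, which the basename check alone does not cover.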