in reply to Ping from HTML

This seems like an excellent job for Java, given a recent post here with the title Java is the machine that goes "Ping!".

Sorry, absolutely off topic and not helpful at all, but I really couldn't resist ;-)

Given that you need an entry in the syslog, you'll have little choice but server side logic, I'd think. That means writing a simple CGI script. Here's a quick and dirty hack that shows the basic things to do. Cleaning it up is left as an exercise to the reader. Obviously the first thing to change is the $ping_cmd which is right for my Windows box but probably wrong for your machine.

No syslog entry though since you don't specify what OS this is supposed to run under. Have a look at CGI::Carp error redirection for a possible approach.

The HTML code to call it for a specific IP address would look like 

<a href="http://www.you.com/cgi-bin/ping.pl?ip=131.133.33.18">131.133.
+33.18</a>

[download]

Hope this helps, -gjb-

Update: As IlyaM points out, there are a number of security holes in this code. I'm not a web programmer (well, not since CGI.pm was invented), so I'd better refrain from answering web related questions. The first problem he mentions is very bad, I wouldn't have done that when I wrote CGI scripts years ago. I'll leave the code as is for educational purposes, but don't use it without heeding IlyaM's advice in the reply below.

#!perl

use strict;
use warnings;
use CGI qw( :standard );
use CGI::Carp qw( fatalsToBrowser );

my $ping_cmd = 'c:/WINNT/system32/ping';

my $query = CGI->new();
my $param = $query->Vars();

print header();
print start_html("Ping page");

if (exists $param->{ip}) {
    my $result = `$ping_cmd $param->{ip}`;
    print p("You try to ping $param->{ip}, the result is:",
            br(),
            pre($result));
} else {
    print p("No ip address specified in query");
}

print end_html();

[download]

Replies are listed 'Best First'.
Re: Re: Ping from HTML
by IlyaM (Parson) on Jan 06, 2003 at 13:26 UTC
[reply]
      First point++.
      On your second point, I wonder how neccassary it is to escape the output of the command. If someone has modified a system utility it's just as likely they could access the source of the CGI script as well...

      -Lee

      "To be civilized is to deny one's nature."
[reply]

        The problem is that attacker can modify ping's output without having direct access to this program. Example:

        ilya@juil:~$ ping www.aha.ru
PING distributed.zenon.net (195.2.91.103): 56 data bytes
     ^^^^^^^^^^^^^^^^^^^^^
64 bytes from 195.2.91.103: icmp_seq=0 ttl=120 time=69.3 ms
64 bytes from 195.2.91.103: icmp_seq=1 ttl=120 time=64.6 ms

        [download]

        Note that ping (at least its version on my Linux desktop) queries DNS to find canonic name of pinged host. Since attacker controls networking address of pinged computer and may potentialy control corresponding DNS server he can control this part of ping's output. In general if you use output of any networking program you must be extra careful about it. There are many ways how attacker can tamper it without having direct access to your computer.

        --
        Ilya Martynov, ilya@iponweb.net
        CTO IPonWEB (UK) Ltd
        Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
        Personal website - http://martynov.org

[reply]
[d/l]
Re: Re: Ping from HTML
by davorg (Chancellor) on Jan 06, 2003 at 13:09 UTC
    Obviously the first thing to change is the $ping_cmd which is right for my Windows box but probably wrong for your machine.

    If you're going to ping machines from a Perl script, why not use Net::Ping instead of an external program?

    --
    <http://www.dave.org.uk>

    "The first rule of Perl club is you do not talk about Perl club."
    -- Chip Salzenberg

[reply]

In Section Seekers of Perl Wisdom