in reply to Retrieval of script values

In general, it's impossible for people on the internet to discover the value of a variable within a perl program acting as a CGI. However, if that program is placed in a directory that is listed on the server as being a directory for web pages rather than CGI programs, it may be possible for anyone to view your program and so learn the value of the $seron variable. Also, if the program is poorly written it could reveal the value of that variable as well.

Re: Re: Retrieval of script values
by Roger (Parson) on Jan 20, 2004 at 02:55 UTC
    Also, if the program is poorly written it could reveal the value of that variable as well

    Hi duff, do you have an example to show a badly written script?

    One way I can think of is when the script is invoked as a GET, and the next page it generates has http://site.com/cgi-bin/script.pl?seron=blahblah in the URL.

      Another example would be if you used CGI::Carp for debugging and didn't remove it from production code and it helpfully said "can't open /path/to/file, /path/to/script.cgi line 99" or the like when it hit a problem.


      ($_='kkvvttuubbooppuuiiffssqqffssmmiibbddllffss')
      =~y~b-v~a-z~s; print

      I don't have a particular example, but I can think of all sorts of ways a program could be written to reveal parts of its own source. Your GET example is quite common though (I've seen it in at least one person's graduate project!). Debugging code inadvertently left in, the program is actually designed to print its own source, the variable's value is displayed as part of an error message, the value is put in a "hidden" field, etc. There are a wide variety of ways to screw things up :-)
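The three leak patterns the replies above describe (the secret in a GET URL, the secret in a "hidden" field, and CGI::Carp's fatalsToBrowser printing "can't open /path/to/file ... line 99" to the client) all share one cause: something the script knows ends up in the response. The script below is an added example, not duff's or Roger's code: the leaky forms are shown as comments next to a version that keeps $seron on the server, sends an opaque token instead, and reports file errors generically while the detail goes to the server error log. The script name /cgi-bin/script.pl, the cookie name sid, the token field, and the HMAC construction are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example for this thread. Names (script.pl, sid, token) are assumptions,
# not the original poster's script.
use strict;
use warnings;
use CGI qw(:standard);
use Digest::SHA qw(hmac_sha256_hex);

# LEAK 2 (debug aid left in production): with fatalsToBrowser every die() is
# rendered in the page, including file paths and line numbers.
# use CGI::Carp qw(fatalsToBrowser);
use CGI::Carp;                      # warn/die go to the server error log only

my $seron = 'blahblah';             # secret the script needs; never sent to the client
my $q     = CGI->new;

# Generic message to the user, full detail only in the server log.
sub fail {
    my ($detail) = @_;
    warn "script.pl failure: $detail";          # error log, not the page
    print $q->header(-status => '500 Internal Server Error'),
          "The request could not be completed.\n";
    exit;
}

# LEAK 1 (secret in a GET URL) and LEAK 3 (secret in a "hidden" field):
#   print a({ href => "/cgi-bin/script.pl?seron=$seron" }, 'next');
#   print hidden(-name => 'seron', -value => $seron);
# Both put $seron in the page source, browser history, proxy and referrer logs.
#
# Instead, carry an opaque token the server can recheck: an HMAC of the session
# id keyed with $seron, so the secret itself never leaves the server.
my $sid   = $q->cookie('sid') // fail('missing session cookie');
my $token = hmac_sha256_hex($sid, $seron);

# On the follow-up request, recompute and compare rather than trusting a
# submitted value; a mismatch is logged, the user sees only the generic page.
if (defined $q->param('token')) {
    $q->param('token') eq $token
        or fail("token mismatch for session '$sid'");
}

# File errors: the path and $! stay in the log, the client gets the generic message.
open my $fh, '<', '/path/to/file'
    or fail("open /path/to/file: $!");
my $body = do { local $/; <$fh> };
close $fh;

print $q->header(),
      $q->start_html('next step'),
      $q->start_form(-method => 'POST', -action => '/cgi-bin/script.pl'),
      $q->hidden(-name => 'token', -value => $token, -override => 1),
      $q->submit(-value => 'next'),
      $q->end_form,
      $q->pre($q->escapeHTML($body)),
      $q->end_html;
```

The form is submitted with POST so the token stays out of the URL, and the only value that reaches the page is one that is useless without $seron. The same discipline applies to duff's first point: a script kept under a plain document directory rather than a CGI directory is served as text, so no amount of careful output handling helps if the server is configured to hand out the source.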