JayBee has asked for the wisdom of the Perl Monks concerning the following question:

I was just browsing my new site (linux/unix server), checking my perl programs with MSIE6 with Win2k.pro and suddenly, out of the blue, I got a system popup as if I requested to download a file. This file was from a completely different set of programs that I hadn't even used for about 3 days.

What do you think caused it and is there a way to prevent this from happening again? Like anyone, there's a lot of things I want protected, like passwords etc. for my site and SQL, that could potentially be in one of my scripts.

Is CHMOD 755/555 the absolute minimum (and workable)? Should I also CHMOD the directory?

If I could password protect the directory, could I still link into the files in that directory (cgi-bin)?

p.s. I haven't written any programs for downloading any files either, so it wouldn't be a likely cause.

Thank you in advance... JayBee

UPDATE:

  • the file was a ~.cgi file
  • I am using the highest class of Canaca's virtual hosting
  • My windows does have a firewall and I update at least every month
  • There are many problems with my Win2k, but still the server should not allow that...
    Re: Script security
    by allolex (Curate) on Feb 10, 2004 at 11:14 UTC

      I suspect this doesn't have anything to do with Perl per se, but you will probably benefit from installing a personal firewall like Tiny Firewall or Zone Alarm on your Windows system. A firewall can prevent communication you do not want taking place. Also, make sure you have all system updates installed.

      CGI Programming with Perl, 2nd Edition, Chapter 8 is a good place to start for general (and specific) CGI security questions.

      --
      Allolex

        Some 'free hosts' use ActiveX downloads to generate revenue from their users' web sites (not sure if that may apply in this case).
    Re: Script security
    by Berik (Sexton) on Feb 10, 2004 at 11:00 UTC
      For the download thing:
      What type of file was it? Is it a file that should be downloadable, or must it be protected? Was the file located at the server? Is it possible you hit enter while you were searching through the URLs you visited before?

      For the security:
      Not only the permissions should be set, also your webserver must be configured right. If your webserver is configured to send .cgi files as text/plain, everybody can read your source code. If you don't want that, you should set your webserver's configuration so that .cgi files get executed.

      Next, if you are on a public server, your password will probably not be secure. You can hide the password in a file in an obscurely named directory, but still you need to put that location in your script. If your script runs setuid to your userid, there's no problem, just put the password in some file and make sure the permissions are set so nobody but you can read it.

      ---
      Berik
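The last paragraph of Berik's answer (keep the password out of the script, in a file only your own user can read) is the part worth turning into a habit, and it only works if the script actually checks that the file is still private. The example below is an added illustration, not code from this thread or from any poster: a CGI script that loads database credentials from a file kept outside the web root and refuses to run if the file is a symlink, is not owned by the user the script runs as, or has any group/other permission bit set. The path `$ENV{HOME}/private/db.conf` and the `key = value` file format are assumptions for the example. The script itself can stay mode 755 (it contains no secret); the credential file should be 600.

```perl
#!/usr/bin/perl
# Added example (not from the thread): load credentials from a private file
# and abort if the file could be read by another account on a shared host.
use strict;
use warnings;
use Fcntl ':mode';    # S_ISREG

# Assumed location: outside DocumentRoot and cgi-bin, so a misconfigured
# handler for .cgi files can never serve it as a document.
my $CRED_FILE = "$ENV{HOME}/private/db.conf";

# Returns the permission bits if the file is private enough, dies otherwise.
sub check_private_mode {
    my ($path) = @_;
    my @st = lstat($path) or die "cannot stat $path: $!\n";
    my $mode = $st[2];

    # lstat does not follow symlinks, so a link planted in place of the
    # file fails this test instead of silently redirecting the read.
    die "$path is not a regular file\n" unless S_ISREG($mode);

    # Any group/other bit means another user on the host could read it.
    my $perm = $mode & 07777;
    die sprintf("%s is too permissive (mode %04o); use chmod 600\n", $path, $perm)
        if $perm & 0077;

    # The file must belong to the effective user the script runs as
    # (this is where Berik's "runs setuid to your userid" matters).
    die "$path is not owned by the effective user\n" unless $st[4] == $>;

    return $perm;
}

# Reads "key = value" lines (assumed format); '#' lines and blanks skipped.
sub load_credentials {
    my ($path) = @_;
    check_private_mode($path);
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my %cred;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "bad line in $path: $line\n";
        $cred{$k} = $v;
    }
    close $fh;
    for my $required (qw(user password)) {
        die "$path lacks '$required'\n" unless defined $cred{$required};
    }
    return \%cred;
}

my $cred = load_credentials($CRED_FILE);
# ... connect to the database with $cred->{user} / $cred->{password} here.
# Never echo the values into the response or into a world-readable log.
print "Content-type: text/plain\n\nok\n";
```

The ownership check is the honest part of this: if the host runs every CGI as a shared `nobody` user rather than as you, the credential file has to be readable by that shared user, and then every other customer's script can read it too. In that situation the check fails on purpose, which tells you the hosting setup, not the file mode, is the problem.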
    Re: Script security
    by b10m (Vicar) on Feb 10, 2004 at 14:19 UTC

      I have no clue what you mean with "and suddenly, out of the blue, I got a system popup as if I requested to download a file.", but I guess you might like to check out a recent node about securing files on public servers: Securing your scripts on webhoster's server

      --
      b10m

      All code is usually tested, but rarely trusted.
    Re: Script security
    by Vautrin (Hermit) on Feb 10, 2004 at 16:18 UTC
      There are a number of known security holes in Win2k that may have caused your problems. (i.e. if you have the messaging service enabled and your computer is targeted). Also, if you have spyware / adware installed it could have created a pop up unrelated to your site. I'm not saying you shouldn't care about web security, but are you sure that this is related to your server and not your computer?

      Want to support the EFF and FSF by buying cool stuff? Click here.