Hello everyone You are all being very helpful and some have asked what the purpose of this script is. Digital junkyard is correct but it was not copied. Rather, back in 2000 it was custom written for us by a CGI programmer and we have been using it along with a more modern php version for a long time, hence the outdated codes. Many of you will frown upon what I am about to tell you but please bear in mind that we have been running our shopping cart this way since Google was a corporal. Here is what happens. The site is all SSL using https, all pages are PHP. We sell niche configurable custom made products that we need to be able to check manually and often times have to correct with the customer to make them producible in the way they want them. It's complicated. If we use a gateway to process cards we will be constantly issuing credits or adjustments to the total price, so instead, we take all the details of the order and the customer payment info and encrypt it using GnuPg on the server. To accomplish this we use the perl script to interact with GnuPg by sending the details of the order to the script. After encryption, the script emails the result to us and we decrypt it on this end with the private key. We then store the decrypted information on a password protected machine that is not networked. Lately, I have been seeing some direct access to the script from browsers. There are no parameters being passed to it and the only way for the script to run is from the forms that check for the presence of the parameters being not empty. I am therefore assuming that someone is trying to hack the script. I may be totally off base and yes the script is old but I am not a perl programmer. I can write simple PHP and am good at vanilla JS and jQuery, HTML5. Here is the total script with sensitive information xxxxxxxxxx'd out. I would appreciate any help the monks can give with this junkyard dog. 
#!/usr/bin/perl -T

use CGI::Carp qw(fatalsToBrowser);

use CGI qw/:standard/;       #   load cgi (functions for using forms a
+nd generating HTML)
   $CGI::POST_MAX=10240;     #   limit data to 10k
   $CGI::DISABLE_UPLOADS =1; #   prevent file uploads with this script
+ :/
use Fcntl qw(:flock);        #   file lock used by the order counter

 
my $serv = $ENV{'SERVER_NAME'};
my $ip   = $ENV{'REMOTE_ADDR'};
my $brow = $ENV{'HTTP_USER_AGENT'};
my $ref  = $ENV{'HTTP_REFERER'};

$ENV{PATH}      = "/usr/sbin/sendmail -t -i";        #for sendmail



my $text= param("order");    #   The text of the order  hopefully
my $email= param("email");    #  The address for confirmation hopefull
+y
my $totals= param("totals");    #  The order totals

# sends us an email with customers email in case an order somehow does
+ not get processed correctly
$to = 'xxxxxxxxxxxxxxxxxxxxxxx';
$from = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
$subject = 'A customer has placed an order';
$message = 'Email of user= '.$email;

open(MAIL, "|/usr/sbin/sendmail -t");

# Email Header
print MAIL "To: $to\n";
print MAIL "From: $from\n";
print MAIL "Subject: $subject\n\n";
# Email Body
print MAIL $message;
close(MAIL);


#print "Content-type: text/html\n\n";
#print $text; 
#exit;

# send to error page if no params detected. 
if (!$text)
{
   # there was an error we did'nt get any text
   # do error stuff here
   print redirect("/Order_error.php");
   exit;
}


$text.= "\n\n---------------------------------------\n\n" .
    "Server    : $serv\n" .
    "Browser   : $brow\n" .
    "IP        : $ip\n" .
    "Ref       : $ref\n\n";
#print $text;
#exit;



  # $gpg_exe    program to send data to                 -- in this cas
+e gpg
  # $gpg_opts   commandline arguments for program       -- in this cas
+e encrypt using xxxxxxxx key
  # $output_file   file name/path to recieve result


$gpg_path = "/usr/bin/gpg";
$gpg_options = "--homedir /home/xxxxxxxxxxx/.gnupg --no-permission-war
+ning --no-use-agent --batch --no-version --no-tty --always-trust --en
+crypt --textmode --armor --default-recipient xxxxxxxxxxxxxxxxxxxxxxxx
+";
$gpg_public_key_user_id = "xxxxxxxxxxxxxxxxx";


my $rnum= 1;
my $out_file  = "/home/xxxxxxxxxxxxxx/public_html/cgi-bin/encPGP/".get
+_date() ;
while(-e "$out_file$rnum") {$rnum++;}
$out_file = "$out_file$rnum";

#print $out_file;


$gpg_command =  "$gpg_path $gpg_options ";
$gpg_command .= "-r $gpg_public_key_user_id ";
$gpg_command .= ">$out_file";

open (gpgCOMMAND, "|$gpg_command");
  print gpgCOMMAND $text;
  close (gpgCOMMAND);

  open(gpgOUTPUT, $output_file);

  while (<gpgOUTPUT>) {
    $gpg_output .= $_;
  }

  close (gpgOUTPUT);
  unlink($output_file);
  #return($gpg_output);
#1;



my $date = get_date();
open (SLS, "| /usr/sbin/sendmail -t -i");
print SLS "To: xxxxxxxxxxxxxxxxxxxxxxxxx\n";
print SLS "From: ".$email."<".$email.">\n";
print SLS "Subject: Online Order $date\n\n";

my $gpg_out="";
open(gpgOUTPUT, $out_file);
    while(<gpgOUTPUT>) {
        $gpg_out .= $_;
    }
close (gpgOUTPUT);
print SLS $gpg_out;
close (SLS);
    open (USR, "|     /usr/sbin/sendmail -t -i");        
    print USR "To: ".$email."\n";
    print USR 'From: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'."\
+n";
    print USR "Subject: Online Order : $date\n\n";
    print USR "Thank you for shopping at xxxxxxxxxxxxxxxxxxxxxxxx\n";
    print USR "Your order has been received and is being processed.\n\
+n";
    print USR "You will receive a confirmation email containing your o
+rder details within\n";
    print USR "24 hours, weekends and holidays excepted.\n\n";
    print USR "Order Dept.\n";
    print USR "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n";
    print USR "Toll Free xxxxxxxxxxxxxxxxxxx\n";
    print USR 'Email: xxxxxxxxxxxxxxxxxxxxxxxx.com';
    print USR "\n\n";
    close(USR);

my $url="/Order_Successful.php?v=".$totals;
my $t=1; # time until redirect activates
print "Content-type: text/html\n\n";
print "<META HTTP-EQUIV=refresh CONTENT=\"$t;URL=$url\">\n";



 sub get_date()
  {
    my($sec,$min,$hour,$mDay,$mon,$year,$wday,$yday,$isdst) = localtim
+e(time);
    $year = $year + 1900;
    my @month = ("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep"
+,"Oct","Nov","Dec");
    my $date1 = "$mDay"."_$month[$mon]_$year"."_";
    return $date1;
  }

  sub get_order_num()
  {
      # reads the number of orders from a file with locking and error 
+checking
      # and adds one to it
    sysopen(FH, "/home/xxxxxxxxxxxxxxxxx/cgi-bin/encPGP/order_cnt.txt"
+, O_RDWR|O_CREAT) or return(-1);
    flock(FH, LOCK_EX)                  or return(-1);
    my $num = <FH> || 0;
    seek(FH, 0, 0)                  or return(-1);
    truncate(FH, 0)                  or return(-1);
    (print FH $num+1, "\n")             or return(-1);
    close FH                      or return(-1);
    
    return($num);
  }

[download]

In reply to Re: prevent perl script running from browser by snowchild
in thread prevent perl script running from browser by snowchild

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.