I have tried to explain this to my boss but as I have not yet proven my perl skills (which are somewhat limited) and this is not what I was employed for anyway, they were more than a little hesitant to listen to me.

This is not a Perl question. It's general secure programming practice; whether the CGI program is written in Perl, C, Lisp, bash or any other language wouldn't matter here. The issue at heart is that it was written to trust user input.

Explain to your boss that the problem is really serious. Ask them if they would agree to be given a demonstration. Cover your back at every step of the road in case you are unjustly reproached at a later date: get written confirmations whenever possible and try to always have a coworker come along to meetings. Do not go ahead and just make a demonstration. If necessary, offer to do so in spare, unpaid time. If you are given the go-ahead, make several demonstrations: the boss may lack the technical understanding to deduce how far reaching the problem really is if you only make a single one. Come up with serious attacks; deface the site, fiddle with /etc/passwd etc; whatever comes to mind. Make sure, obviously, to back up the altered files prior to the demonstration. If you are refused the chance to explain, at least make sure you can prove you did what could be expected of you so that if any damage happens, the responsibility is with those who dismissed your concerns.

Good luck.

Makeshifts last the longest.


In reply to Re: The danger of hidden fields by Aristotle
in thread The danger of hidden fields by Gerard
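To make the point concrete for the boss, here is an added illustration (it is not code from this thread or from the CGI under discussion, and it is in Python rather than Perl precisely because the language does not matter). The field name `page`, the directory `/var/www/pages`, the page table and the secret are all constructed for the example. The first handler uses a hidden form field as a file path the way a trusting CGI would; the second treats the hidden field as a hint only, accepts it solely when it carries a valid server-side HMAC tag, and still looks the value up in a server-side table before using it.

```python
"""Added example, not from the PerlMonks thread: a form handler that trusts a
hidden field, beside one that does not. Field names, paths, page table and the
secret key are constructed for illustration."""
import hashlib
import hmac
import posixpath
from typing import Optional
from urllib.parse import parse_qs

# Constructed: what the server itself knows. A real app would use a database.
PAGES = {"about": "About us", "contact": "Contact page"}
# Constructed secret; in practice load it from outside the source tree.
SECRET = b"hypothetical-server-secret"
DOCROOT = "/var/www/pages"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body, one value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# --- vulnerable: the hidden field is taken at face value -------------------
def serve_page_trusting(body: str) -> str:
    """Uses hidden field 'page' directly as a path component. Anyone who edits
    the form (or just crafts the POST) can point it at any readable file."""
    form = parse_form(body)
    return posixpath.normpath(posixpath.join(DOCROOT, form.get("page", "")))


# --- hardened: the server signs what it emits and verifies what comes back --
def sign_hidden(value: str) -> str:
    """What the server writes into the hidden field: value plus an HMAC tag."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{tag}"


def verify_hidden(field: str) -> Optional[str]:
    """Return the value only if its tag was produced by this server."""
    value, sep, tag = field.rpartition(":")
    if not sep:
        return None  # no tag at all: the client made this up
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison; compare bytes so a non-ASCII tag cannot raise
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return value


def serve_page_checked(body: str) -> Optional[str]:
    """Even a correctly signed value is only a key into a server-side table."""
    form = parse_form(body)
    page = verify_hidden(form.get("page", ""))
    if page is None or page not in PAGES:
        return None
    return posixpath.join(DOCROOT, page)


if __name__ == "__main__":
    evil = "page=../../../etc/passwd"
    print("trusting handler opens:", serve_page_trusting(evil))
    print("checked handler opens: ", serve_page_checked(evil))
    print("checked handler, genuine form:",
          serve_page_checked("page=" + sign_hidden("about")))
```

The signature only proves the server produced the value; the table lookup is what decides whether the value may be acted on. If the set of legitimate values is small and known, the lookup alone is enough and the HMAC is simply extra assurance; the signature earns its keep when the hidden field has to carry state the server cannot enumerate in advance.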
