Just a thought...

It appears that you need the server to step in here!

Controlling access to the directories and files is its job. Even though we may have to help it out as much as possible, it is still up to the server to handle this.

We do this by placing an empty index.html, default.html or whatever your server requires as the natural "default" file to load if the directory is accidentally accessed by itself. The HTML file should have the head, title, body tags (with or without a message) and the proper closing tags as well. This just gives them a blank page in their browser.

Also, look at placing a -Indexes and other directory access controlling allow/deny parameters in a separate .htaccess file in ANY directory you do not want the server to return a listing of to a browser. Your scripts run under a different id/permission and can bypass the .htaccess.

http://httpd.apache.org/docs/1.3/howto/htaccess.html is a good reference link to read more on this subject.

Ahhh, but they may be nosy and know the pattern and type it in directly, including the logfile name.

To solve this, combine the first cgi that handles the login and returns a filtered list of the files you want them to see with an .htaccess file in the directory to serve a 403 Forbidden on a direct directory access.

Use the second cgi script, activated by the link(s), to get and spit out the logfile results. You can still meet the requirements of the soft links by linking to the new script that gets the data for the file the user chooses.

My only caution on this is to make sure that the path to the file is as hard coded as possible, as you want to prevent Reverse Directory Traversal. You will have to do some pattern matching on the input to look for anything that is a \, ., ../, or other cracking pattern/technique. If you do get a pattern match, deny any further execution of the script and make a separate log entry in a file for you to review later. Don't get caught up in filtering it out and substituting to be a nice guy; just deny the execution and make them go back and do it right. We don't want to help the wrong group of users here.


In reply to Re: Perl CGI - Viewing logfiles - Security Issues by Sagacity
in thread Perl CGI - Viewing logfiles - Security Issues by stumbler
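As an added example (not code from the thread), the kind of second cgi script the reply describes: a hard-coded log directory, a pattern check that refuses any name containing a backslash, a slash or "..", a separate rejection log for later review, and a plain 403 rather than a cleaned-up substitute. The two paths and the file= parameter name are assumptions.

```perl
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Spec;

# Assumed paths, hard coded on purpose so nothing in the request can
# influence which directory is read.
my $LOG_DIR    = '/var/www/logs';                   # assumption
my $REJECT_LOG = '/var/www/private/rejected.log';   # assumption

# Returns the full path of an acceptable logfile, or undef after logging
# the refused request for later review.
sub resolve_logfile {
    my ($name, $remote) = @_;
    if (   !defined $name
        || $name =~ m{[\\/]}      # any slash or backslash
        || $name =~ /\.\./        # any ".." sequence
        || $name !~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/ ) {  # plain name only
        log_rejection($remote, $name);
        return;
    }
    my $path = File::Spec->catfile($LOG_DIR, $name);
    return unless -f $path;       # must exist as a plain file in $LOG_DIR
    return $path;
}

sub log_rejection {
    my ($remote, $name) = @_;
    my $shown = defined $name ? $name : '<undef>';
    $shown =~ s/[^[:print:]]/?/g; # keep the audit log itself readable
    open my $fh, '>>', $REJECT_LOG or return;
    flock $fh, LOCK_EX;
    printf {$fh} "%s remote=%s rejected=%s\n", scalar localtime, $remote // '-', $shown;
    close $fh;
}

# CGI entry point: the link built by the login script is assumed to pass
# ?file=NAME.  URL-decode first so encoded characters are checked too.
my ($wanted) = ($ENV{QUERY_STRING} // '') =~ /(?:^|&)file=([^&]*)/;
$wanted =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge if defined $wanted;

my $path = resolve_logfile($wanted, $ENV{REMOTE_ADDR});
my $log;
unless (defined $path and open $log, '<', $path) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n";
    exit;
}
print "Content-Type: text/plain\r\n\r\n";
print while <$log>;
close $log;
```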