Even with the double fork and chroot there're still a lot of potential security holes which are open, for example consider the following two fairly common attacks for a couple off the top of my head:
- Denial of service attacks: Make the machine talk to itself a lot.. use LWP::Simple; while (1) { get("http://localhost/something_intensive.cgi")} (bonus points for calling the the calculator again with the same effect), fork bombing with while (1) { fork }, or getting a list of the current user's active processes and kill -9'ing them.
- Mailing back details from your machine to the aggressor to get information for other attacks: Grab the script, grab the config files listed in the script, connect to the database with credentials from config file, delete all data or subtly corrupt it as you see fit. If this application has no config file there're probably other web apps on the machine who's config file you can get.
Basically this is the Whack-A-Mole kind of thing where you think of two avenues of attack and block them, the attacker thinks of a third and causes you pain. The kind of security provided by the
Safe module could be a step in the right direction but that'd need careful config, whereas the route means that the operations the user can execute are strictly restricted to a known-safe subset, and also means that the user can enter terms such as '2x2.23kg in lbs' which'd never run in Perl even with constants carefully defined.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.