I was going to say I was really surprised you could do the same thing, but after analyzing my code more carefully I know how you inserted "aweirdentryinyourlog".

You did it like this: http://localhost/cgi-bin/index.pl?select=aweirdentryinyourlog

Nothing bad happened because this attempt falls inside the unless code block where my program exits. I have corrected it though and now the code looks like this:

    # Excerpt from the CGI script: header(), param(), br() and h1() come from CGI.pm,
    # and $db, $date, $host, $update and $data are set up elsewhere in the script.
    my @files = glob "$ENV{'DOCUMENT_ROOT'}/data/text/*.txt";
    my @menu_files = map m{([^/]+)\.txt}, @files;
    Encode::from_to($_, 'ISO-8859-7', 'utf8') for @menu_files;

    print header( -charset=>'utf8' );
    my $article = param('select') || "Welcome Page!";

    if ( param('select') ) {    #If user selected an item from the drop down menu
        unless( grep /^\Q$article\E$/, @menu_files )    #If user selection doesn't match one of the valid filenames within @menu_files
        {
            if( param('select') =~ /\0/ ) {
                $article = "*Null Byte Injection* attempted => $article";
                print br() x 2, h1( {class=>'big'}, $article );
            }
            elsif( param('select') =~ /\.\.\// ) {
                $article = "*Backwards Directory Traversal* attempted => $article";
                print br() x 2, h1( {class=>'big'}, $article );
            }
            else {
                my $message = "What Exactly Are You Up To With > $article < Mighty Hacker ?";
                print br() x 2, h1( {class=>'big'}, $message );
                $article = "*Hack Attempt* attempted => $article";
            }
            $update = $db->prepare( "UPDATE guestlog SET article=?, date=?, counter=counter+1 WHERE host=?" );
            $update->execute( $article, $date, $host );
            exit 0;
        }

        Encode::from_to($article, 'utf8', 'ISO-8859-7');    #Convert user selected filename to greek-iso so it can be opened
        open FILE, "<$ENV{'DOCUMENT_ROOT'}/data/text/$article.txt" or die $!;
        local $/;
        $data = <FILE>;
        close FILE;

        Encode::from_to($article, 'ISO-8859-7', 'utf8');    #Convert user selected filename back to utf8 before inserting into db
        $update = $db->prepare( "UPDATE guestlog SET article=?, date=?, counter=counter+1 WHERE host=?" );
        $update->execute( $article, $date, $host );
    }
    else {
        # blablabla (the rest of the script is not shown in the post)
    }

Now I print a funny message to the hacker, and this time I am aware of what's in the log since I create the message to be logged.

Please, if you have spare time, see if you can pass any other bogus info to my script, or perhaps you can open a file.

My major concern is this line, but as I have written it, and especially with the ".txt" assertion attached on the end, I believe there can't be a possible attempt at opening a file stored on my hdd through my script.

Or am I wrong?!


In reply to Re^2: Weird entry index my guestlog by Nik
in thread Weird entry index my guestlog by Nik
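
An added example, not part of Nik's post or script: the same allow-list idea done as an exact hash lookup with a three-argument open, so the path that gets opened comes from the directory listing rather than from the request. The sub name read_article, the temporary directory and the request values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sample data: a throwaway directory standing in for data/text.
my $dir = tempdir( CLEANUP => 1 );
for my $name (qw(welcome news)) {
    open my $out, '>', File::Spec->catfile( $dir, "$name.txt" ) or die $!;
    print {$out} "contents of $name\n";
    close $out;
}

# Allow-list built from the directory itself: menu name => full path.
my %allowed;
opendir my $dh, $dir or die $!;
for my $entry ( readdir $dh ) {
    $allowed{$1} = File::Spec->catfile( $dir, $entry ) if $entry =~ /\A(.+)\.txt\z/s;
}
closedir $dh;

# Return the article text only when $select is exactly a known menu name.
sub read_article {
    my ($select) = @_;
    return unless defined $select && exists $allowed{$select};
    # Three-argument open; the path comes from %allowed, not from the request.
    open my $in, '<', $allowed{$select} or die "open failed: $!";
    local $/;
    my $data = <$in>;
    close $in;
    return $data;
}

# Constructed request values, including the kinds the script above reports.
my @requests = ( 'welcome', 'aweirdentryinyourlog', '../welcome',
                 "welcome\0", "welcome\n", 'welcome.txt' );
for my $select (@requests) {
    # Percent-encode non-printable bytes before the value is shown or logged.
    ( my $shown = $select ) =~ s/([^\x20-\x7e])/sprintf '%%%02X', ord $1/ge;
    printf "%-22s %s\n", $shown,
        defined read_article($select) ? 'served' : 'rejected';
}
```

Only the first request is served; every other value, including the name with ".txt" already appended, fails the exact lookup before any file is opened.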
