noname00 has asked for the wisdom of the Perl Monks concerning the following question:

hi everyone...
I have 2 questions

1. I made some scripts to generate dynamic pages.
The dynamic pages show data that some user entered before.
I want to give them the opportunity to type HTML code in their input.

for example, when a user enters:
<b>hello</b>
the dynamic page will display
hello and not
<b>hello</b>
I was wondering if this could be a security bug. I see perlmonks.com allows this too, so I guess it is ok (except <script> tags, and what else??) but I have to ask!


2. I have another Perl script that includes some "administrator" functions ("functions.lib").
In this script there is no check if the user calling the function has the privilege to call it..
The check is done before, in a *.cgi script, and if the user has the privilege then the function is called from "functions.lib" ...
Is there any way that someone could use functions directly from "functions.lib"?
Should I add the check there too?


The real question is this: if someone knew the code of my scripts, do you think he could find some hole?

thanx in advance monks!
Always a pleasure to learn from you

Re: security questions
by Abigail-II (Bishop) on May 21, 2004 at 13:39 UTC
    It all depends on what you consider "secure" and "insecure". Does it need to be secure for your server? For the submitter? For the user reading the 'dynamic pages'? For the browser displaying it? For the machine running the browser?

    if someone knew the code of my scripts you think he could find some hole?
    This question has the same answer as the question "does my script have some hole".

    Abigail

      secure for everyone and everything...

      -------------
      if someone knew the code of my scripts you think he could find some hole?
      This question has the same answer as the question "does my script have some hole".
      -------------

      Let's say that the only security bugs are the ones described above.
        Secure for everyone and everything cannot be done in any system of a decent size. In practice, there is always a point where the cost of closing a potential hole will be so high that you'd be better off not implementing the feature.

        For instance: do you want to protect yourself against users putting up "illegal" content? (yes, there is such a thing, at least where I live)

        Other example: what about DoS attacks?

        It's a matter of risk vs usability vs cost of implementation. You really should read the OWASP guide if you want to know about more potential problems.

        Joost

        secure for everyone and everything...
        Nope. Just to name one thing, people could write huge articles, or include images that uncompressed take a large enough amount of memory that the displaying system runs out of memory.
        Let's say that the only security bugs are the ones described above.
        So, what does that mean for the answer of "does my script have some hole"? Figure that one out, and you have figured out the answer to "if someone knew the code of my scripts you think he could find some hole".

        Abigail

Re: security questions
by Joost (Canon) on May 21, 2004 at 13:49 UTC
    1. Just rendering any user input in an HTML page without checks can be considered a security risk. Especially if that input is also viewed by other users (so-called cross-site scripting attacks). For instance, see this article on perl.com. Your best bet is to disable as much as possible (only allow <b> and <i>, for instance) and HTML-escape the rest. Also note that not verifying user input can be a big risk if the called functions also don't check their input for sane values.
    2. You should make your "functions.lib" not accessible to browsers; then, as long as the .cgi script does good checks on who is calling what in the functions library, you'll be all right. Your insecurity about this issue makes me wonder, though. Can you show some code?
    the real question is this : if someone knew the code of my scripts you think he could find some hole?
    Not easy to say, since I haven't seen your code :-) The magic 8-ball says very likely.

    Joost.
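The approach Joost describes for question 1 (keep an allowlist of harmless tags, HTML-escape everything else), written out as an added example; this is not Joost's code or the original poster's scripts. It assumes the allowlist is just bare `<b>` and `<i>` with no attributes, and it also closes any tag the submitter left open so a stray `<b>` cannot bleed into the rest of the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist: the only tags a submitter may use, with no attributes.
my %ALLOWED = map { $_ => 1 } qw(b i);

# Turn text into something that renders literally in an HTML page.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Keep bare <b>, </b>, <i>, </i>; escape every other tag and all text.
# Allowed tags still open at the end are closed; a close tag that was
# never opened is dropped.
sub sanitize_html {
    my ($input) = @_;
    my ($out, @open) = ('');
    pos($input) = 0;
    while (pos($input) < length $input) {
        if ($input =~ /\G<(\/?)([A-Za-z]+)>/gc) {
            my ($close, $tag) = ($1, lc $2);
            if (!$ALLOWED{$tag}) {
                $out .= escape_html("<$close$tag>");   # e.g. <script>
            }
            elsif (!$close) {
                push @open, $tag;
                $out .= "<$tag>";
            }
            elsif (grep { $_ eq $tag } @open) {
                # close everything opened after it, then the tag itself
                while ((my $t = pop @open) ne $tag) { $out .= "</$t>" }
                $out .= "</$tag>";
            }
        }
        else {
            # a lone "<" or a run of ordinary text up to the next "<"
            $input =~ /\G(<|[^<]+)/gc;
            $out .= escape_html($1);
        }
    }
    $out .= "</$_>" for reverse @open;
    return $out;
}

# Constructed sample input mixing allowed, disallowed and unclosed tags.
print sanitize_html(q{<b>hello</b> <script>alert(1)</script> <i>x}), "\n";
```

For production code a maintained module such as HTML::Scrubber does the same allowlisting with far more edge cases handled (attributes, comments, malformed markup).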