Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

How secure are my CGIs? As I understand it, most web-based Perl CGIs have to have their permissions set to 0755 in order to work. (All of mine do at least).

Is it fairly trivial to download the source of the typical web-based Perl CGI using a web browser or a pseudo-web browser (i.e. a homemade web-client (possibly written in Perl) or TELNETing into a site and issuing HTTP commands)?

Any attempts I have made at downloading my own scripts or others via a real web browser have resulted in my downloading just the output (instead of the text of the script itself).

But that does not mean that others don't have access via a slightly modified method, right?

What about Telnet or FTP? Obviously if someone cracks my password, they can view the source of my scripts. But can they exploit FTP and/or Telnet (or any other method) to gain access to my scripts even without the password?

Re: How Secure are my Perl CGIs
by chromatic (Archbishop) on Feb 18, 2000 at 23:30 UTC
    Assuming your web server is configured correctly, it should execute all CGIs when it receives a request for one of them. That is, if the requested file is in a specified directory (/cgi-bin) or has a specified extension (.pl, .shtml, .cgi), the server will execute the file and pass the results to the browser.

    Since the web server does this for all HTTP requests, telnetting in or using a homebrew web client should not give anyone access to the script source -- assuming that your server is configured correctly.

    For non-HTTP requests (such as FTP or telnet to any port besides the one on which the server listens), you'll have to deal with system security, as in read permissions, chroot, and all the other good stuff. Then again, if someone finds an FTP or telnet or non-HTTP exploit, he's likely to look other places before your script directories.
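The two questions in the reply above (would the server execute or serve the file, and who on the box can read it) can be checked against a directory of scripts. This is an added example, not code from the thread; the CGI directory, the extension list and the default path are hypothetical and should be matched to your own httpd configuration.

```perl
#!/usr/bin/perl
# Added example, not from the thread: audit the scripts under a CGI directory
# for the two questions in the reply -- would the server execute or serve
# this file, and what do its permission bits allow other local accounts?
use strict;
use warnings;
use File::Find;
use File::Spec;
use Fcntl ':mode';

# Hypothetical server policy; match it to your own httpd configuration.
my @cgi_dirs = ('/var/www/cgi-bin');            # everything here is executed
my %cgi_ext  = map { $_ => 1 } qw(.cgi .pl);     # ... as is anything with these

# What would a correctly configured server do with a request for this path?
sub request_outcome {
    my ($path) = @_;
    for my $dir (@cgi_dirs) {
        return 'executed' if index($path, "$dir/") == 0;
    }
    my ($ext) = $path =~ /(\.[^.\/]+)\z/;
    return 'executed' if defined $ext && $cgi_ext{$ext};
    return 'served as static text';              # the source would reach the client
}

# Filesystem side: what do the permission bits allow to other accounts?
sub perm_findings {
    my ($path) = @_;
    my @st = stat $path or return ("cannot stat: $!");
    my $mode = S_IMODE($st[2]);
    my @out;
    push @out, sprintf('mode %04o is world-readable: any local account '
                     . '(shell, FTP) can read the source', $mode) if $mode & S_IROTH;
    push @out, 'world-writable: any local account can change what the server runs'
        if $mode & S_IWOTH;
    push @out, 'owner cannot execute it: the CGI itself will fail to run'
        unless $mode & S_IXUSR;
    return @out;
}

# Walk the directory given on the command line (default: the CGI directory).
my $root = File::Spec->rel2abs(shift @ARGV || $cgi_dirs[0]);
find(sub {
    return unless -f $_;
    my $path = $File::Find::name;
    print "$path: ", request_outcome($path), "\n";
    print "  - $_\n" for perm_findings($path);
}, $root);
```

A 0755 script is flagged as world-readable because that is exactly what the mode grants to every other account on the machine; whether it can be tightened depends on the account the server runs CGIs as still having read and execute access (for example through group ownership), which is the "system security" side of the reply.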