Re: Perfecting index.pl some more!

Ok, lately this was the second time that someone posted an entire CGI script at PerlMonks, complete with the (presumably) correct address the CGI script is (or will be) available at. (Well, actually, this is the third time. The first node was this one: Do not undertand this error message and Nik does it for the second time, too...)

In order to understand, why this is an exceptionally bad practice, you have to be aware of the basic methodology of cracking a web page. At least 90% of the work you do when you want to abuse a web site is actually gathering of relevant information:

type and version of the OS and the web server software in the hope that you find a public exploit for a potentially unpatched vulnerability
DNS entries, phone numbers for easy social engineering
path names and file names of CGI scripts for code injection attacks
the type of the underlying database engine, valid user names known for the databases, names of tables and columns in the database tables for SQL injection attacks
and countless more...

When you got all these relevant information, it is not particularly hard to devise an easy way to hack into someone's web site.

Observe that you give all these information very nicely in your post, so you do he majority of the hard work of the attacker. And this is exactly why crackers often hang around at sysadmin forums and mailing lists: these places are invaluable sources of easy information...

Do yourself a favour: only post stripped down versions of your CGI scripts and remove all sensitive pieces of data (as you did very cleverly with the passwords). This will also make it easier for other monks to consume your question by the way...

Update: rephrased a bit...

rg0now

Comment on Re: Perfecting index.pl some more!

Replies are listed 'Best First'.
Re^2: Perfecting index.pl some more! by Nik (Initiate) on Apr 30, 2005 at 11:27 UTC
ok! But how would one ahck my page since i use placeholder so he can insert bogun input neither he can http://www.nikolas.tk/cgi-bin/index.pl?select='../../somepath/somefile') ?! By what exact way?	[reply]
Re^3: Perfecting index.pl some more! by rg0now (Chaplain) on Apr 30, 2005 at 11:56 UTC
Beware of the false sense of being secured, and instead, be paranoid! You can enver know, how weird ideas other might have to crack your tiny little script... Although using placeholders is considered to be a good practice, here SQL Injection myths under DBI? you will find an extensive discussion on this topic and a bazillion of ideas on how to crack SQL queries. Pick the one you most like! I think that it is more of a phylosophical question than a practical one: the point is that one should never ever post production CGI code on public forums! rg0now	[reply]
Re^4: Perfecting index.pl some more! by Nik (Initiate) on May 01, 2005 at 09:12 UTC
Well its my personal webpage and if i dont paste the code nobody will really understand what iam about to do. :-) I dont mind be hacked too as long as the hacker told me how he succeeded ;-)	[reply]