Can I hack this perl thing ?

Discussion in 'Perl Misc' started by Mihir, Feb 26, 2007.

  1. Mihir

    Mihir Guest

    I am a beginner to perl. I have set up a page on an apache server
    which has its addr like
    http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy

    This page contains a list of names of a few friends. This page is made
    when a friend of mine registers in my guestbook. Now the question is
    that this above address is displayed in the browser every time a friend
    accesses their account. So he/she can see their own page but can a
    friend of mine get to this page and somehow modify its contents and
    see the list of all my friends that exist and show up when the xx
    value of id1 or id2 change?

    Can somebody please advise, so that I can know how secure this page of
    mine is.....

    Thank you for your time in advance ....


    --
    MK
     
    Mihir, Feb 26, 2007
    #1

  2. Jürgen Exner

    Mihir wrote:
    > I am a beginner to perl.


    Irrelevant because your question has nothing at all to do with Perl.

    > I have set up a page on an apache server
    > which has its addr like
    > http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy
    >
    > This page contains a list of names of a few friends. This page is made
    > when a friend of mine registers in my guestbook. Now the question is
    > that this above address is displayed in the browser every time a friend
    > accesses their account. So he/she can see their own page but can a
    > friend of mine get to this page and somehow modify its contents and
    > see the list of all my friends that exist and show up when the xx
    > value of id1 or id2 change?


    Maybe, impossible to tell from your description. Do you authenticate your
    users?
    And assign permissions accordingly?

    > Can somebody please advise, so that I can know how secure this page of
    > mine is.....


    Without a thorough security analysis of your system, starting with the OS,
    including the web server setup, and then last but not least your code, it is
    impossible to answer the question. A trivial test would be to just try it.
    If you can get in as John Doe then you know it's not secure. Of course if
    you can't get in that only means that _you_ weren't able to find a hole;
    someone else might very well still be.

    Just to give you an idea of the complexity: Professional software security
    companies charge 6-digit sums to do a security analysis of medium-sized web
    applications.

    Anyway, as I mentioned before: your question has nothing to do with Perl.

    jue
     
    Jürgen Exner, Feb 26, 2007
    #2

  3. Mirco Wahab

    Mirco Wahab Guest

    Mihir wrote:
    > I am a beginner to perl. I have set up a page on an apache server
    > which has its addr like
    > http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy
    >
    > This page contains a list of names of a few friends. This page is made
    > when a friend of mine registers in my guestbook. Now the question is
    > that this above address is displayed in the browser every time a friend
    > accesses their account. So he/she can see their own page but can a
    > friend of mine get to this page and somehow modify its contents and
    > see the list of all my friends that exist and show up when the xx
    > value of id1 or id2 change?


    I'd create a sha1-hash of "xx_yy", like

    ...
    use strict;
    use warnings;
    use Digest::SHA1 qw(sha1_hex);   # Digest::SHA (core since 5.10) exports sha1_hex too
    ...
    my $friends_name  = "xx";
    my $friends_email = "yy";
    # hash the two request values joined by '_' into one opaque id
    my $newid = sha1_hex( $friends_name . '_' . $friends_email );
    ...
    # now: $newid = "1df1f88fa38f0906cf09da207e1c4ae005a146bd";
    ...


    gives then:

    http:// <name of server> :8088/cgi-bin/names.pl?id=1df1f88fa38f0906cf09da207e1c4ae005a146bd

    or (with working /path_info/)

    http:// <name of server> :8088/cgi-bin/names.pl/1df1f88fa38f0906cf09da207e1c4ae005a146bd

    of course, the "ID" of your people will be this
    key from now on. But nobody ever on earth will
    be able to make guesses ;-)

    Regards

    M.
     
    Mirco Wahab, Feb 26, 2007
    #3
  4. Joe Smith

    Joe Smith Guest

    Mihir wrote:

    > http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy
    >
    > So he/she can see their own page but can a
    > friend of mine get to this page and somehow modify its contents and
    > see the list of all my friends that exist and show up when the xx
    > value of id1 or id2 change?


    If names.pl implements some sort of password scheme, then I expect that
    the friend of yours won't be able to change anything.

    If names.pl does not use passwords, then you are in deep doo-doo.
    In that case, delete everything and start over.
    -Joe
     
    Joe Smith, Feb 26, 2007
    #4
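The authentication-plus-ownership check that Jürgen and Joe point to, as an added example in the thread's language (this is not code from any poster); the record ids, session cookie and name lists are constructed, and new ids are drawn from /dev/urandom so that an id is not recomputable from the name and email it stands in for.

```perl
#!/usr/bin/perl
# Added example (not from the thread): names.pl lookup with an
# authentication + ownership check, so that editing id=... in the URL
# cannot show another friend's list. All ids, sessions and data are constructed.
use strict;
use warnings;

# Constructed records, keyed by an opaque id (the value in ?id=...).
my %records = (
    '9b2c1e4f7a3d5c6e8f0a1b2c3d4e5f60' => { owner => 'alice', names => [ 'bob', 'carol' ] },
    '0f1e2d3c4b5a69788796a5b4c3d2e1f0' => { owner => 'dave',  names => [ 'erin' ] },
);

# Constructed session store: cookie value -> authenticated username.
# In a real script this is populated only after a password login.
my %sessions = ( 'sess-alice-example' => 'alice' );

# Unguessable id for a new record: 128 random bits from the OS CSPRNG,
# rather than a hash of name and email that anyone knowing both could recompute.
sub new_record_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack 'H*', $bytes;    # 32 hex characters
}

# Returns (http_status, body). The id is honoured only if the logged-in
# user owns that record; an unguessable id alone is not authorization.
sub show_names {
    my ( $session_cookie, $record_id ) = @_;
    my $user = defined $session_cookie ? $sessions{$session_cookie} : undef;
    return ( 401, 'login required' ) unless defined $user;
    my $rec = defined $record_id ? $records{$record_id} : undef;
    return ( 404, 'no such record' ) unless $rec;
    return ( 403, 'not your record' ) unless $rec->{owner} eq $user;
    return ( 200, join ', ', @{ $rec->{names} } );
}

# Constructed requests: alice's own id, another user's id, and no session.
for my $case (
    [ 'sess-alice-example', '9b2c1e4f7a3d5c6e8f0a1b2c3d4e5f60' ],   # 200 bob, carol
    [ 'sess-alice-example', '0f1e2d3c4b5a69788796a5b4c3d2e1f0' ],   # 403 not your record
    [ undef,                '9b2c1e4f7a3d5c6e8f0a1b2c3d4e5f60' ],   # 401 login required
) {
    my ( $status, $body ) = show_names(@$case);
    printf "%-20s %s -> %d %s\n", $case->[0] // '(no cookie)', $case->[1], $status, $body;
}
printf "fresh id: %s\n", new_record_id();
```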