Can I hack this perl thing?


Mihir

I am a beginner to perl. I have set up a page on an apache server
which has its address like
http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy

This page contains a list of names of a few friends. This page is made
when a friend of mine registers in my guestbook. Now the question is
that this above address is displayed in the browser every time a friend
accesses their account. So he/she can see their own page but can a
friend of mine get to this page and somehow modify its contents and
see the list of all my friends that exist and show up when the xx
value of id1 or id2 change?

Can somebody please advise, so that I can know how secure this page of
mine is...

Thank you for your time in advance ....
 

Jürgen Exner

Mihir said:
I am a beginner to perl.

Irrelevant because your question has nothing at all to do with Perl.
I have set up a page on an apache server
which has its address like
http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy

This page contains a list of names of a few friends. This page is made
when a friend of mine registers in my guestbook. Now the question is
that this above address is displayed in the browser every time a friend
accesses their account. So he/she can see their own page but can a
friend of mine get to this page and somehow modify its contents and
see the list of all my friends that exist and show up when the xx
value of id1 or id2 change?

Maybe, impossible to tell from your description. Do you authenticate your
users?
And assign permissions accordingly?
Can somebody please advise, so that I can know how secure this page of
mine is...

Without a thorough security analysis of your system, starting with the OS,
including the web server setup, and then last but not least your code, it is
impossible to answer the question. A trivial test would be to just try it.
If you can get in as John Doe then you know it's not secure. Of course, if
you can't get in that only means that _you_ weren't able to find a hole;
someone else might very well still be.

Just to give you an idea of the complexity: Professional software security
companies charge 6-digit sums to do a security analysis of medium-sized web
applications.

Anyway, as I mentioned before: your question has nothing to do with Perl.

jue
 

Mirco Wahab

Mihir said:
I am a beginner to perl. I have set up a page on an apache server
which has its address like
http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy

This page contains a list of names of a few friends. This page is made
when a friend of mine registers in my guestbook. Now the question is
that this above address is displayed in the browser every time a friend
accesses their account. So he/she can see their own page but can a
friend of mine get to this page and somehow modify its contents and
see the list of all my friends that exist and show up when the xx
value of id1 or id2 change?

I'd create a sha1-hash of "xx_yy", like

use strict;
use warnings;
use Digest::SHA1 qw(sha1_hex);

my $friends_name  = "xx";
my $friends_email = "yy";
my $newid = sha1_hex( $friends_name . '_' . $friends_email );
# now: $newid = "1df1f88fa38f0906cf09da207e1c4ae005a146bd";


gives then:

http:// <name of server> :8088/cgi-bin/names.pl?id=1df1f88fa38f0906cf09da207e1c4ae005a146bd

or (with working /path_info/)

http:// <name of server> :8088/cgi-bin/names.pl/1df1f88fa38f0906cf09da207e1c4ae005a146bd

of course, the "ID" of your people will be this
key from now on. But nobody ever on earth will
be able to make guesses ;-)

Regards

M.
 

Joe Smith

Mihir said:
http:// <name of server> :8088/cgi-bin/names.pl?id1=xx&id2=yy

So he/she can see their own page but can a
friend of mine get to this page and somehow modify its contents and
see the list of all my friends that exist and show up when the xx
value of id1 or id2 change?

If names.pl implements some sort of password scheme, then I expect that
the friend of yours won't be able to change anything.

If names.pl does not use passwords, then you are in deep doo-doo.
In that case, delete everything and start over.
-Joe
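What Jürgen's and Joe's replies turn on is what names.pl checks on the server, not what the id in the URL looks like; Mirco's hash only helps if it cannot be recomputed, and sha1("name_email") can be by anyone who knows those two values. The following is an added example, not code from any post in this thread: ids minted from the OS random source, plus the ownership check that has to run on every request. The login step, `$session_user` and the `%owner_of` table are assumptions standing in for names.pl's own storage.

```perl
#!/usr/bin/perl
# Added example, not code from any post in this thread. Assumes a login
# step (not shown) that has already put the caller's username into
# $session_user; names.pl's storage is stood in for by a hash.
use strict;
use warnings;

# Mint an id that is not derived from anything a visitor could know or
# recompute (a hash of name and email is): 32 bytes from the OS CSPRNG.
sub new_opaque_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;    # 64 lowercase hex characters
}

# The check names.pl needs whatever the id looks like: only the owner of
# an id may view (or edit) the page behind it. Returns the owner's name
# on success and nothing otherwise.
sub authorize_view {
    my ($session_user, $requested_id, $owner_of) = @_;
    return unless defined $session_user;                    # not logged in
    return unless defined $requested_id
              && $requested_id =~ /\A[0-9a-f]{64}\z/;       # malformed id
    my $owner = $owner_of->{$requested_id};
    return unless defined $owner;                           # unknown id
    return unless $owner eq $session_user;                  # someone else's
    return $owner;
}

# Constructed sample data: one registered friend and her freshly minted id.
my $alice_id = new_opaque_id();
my %owner_of = ( $alice_id => 'alice' );

print "alice may view her own page\n"
    if authorize_view('alice', $alice_id, \%owner_of);
print "bob is refused even with alice's exact id\n"
    unless authorize_view('bob', $alice_id, \%owner_of);
print "an unauthenticated visitor is refused\n"
    unless authorize_view(undef, $alice_id, \%owner_of);
print "a made-up id is refused\n"
    unless authorize_view('alice', 'ff' x 32, \%owner_of);
```

The same `authorize_view` guard belongs in front of any code path that modifies the page, not only the one that displays it.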
 
