Editable webpage code - security loopholes?

Duke of Hazard

I have developed a really basic script to make my web pages editable.
I am tired of having to hop around several applications and menus just
to fix one spelling error on a webpage! Also this empowers my clients
to update their own sites as far as text goes.

Basically it reads in the webpage file you want to edit and displays
its content in a textarea box. If the password matches, the script
overwrites the webpage file with the new text you typed in the
textarea.

It works, but what security checks do I need to perform on it? I
realize I need to sanitize the password field, how about the textarea
field?

Thanks!

Here's a snippet of the code below:
==================================

$file_path=$incoming{'file_path'};
$password=$incoming{'password'};
@textarea=$incoming{'textarea'};

# overwrite file if password matches with contents of @message

if ($password eq "12345"){
open(F, ">$file_path") ;
flock(F, 2); # lock file
print F "@textarea";
close(F);
}

# display web page to allow user to edit web page

print "Content-type: text/html\n\n";

print"<form action=/cgi-bin/edit_webpage.pl method=POST>

<textarea name=message cols=75 rows=25>";

open(F, "$file_path") ;
print <F>;

print"</textarea>";

close(F);

print' <input type="password" name="password"> ';

print' <input type="submit" value="Edit"> ';
 
John Bokma

Duke said:
It works, but what security checks do I need to perform on it?

How can we tell if you show just a snippet?

But the snippet is enough to guess that you:

[1] don't use strict, nor use warnings;
[2] don't use taint mode
[3] don't check return values (open, flock, etc)
[4] don't check file_path
[5] probably don't use CGI.pm

I realize I need to sanitize the password field, how about the textarea
field?

Just a quick tip for your password. Never store it readable. Get the
password, calculate an MD5 hash, and compare it with the MD5 hash of the
actual password. Of course you have calculated the latter with a separate
script, so the actual password is nowhere stored in readable form.

Also read about here documents, it will simplify your code.
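
An added example, not part of any post in this thread: points [1], [3] and [4] from the list above, plus HTML-escaping of what is printed inside the textarea, as a Perl sketch. The helper names (page_path, save_page, escape_html), the single-directory layout and the .html allowlist are assumptions, and the demo input is constructed.

```perl
#!/usr/bin/perl
# Added example, not the original poster's script. As a CGI, run it with -T:
# the regex capture in page_path() is the step that untaints the file name.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);

# Assumption: every editable page is a *.html file in one directory.
sub page_path {
    my ($dir, $name) = @_;
    # Allowlist a bare file name: no slashes, no leading dot, no mode or pipe characters.
    return unless defined $name
        && $name =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]*\.html)\z/;
    my $path = "$dir/$1";
    return if -l $path;    # refuse symlinks that could point outside $dir
    return $path;
}

sub save_page {
    my ($path, $text) = @_;
    # '+<' only opens an existing file, and nothing is truncated before the lock is held.
    open(my $fh, '+<', $path) or die "cannot open '$path': $!";
    flock($fh, LOCK_EX)       or die "cannot lock '$path': $!";
    truncate($fh, 0)          or die "cannot truncate '$path': $!";
    print {$fh} $text         or die "cannot write '$path': $!";
    close($fh)                or die "cannot close '$path': $!";
    return 1;
}

sub escape_html {    # file content shown inside <textarea> must be escaped
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Constructed demo input standing in for the submitted form parameters.
my $dir = tempdir(CLEANUP => 1);
open(my $seed, '>', "$dir/index.html") or die "seed: $!";
print {$seed} "<p>old</p>\n";
close($seed) or die "seed: $!";
for my $name ('index.html', '../../etc/passwd', '/etc/passwd', 'x.html|id', 'edit.pl') {
    my $path = page_path($dir, $name);
    print defined $path ? "accept $name\n" : "reject $name\n";
}
my $page = page_path($dir, 'index.html') or die "index.html rejected";
save_page($page, "<p>new</p>\n");
print escape_html("</textarea><script>"), "\n";
```

Password checking and CGI.pm parameter parsing are left out; the three helpers take the already-parsed form values as arguments.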
 
John Bokma

Bob said:
Duke of Hazard wrote:
[snip]
print F "@textarea";
----------^---------^
Useless use of quotes. See:

perldoc -q quoting

Not true, see:

perl -e "@a=qw(a b c d);print qq(@a)"
a b c d
perl -e "@a=qw(a b c d);print @a"
abcd
perl -e "@a=qw(a b c d);print \"@a\""
a b c d

In this case the quotes add some extra magic ;-)

[snip]
In short, without some fixes, what you have is probably "hacker
heaven".

No doubt about that.
 
Tad McClellan

Duke of Hazard said:
It works, but what security checks do I need to perform on it? I
realize I need to sanitize the password field, how about the textarea
field?


If you need to "sanitize" them when using Perl, then you would
need to sanitize them when using Visual Basic or C or Java.

i.e. That question is not a Perl question.

Please ask web questions in a newsgroup about the web.

open(F, "$file_path") ;


You should always, yes *always*, check the return value from open:

open(F, $file_path) or die "could not open '$file_path' $!";


See also:

perldoc -q vars

What's wrong with always quoting "$vars"?

Then don't use useless uses of quotes anymore.
 