
Re: Truly Isolated Perl

by mr_mischief (Monsignor)
on Sep 19, 2018 at 19:30 UTC (#1222671=note)

in reply to Truly Isolated Perl

There are ways to lock down subdirectories from being served by a web server. Even so, putting the executable for a general-purpose programming language within your document root seems like a terrible idea. Since you're not talking about a PSGI server as part of this scenario and talking about needing to put things in a particular directory, it seems you're likely using CGI.

Imagine you have CGI enabled within your web root. Now imagine for some reason the subdirectory containing perl within that web root becomes web accessible. The HTTP verb POST sends the request body from the client to the web server, which then runs the executable mapped at the requested URI. The request body is then passed in its entirety to that executable's STDIN. Eve fuzzes and futzes and finds your perl executable. She then POSTs arbitrary code, which then runs. Suddenly your system is a command and control system for a botnet or something even worse.
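An added example, not part of the original post or reply: a POSIX sh audit a site operator can run at deploy time to catch the two things the reply warns about, an interpreter binary sitting under the document root (resolved through symlinks, so a link cannot hide it) and any other native executable or interpreter that has ended up inside the served tree. The document root, the `tools/` subdirectory and the default of checking whatever `perl` resolves to on PATH are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web document root for
# interpreter binaries and native executables that should never be served.
# All paths and the "tools/" subdirectory used in comments are hypothetical.

# Canonicalise a path, resolving symlinks where the platform supports it.
canon() {
  readlink -f "$1" 2>/dev/null && return 0
  # Fallback for systems without readlink -f: canonicalise the directory part only.
  printf '%s/%s\n' "$(cd "$(dirname "$1")" 2>/dev/null && pwd -P)" "$(basename "$1")"
}

# Returns 0 when file $2 lives outside directory $1, 1 when it is inside it.
# Typical call: path_is_outside /var/www/html "$(command -v perl)"
path_is_outside() {
  root=$(canon "$1") || return 0
  target=$(canon "$2")
  case "$target" in
    "$root"/*) return 1 ;;   # interpreter is inside the document root
    *)         return 0 ;;
  esac
}

# Prints every world-executable regular file under $1 that is an ELF binary
# or is named like an interpreter. Ordinary CGI scripts (index.cgi, foo.pl
# with a shebang) are not reported; nothing printed means nothing was found.
find_foreign_executables() {
  find "$1" -type f -perm -001 -print 2>/dev/null | while IFS= read -r f; do
    # First four bytes as hex; an ELF executable starts with 7f 45 4c 46.
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    name=$(basename "$f")
    case "$magic:$name" in
      7f454c46:*) printf 'ELF binary:   %s\n' "$f" ;;
      *:perl|*:perl5*|*:python*|*:php*|*:sh|*:bash|*:dash|*:ruby)
                  printf 'interpreter:  %s\n' "$f" ;;
    esac
  done
}

# Runs both checks. $1 is the document root, $2 (optional) the interpreter the
# CGI handler will run; defaults to the perl found on PATH. Returns 0 when the
# tree is clean, 1 when something was found (findings go to stdout).
audit_docroot() {
  root=$1
  interp=${2:-$(command -v perl || printf '/usr/bin/perl')}
  status=0
  if ! path_is_outside "$root" "$interp"; then
    printf 'interpreter %s is INSIDE document root %s\n' "$interp" "$root"
    status=1
  fi
  findings=$(find_foreign_executables "$root")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    status=1
  fi
  return $status
}

# Run as a script: audit_docroot.sh /var/www/html [/path/to/perl]
if [ "$#" -gt 0 ]; then
  audit_docroot "$@"
fi
```

A non-zero exit from `audit_docroot` is the signal to stop a deployment. The fix for a finding is the one the reply implies: keep the interpreter and the CGI programs outside the served tree (map a directory outside `DocumentRoot` with the server's script alias facility) and explicitly deny any subdirectory that must stay in the tree but must not be served, rather than relying on it never becoming reachable.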
