PerlMonks
Re: Re: Re: Hash Clash on purpose
by l2kashe (Deacon) on Jun 02, 2003 at 22:38 UTC ( [id://262512]=note )
Good insight, can you tell what type of perl devel I don't do regularly? ;)

On another note though, aren't the hash keys in a form and such predefined? Thinking this through, it would take a maliciously crafted URL to actually exploit a backend Perl-based CGI, as opposed to going through the "normal" processing channel, as in this exploitation it's really the keys that are the issue as opposed to the values. Since we are talking about DOS attacks on systems, this is a valid attack. It will most certainly be very easy to track via some simple log searching without some proxying involved, but that's kinda outside of the scope of the thread...

New question: Is there a way to "fix" CGI.pm? Thinking it through it feels knee jerkish to point at CGI, and I think might be outside of the scope of the module's varied duties. Though it would be interesting if you could code something to the effect of...

Which would only allow foo, bar, and baz, and silently drop everything else from the URL. But that kind of breaks the standalone nature of many CGI programs, and would need to be checked for/cleaned prior to actually parsing the parameters. On a plus side this could lead to many many more sites being far more secure than they presently are, as it's one more obstacle to hurdle in the never ending hunt for other people's processing cycles. Kinda like 'use strict' for CGI :)

I'm still hoping to get feedback from more "senior" members of the community, to get a handle on what they really think of the issue. Also does/will this affect Perl6?

MMMMM... Chocolaty Perl Goodness.....
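The allowlist idea in the post above, sketched as an added example that is not part of the original post or of CGI.pm: the raw query string is cleaned before any parser builds a hash from it, so client-chosen names are only ever looked up, never inserted. The helper name filter_query_string, the pair cap of 50 and the sample input are assumptions, and the sketch covers only a plain CGI GET request, where CGI.pm reads $ENV{QUERY_STRING}.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not a CGI.pm API): keep only allowlisted parameter
# names from a raw query string and drop everything else silently.
sub filter_query_string {
    my ($raw, $allowed, $max_pairs) = @_;
    $max_pairs = 50 unless defined $max_pairs;   # assumed cap on pairs examined

    # The only hash involved is keyed by names the programmer chose.
    my %ok = map { $_ => 1 } @$allowed;

    # Split into at most $max_pairs + 1 fields; the last field then holds
    # any overflow unsplit, and is discarded by the truncation below.
    my @pairs = split /[&;]/, $raw, $max_pairs + 1;
    $#pairs = $max_pairs - 1 if @pairs > $max_pairs;

    my @kept;
    for my $pair (@pairs) {
        next unless length $pair;
        my ($name) = split /=/, $pair, 2;
        next unless defined $name;

        # URL-decode the name so "%66oo" is recognised as "foo".
        (my $decoded = $name) =~ tr/+/ /;
        $decoded =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

        # Lookup only: an unknown name is never stored as a hash key.
        push @kept, $pair if $ok{$decoded};
    }
    return join '&', @kept;
}

# Constructed sample input: expected fields mixed with unexpected names.
my $raw = 'foo=1&zzq%41=x&bar=two+words&EzFY=1;baz=3&%66oo=4';

# Clean the environment before the CGI object is created.
$ENV{QUERY_STRING} = filter_query_string($raw, [qw(foo bar baz)]);
print "$ENV{QUERY_STRING}\n";
```

POST bodies arrive on STDIN rather than in QUERY_STRING, so they would need the same filtering applied at that point.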