PerlMonks  
Well, from your description of the problem it seems to me that your attitude is correct. It bothers me that your boss should pay more attention to security.

I know very little about your actual scenario but I think there are a few main risks here (I assume that the script allows the customer data to be written to a file which is specified via a hidden field):

  • An attacker storing "interesting" customer information in a file called /etc/password or similar, provided that your web server runs as root. By interesting customer information, I mean a set of lines providing a superuser account with a password known to the attacker. This would be very handy for cracking your webserver.

  • An attacker storing "interesting" customer information in the file $DOCUMENTROOT/index.html. Talk about a convenient way to deface your server.

  • An attacker requesting customer information from system files, such as /etc/passwd or httpd.conf, in order to gain knowledge about your system.

... Please do not take these as an extensive list. It's late and I only wrote what came to mind.

Now, so far you've acted ethically. No matter what people tell you, do not try to expose or exploit this flaw without permission from your employer. If you succeed (and this seems easy from your description), this will allow your employer to sue you. You would not be the first to suffer through this nonsense. I say this because it is very tempting to exploit this vulnerability and play a little prank on your company as a proof of concept, but this can get you in serious trouble.

If after you point this out to your boss, they still decide not to fix it, then leave it alone. And on a personal note, look for another job :)

Regards


In reply to Re: The danger of hidden fields by fokat
in thread The danger of hidden fields by Gerard
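As an added example that is not part of the original thread or the poster's own code: one way to close the class of problems fokat lists is to stop treating the hidden field as a file name at all. The server maps a short allowlisted token to a file inside one fixed directory, so values like `../../etc/passwd`, `/etc/password` or `index.html` are rejected before any `open`. The directory `/var/www/customer-data`, the token names and the `.txt` suffix are assumptions for illustration; the same `safe_target` check applies whether the script writes records or reads them back.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Fcntl qw(O_WRONLY O_APPEND O_CREAT O_NOFOLLOW);

# Added example, not code from the original thread. A hardened replacement
# for a CGI that let a hidden form field name the file to write (or read).
# The browser-supplied value is treated as an opaque token that is mapped to
# a file inside one fixed directory; anything else is refused.
# $DATA_DIR and the token names are assumptions for illustration.

my $DATA_DIR = '/var/www/customer-data';   # assumption: fixed, non-web-served dir

# Allowlist of tokens the hidden field may carry. Values such as
# "../../etc/passwd" or "index.html" never match and are rejected.
my %ALLOWED = map { $_ => 1 } qw(orders feedback signup);

# Map a hidden-field value to an absolute path inside $DATA_DIR.
# Returns undef when the value is missing, malformed or not allowlisted.
sub safe_target {
    my ($token) = @_;
    return undef unless defined $token;
    # Short lowercase word only: no slashes, dots, NULs or whitespace.
    return undef unless $token =~ /\A[a-z]{1,16}\z/;
    return undef unless exists $ALLOWED{$token};
    return File::Spec->catfile($DATA_DIR, "$token.txt");
}

# Append one customer record to the file selected by the token.
sub store_record {
    my ($token, $record) = @_;
    my $path = safe_target($token);
    die "refused: hidden field value not in allowlist\n" unless defined $path;

    # Append only, never follow a symlink planted at the target, and create
    # the file with a restrictive mode. The web server must not run as root
    # regardless; this code cannot compensate for that.
    sysopen(my $fh, $path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640)
        or die "cannot open $path: $!\n";
    # Strip CR/LF so one submission cannot inject extra lines into the file.
    (my $line = $record) =~ s/[\r\n]+/ /g;
    print {$fh} "$line\n" or die "write failed: $!\n";
    close $fh or die "close failed: $!\n";
    return $path;
}

# Demonstration on constructed inputs (no CGI request needed). In a real CGI
# the token would come from $q->param('target') and $record from other fields.
for my $candidate ('orders', '../../etc/passwd', 'index.html', 'ORDERS', undef) {
    my $shown = defined $candidate ? $candidate : '<missing>';
    my $path  = safe_target($candidate);
    printf "%-20s => %s\n", $shown, defined $path ? $path : 'REJECTED';
}
```

The demonstration loop only exercises `safe_target`, so the script runs without touching the filesystem; `store_record` is what the form handler would call once a token passes. Keeping the allowlist on the server also means the hidden field can be removed from the form entirely if the page only ever writes to one file, which is the simplest fix of all.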
