PerlMonks  

Update: The above URL doesn't use reverse directory traversal. Stupid me. It should actually read:
http://www.somehost.com/path/to/script/badscript.cgi?name=x-../../../bin/ls|
Update: Adam of course has raised the age-old "Security through Obscurity" question. The problem listed above is a classic one that many sites have. A resourceful hacker can easily write a Perl script that automatically probes for a number of common holes without necessarily knowing the holes are there. Even if you don't mention the hole, just having one can leave it exposed.

Security through obscurity is simply hoping they don't find the holes. All it takes is one lucky guess to earn the programmer a pink slip. If we plug the holes in the first place, we don't have to sit at home worrying.

On another note, this demonstrates why we shouldn't allow users to specify file names. Some programmers think the following can help protect:

$filename =~ tr/\.\.//;
This fails miserably. We can't disallow periods completely if there is a chance that a legitimate file to be opened is named something like datafile.dat, so we are concerned with two periods in a row. The hacker could simply specify \.\./\.\./\.\./bin/ls| as the path and our tr/// fails. If you don't believe me, hop on your Linux box and see what ls \.\./ does.

Update 2: I noticed that someone downvoted Adam's post. He stated that he was playing the Devil's Advocate "for fun". His intention was clearly to start good discussion, not to defend "security through obscurity." I gave him a ++. Don't downvote him for it!

Cheers,
Ovid



In reply to (Ovid) RE: Warning our Fellow Monks by Ovid
in thread Warning our Fellow Monks by Ovid
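
The filter quoted in the post, set beside an allowlist check and a three-argument open. This is an added example, not part of Ovid's post; the data directory and the sub names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical data directory for this example; not from the original post.
my $DATA_DIR = '/var/www/data';

# The filter quoted in the post. Without /d and with an empty replacement
# list, tr/// only counts matching characters; the string is left unchanged.
sub weak_filter {
    my ($filename) = @_;
    $filename =~ tr/\.\.//;
    return $filename;
}

# Allowlist check: a single path component made of letters, digits, '_' and
# '-', with single periods allowed only between such runs (datafile.dat
# passes). '/', '\', '|', whitespace, NUL, a leading '.' and '..' never match.
sub safe_name {
    my ($filename) = @_;
    return unless defined $filename;
    return $1 if $filename =~ /\A([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*)\z/;
    return;
}

# Three-argument open with an explicit '<' mode: the name is never parsed
# for a mode or a pipe, so a trailing '|' cannot turn into a command.
sub open_data_file {
    my ($filename) = @_;
    my $name = safe_name($filename);
    die "rejected file name\n" unless defined $name;
    my $path = File::Spec->catfile($DATA_DIR, $name);
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    return $fh;
}

# Constructed sample inputs, including the two strings from the post.
for my $input ('datafile.dat', 'x-../../../bin/ls|', '\.\./\.\./\.\./bin/ls|') {
    my $after   = weak_filter($input);
    my $verdict = defined(safe_name($input)) ? 'accept' : 'reject';
    printf "%-24s after tr///: %-24s allowlist: %s\n", $input, $after, $verdict;
}
```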
