Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

comment on
( [id://3333]=superdoc: print w/replies, xml ) Need Help??
Even with the double fork and chroot there're still a lot of potential security holes which are open, for example consider the following two fairly common attacks for a couple off the top of my head:
  • Denial of service attacks: Make the machine talk to itself a lot.. use LWP::Simple; while (1) { get("http://localhost/something_intensive.cgi")} (bonus points for calling the the calculator again with the same effect), fork bombing with while (1) { fork }, or getting a list of the current user's active processes and kill -9'ing them.
  • Mailing back details from your machine to the aggressor to get information for other attacks: Grab the script, grab the config files listed in the script, connect to the database with credentials from config file, delete all data or subtly corrupt it as you see fit. If this application has no config file there're probably other web apps on the machine who's config file you can get.
Basically this is the Whack-A-Mole kind of thing where you think of two avenues of attack and block them, the attacker thinks of a third and causes you pain. The kind of security provided by the Safe module could be a step in the right direction but that'd need careful config, whereas the route means that the operations the user can execute are strictly restricted to a known-safe subset, and also means that the user can enter terms such as '2x2.23kg in lbs' which'd never run in Perl even with constants carefully defined.

In reply to Re^4: how would you detect a math expression by Molt
in thread how would you detect a math expression by Anonymous Monk

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":


  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others examining the Monastery: (2)
As of 2024-04-26 04:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found