I have tried to explain this to my boss but as I have not yet proven my Perl skills (which are somewhat limited) and this is not what I was employed for anyway, they were more than a little hesitant to listen to me.
This is not a Perl question. It's general secure programming practice; whether the CGI program is written in Perl, C, Lisp, bash or any other language wouldn't matter here. The issue at heart is that it was written to trust user input.
Explain to your boss that the problem is really serious. Ask them if they would agree to be given a demonstration. Cover your back at every step of the road in case you are unjustly reproached at a later date: get written confirmations whenever possible and try to always have a coworker come along to meetings. Do not go ahead and just make a demonstration. If necessary, offer to do so in spare, unpaid time. If you are given the go-ahead, make several demonstrations: the boss may lack the technical understanding to deduce how far-reaching the problem really is if you only make a single one. Come up with serious attacks; deface the site, fiddle with /etc/passwd etc.; whatever comes to mind. Make sure, obviously, to back up the altered files prior to the demonstration. If you are refused the chance to explain, at least make sure you can prove you did what could be expected of you so that if any damage happens, the responsibility is with those who dismissed your concerns.
Good luck.
Makeshifts last the longest.
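As an added illustration of the point above (this is example code, not code from the thread or from the poster's program), here is how a Perl CGI handler can stop trusting user input: taint mode refuses to pass unvalidated data to `open`, a strict regex capture is the only thing that untaints it, and an allow-list decides which files may be served at all. It assumes CGI.pm is installed and that the served files live under a hypothetical `/var/www/pages` directory.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): a minimal CGI handler that
# refuses to trust the "page" parameter. Taint mode (-T) makes Perl die if
# untrusted data reaches open(), system(), etc. before it is untainted.
use strict;
use warnings;
use CGI qw(param header);

# Constructed allow-list: the only files this handler may serve.
my %ALLOWED = map { $_ => 1 } qw(about.html contact.html index.html);

# Untaint and validate a requested page name. Returns the safe name or undef.
sub safe_page_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Capture only a conservative pattern; the regex capture is what untaints.
    # Anchored with \A and \z so "../" and embedded newlines cannot get through.
    return undef unless $raw =~ /\A([a-z0-9_-]{1,32}\.html)\z/;
    my $name = $1;
    # Even after the pattern match, only known files are acceptable.
    return $ALLOWED{$name} ? $name : undef;
}

my $page = safe_page_name(scalar param('page'));

print header('text/html');
if (!defined $page) {
    print "<p>Unknown page.</p>\n";
    exit 0;
}

# Three-argument open with an explicit mode: the filename can never be
# interpreted as a pipe or a mode prefix the way the two-argument form allows.
# /var/www/pages is an assumed, hypothetical document directory.
open(my $fh, '<', "/var/www/pages/$page") or do {
    print "<p>Page unavailable.</p>\n";
    exit 0;
};
print while <$fh>;
close $fh;
```

Run under a CGI-capable web server with `-T` on the shebang line; without the regex capture, taint mode aborts the `open` call, which is exactly the failure you want instead of silently serving whatever path the request named.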