
Key-passing from PHP to TCL CGI script - how is it done (web security issue)?

On one of my sites, I have a TCL CGI script that has a security hole
in spite of it having effective server-side validation (the fact that
it's CGI IS its security hole). The front end is a PHP script, and I
am writing server-side validation onto it, however, it is required to
redirect to the TCL CGI script because only a CGI script has the
ability to access a group-accessible XML script on the back end.

I had to take the whole thing down because a hacker found a way to
exploit the TCL CGI script and send in viral DoS-generating data
packets via simple form text field submissions, somehow even bypassing
the TCL CGI script's server-side validation.

Hence, that is why I am writing server-side validation on the front-end
PHP script, which is not CGI, of course.

The only way I could figure out how to make this secure was the concept
of "key passing", that is, passing a key from the PHP script into a
$_SESSION variable, then the TCL CGI script must have the same key on
its end, somehow, in order to expedite further.

Bottom line: I have no clue how to do this. Is there anyone out there
that knows this stuff and can either give me a quick tutorial or point
me in the right direction? I have absolutely no idea where to begin,
nor do I know any other means of ensuring web security.

*NOTE* I cannot destroy the TCL CGI script, because only a CGI script
can access the group-accessible XML on the back end, so that's not an
option by any means.

Thanx
Phil

Oct 5 '05 #1
Bottom line: I have no clue how to do this. Is there anyone out there
that knows this stuff and can either give me a quick tutorial or point
me in the right direction? I have absolutely no idea where to begin,
nor do I know any other means of ensuring web security.


A bit more detail needed, I think... is the TCL script interactive or
batch? Perhaps it could be modified so that it doesn't need to be
web-facing at all, called from PHP using exec() returning the result to
PHP which passes it on to the browser.

---
Steve

Oct 5 '05 #2
A bit more of an explanation. What do you mean by "interactive or
batch"? It's a CGI script that does server-side validation and then
passes form values into an XML file that only it can access.

Phil

Oct 5 '05 #3
gwl
Phil,

If you could post the problem script to the comp.lang.tcl newsgroup and what
OS you are using, it is more than likely we can tell you how to plug the
security hole. Particularly from the description you include -- sounds
like it may be a well-known coding problem (i.e. not handling user data in a
safe way).

To answer your question, you can pass data either as an argument to the
script on its command line (i.e. when you kick it off) or via an environment
variable. In general, if you are having security problems with handling
user supplied data, I'd recommend passing via an environment variable (it is
harder to introduce a security hole).

BTW, a properly written CGI script is no less safe than a properly written
PHP script -- you just have to know what you are doing.


Oct 5 '05 #4
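The two hand-off mechanisms gwl describes, side by side with the pattern that causes the hole in the first place. This is an added example written for this page, not gwl's code or Phil's scripts; the script path `/home/phil/private/process.tcl`, the field name and the `FORM_NAME` variable are assumptions, and the Tcl side is assumed to read `$argv` or `$env(FORM_NAME)` as noted in the comments.

```php
<?php
// Added example, not code from the thread. Script path and field name are
// assumptions for illustration; the script is kept outside the web root.
const TCL_SCRIPT = '/home/phil/private/process.tcl';

// UNSAFE: the form value is pasted into a command line that /bin/sh parses.
// A value such as   x; rm -rf ~   or   $(id)   runs as a shell command before
// the Tcl script ever starts. This is the pattern to look for first.
function run_unsafe(string $name): int
{
    exec("/usr/bin/tclsh " . TCL_SCRIPT . " $name", $out, $rc);
    return $rc;
}

// ARGV, done properly: every argument is quoted for the shell with
// escapeshellarg(), so the shell hands it to tclsh as one literal word and
// the Tcl script reads it with [lindex $argv 0]. The value is still visible
// to other users on a shared host via ps(1) and is subject to the argv
// size limit.
function run_argv(string $name): array
{
    $cmd = '/usr/bin/tclsh ' . escapeshellarg(TCL_SCRIPT) . ' ' . escapeshellarg($name);
    exec($cmd, $out, $rc);
    return ['rc' => $rc, 'out' => $out];
}

// ENVIRONMENT (gwl's recommendation): the value is never part of a command
// line, so there are no shell quoting rules to get wrong and ps(1) does not
// show it. The Tcl script reads it as $env(FORM_NAME). putenv() sets it in
// the PHP process, and the child started by exec() inherits it.
function run_env(string $name): array
{
    putenv('FORM_NAME=' . $name);
    exec('/usr/bin/tclsh ' . escapeshellarg(TCL_SCRIPT), $out, $rc);
    putenv('FORM_NAME');            // unset again: mod_php workers are reused between requests
    return ['rc' => $rc, 'out' => $out];
}
```

None of the three replaces validation: the Tcl script must still treat whatever arrives in `$argv` or `$env` as data (no `eval`, no `exec` with the value spliced in, no `subst`). The point of the environment variant is only that one whole class of mistake, shell metacharacters in a command line, cannot occur.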
A bit more of an explanation. What do you mean by "interactive or
batch"?


Can it just be given a chunk of data and get on with its job, or does
it have an interactive conversation with the user, with several round
trips from client to server before it can do its thing?

I suppose the question is: does it have to be a web-facing CGI script
at all, could it be coded as a simple command-line script
(#!/usr/bin/tcl) taking command-line args and returning the result to
STDOUT; it could then live outside the web directory tree and be
protected from abuse from the internet. No need for any fancy
authentication then.

---
Steve

Oct 5 '05 #5

Steve wrote:
A bit more of an explanation. What do you mean by "interactive or
batch"?
Can it just be given a chunk of data and get on with its job, or does
it have an interactive conversation with the user, with several round
trips from client to server before it can do its thing?


Ok thank you. Those are terms that I as a web developer am not used to
hearing, so it threw me.
I suppose the question is: does it have to be a web-facing CGI script
at all, could it be coded as a simple command-line script
(#!/usr/bin/tcl) taking command-line args and returning the result to
STDOUT; it could then live outside the web directory tree and be
protected from abuse from the internet. No need for any fancy
authentication then.

I couldn't run the script as a standalone command-line script because
the scripts are hosted on a remote site and I do not have privileges
outside of my account which resides within the framework of the
document root. It is a single back-end batch processing script that
must exist within CGI because CGI, as well as the user, are within the
group that has the privilege to access a group-accessible XML file
(this cannot be altered as it is set up by the hosting provider across
the board for all users on his hosting service).

Phil


Oct 5 '05 #6
I couldn't run the script as a standalone command-line script because
the scripts are hosted on a remote site and I do not have privileges
outside of my account which resides within the framework of the
document root. It is a single back-end batch processing script that
must exist within CGI because CGI, as well as the user, are within the
group that has the privilege to access a group-accessible XML file
(this cannot be altered as it is set up by the hosting provider across
the board for all users on his hosting service).

Would this work?

<?php

// The Tcl script lives outside the web tree; PHP runs it and relays its output.
header( "Content-type: text/plain" );

// exec() fills $res with one array element per line of the script's stdout.
// Real form values would need escapeshellarg() before going on the command line.
exec( "/path/to/mytclscript.tcl arg1 arg2 arg3", $res );

print "results:\n\n";

for( $i=0; $i < count($res); $i++ )
{
print $res[$i] . "\n";
}

?>

---
Steve

Oct 5 '05 #7
It would function, yes, but I don't see how that would offer any form
of protection as the hacker would still have access to the TCL CGI
script with his/her original HTML cached page. I guess I am unclear as
to how this would tighten things up.

Thanx
Phil



Oct 5 '05 #8
It would function, yes, but I don't see how that would offer any form
of protection as the hacker would still have access to the TCL CGI
script with his/her original HTML cached page. I guess I am unclear as
to how this would tighten things up.


It depends on whether your setup allows you to store files in
directories other than your web root folder and below.

If the TCL script can be stored and executed outside of your web root,
there's no direct access to it from a browser.

For instance, my host has a fairly common setup where the web root
folder is

/home/steve/web/

but I can create folders in /home/steve that are outside the web.
---
Steve

Oct 5 '05 #9
Just an extra note that in general, the best ways of passing data are
not via either arguments or environment variables, but rather through
sockets or pipes (both of which come in many variations). On the other
hand, these are superior because they are a mechanism that is much more
difficult to snoop and which can handle much larger amounts of data,
and not because they inherently protect you from quoting issues. Not
that Tcl's particularly prone to such things when the language is used
even remotely idiomatically...

Donal.

Oct 5 '05 #10
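A worked version of the pipe approach Donal recommends, combined with the PHP-side validation Phil said he was writing. This is an added example, not code from the thread or from Phil's site; the script path, the field names, the size cap and the JSON-on-stdin contract with the Tcl script are all assumptions, and the array form of `proc_open()` used here needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Paths, field names and the
// Tcl script's input format are assumptions for illustration.
const TCL_SCRIPT = '/home/phil/private/process.tcl';        // outside the web root
const TCL_ERRLOG = '/home/phil/private/process-errors.log'; // also outside the web root
const MAX_FIELD  = 2000;                                    // assumed per-field cap

// Validate in PHP before anything reaches the Tcl side: allow-list the
// field names, require strings, cap lengths, reject control characters
// other than tab, CR and LF.
function validate_fields(array $post): array
{
    $allowed = ['name', 'email', 'comment'];
    $clean   = [];
    foreach ($allowed as $f) {
        $v = $post[$f] ?? '';
        if (!is_string($v) || strlen($v) > MAX_FIELD) {
            throw new InvalidArgumentException("$f missing, not a string, or too long");
        }
        if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $v)) {
            throw new InvalidArgumentException("$f contains control characters");
        }
        $clean[$f] = $v;
    }
    return $clean;
}

// Send one JSON document on the child's stdin and read its stdout. The data
// never touches a shell or the process table, is not bounded by argv or
// environment size limits, and arrives as a structured document instead of
// by position, so quotes, braces and newlines in values are not ambiguous.
function run_over_pipe(array $fields): array
{
    $spec = [
        0 => ['pipe', 'r'],                 // child's stdin  (we write)
        1 => ['pipe', 'w'],                 // child's stdout (we read)
        2 => ['file', TCL_ERRLOG, 'a'],     // stderr to a log file: no second pipe to drain
    ];
    // Array form of the command starts tclsh directly, with no /bin/sh in between.
    $proc = proc_open(['/usr/bin/tclsh', TCL_SCRIPT], $spec, $pipes, null,
                      ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start tclsh');
    }
    fwrite($pipes[0], json_encode($fields, JSON_THROW_ON_ERROR));
    fclose($pipes[0]);                      // EOF marks the end of the payload
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $rc = proc_close($proc);
    if ($rc !== 0) {
        throw new RuntimeException("tcl script exited with status $rc");
    }
    return explode("\n", rtrim($out, "\n"));
}

// Tcl side (assumed, for reference; needs the json package from tcllib):
//   package require json
//   set data [::json::json2dict [read stdin]]
//   set name [dict get $data name]

header('Content-Type: text/plain');
try {
    foreach (run_over_pipe(validate_fields($_POST)) as $line) {
        echo $line, "\n";
    }
} catch (Exception $e) {
    http_response_code(400);
    echo "rejected\n";                      // never echo exception text to the client
}
```

Two design choices worth noting. Closing the stdin pipe is what tells the Tcl script the payload is complete, so the script can `read stdin` to EOF and parse once, rather than guessing where a record ends. Sending stderr to a file instead of a second pipe avoids the classic deadlock where the child blocks writing to a full stderr pipe while the parent blocks reading stdout; on a shared host that log must sit outside the document root with the script.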


