Lunarpages Web Hosting Forum

Author Topic: info on allowed scripts?  (Read 3972 times)

superstar
info on allowed scripts?
« Reply #15 on: March 01, 2004, 03:03:32 PM »
Quote from: steve
Quote from: superstar
So, which scripts are allowed now?

I replied to this in an earlier post, but it's not so much a whitelisting of certain scripts as a blacklisting of known-issue code that we've linked with a specific complaint (and sometimes, a spam block).

Quote from: superstar
"Invalid Cgi" is all I get in my error logs, did you disable my whole cgi directory?

That was the reasoning for appending a suffix to the script as opposed to completely renaming them. The scripts should still be where you left them.

Quote from: superstar
And I never got an email either. The scripts worked yesterday...

If there's an email address in the database (that works), an email was sent that direction. Else, a message went to the operations manager with a list.


Steve,

I am using a SSI directive to track spiders on my pages

<!--#exec cgi="/cgi-bin/spydertrax.cgi" -->

As I said it worked until yesterday, now I get invalid "cgi-bin directory"
messages although the script remained unchanged in the same folder.

Am I allowed to use it or not ?

Thanks

steve
info on allowed scripts?
« Reply #16 on: March 01, 2004, 03:10:27 PM »
Quote from: Kata
One of the things I have done with my scripts is all variables that interface with the email part are named with obscure names like $hfssuyf3f instead of $to. Chances are the spammer would give up first :-)

The issue isn't with the variable name, but where the variable gets its value (e.g. the embedded value from the form which anyone can read).
Steven Klassen
Lunarpages Support
http://www.lunarpages.com/

steve
info on allowed scripts?
« Reply #17 on: March 01, 2004, 03:12:33 PM »
Quote from: superstar
Steve,

I am using a SSI directive to track spiders on my pages

<!--#exec cgi="/cgi-bin/spydertrax.cgi" -->

As I said it worked until yesterday, now I get invalid "cgi-bin directory"
messages although the script remained unchanged in the same folder.

Am I allowed to use it or not ?

Thanks

Good question. I don't know unless you tell me which system/user you're talking about so I can have a look-see. PM me some information.

Ed
info on allowed scripts?
« Reply #18 on: March 01, 2004, 03:55:29 PM »
Quote
The issue isn't with the variable name, but where the variable gets its value (e.g. the embedded value from the form which anyone can read).

That's actually a value that is defined within the application, e.g.:

# define address:
$ASDFS23fd = "ed@domain.com";

Just in case someone posts a form and puts in an input box with to: as the name and puts other addresses in there, it will be mighty hard for them to guess the variable name they have to spoof.

- Ed

steve
info on allowed scripts?
« Reply #19 on: March 01, 2004, 04:16:16 PM »
Quote from: Kata

Just in case someone posts a form and puts in an input box with to: as the name and puts other addresses in there, it will be mighty hard for them to guess the variable name they have to spoof.

That's actually closer to what needs to happen with these scripts. The author needs to let the user of the script define a few things within the script instead of doing the warm/fuzzy hidden form field thing.

Ed
info on allowed scripts?
« Reply #20 on: March 01, 2004, 04:23:55 PM »
Is it possible, however, to overwrite those variables by submitting other values for them through the form? (Assuming they are declared and set before the form contents are read in?)

- Ed

steve
info on allowed scripts?
« Reply #21 on: March 01, 2004, 04:28:14 PM »
Quote from: Kata
Is it possible, however, to overwrite those variables by submitting other values for them through the form? (Assuming they are declared and set before the form contents are read in?)

- Ed

Not in perl, because variables aren't created automatically and have to be read from the %ENV hash. As long as you don't get any portion of your mail header from the form, you should be fine. Limiting access with a sturdy referer check is always a good thing, too.
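The two weaknesses the thread circles around (a recipient taken from a hidden form field that anyone can read and resubmit, and form values copied into mail headers without checking for line breaks) are easier to see side by side. The following is an added example, not code from this thread, from Lunarpages or from any of the form-mailer scripts being discussed; it is written in Python rather than the Perl the posts refer to, and the owner address, the allowed referer prefix and the two request strings are constructed for illustration. Because the form's values live in their own dictionary, a submitted field called `SITE_OWNER` cannot overwrite the constant of that name, which is the property steve describes for Perl above.

```python
from urllib.parse import parse_qs


class RejectedSubmission(Exception):
    """Raised by the hardened handler when a request is refused."""


# Assumed configuration: fixed inside the script, never read from the form.
SITE_OWNER = "owner@example.com"
ALLOWED_REFERER_PREFIX = "http://www.example.com/"


def parse_form(query_string):
    """Decode a form submission into one value per field (first value wins)."""
    return {name: values[0]
            for name, values in parse_qs(query_string, keep_blank_values=True).items()}


def vulnerable_message(form):
    """The pattern the thread is about: the recipient comes from a hidden 'to'
    field that anyone can read in the page source and resubmit with another
    value, and no field is checked for line breaks, so a CR/LF in the subject
    turns into extra headers such as Bcc:."""
    headers = [
        "To: " + form.get("to", ""),
        "From: " + form.get("email", ""),
        "Subject: " + form.get("subject", ""),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + form.get("message", "")


def safe_header_value(value):
    """Refuse any value that could terminate the header line it is placed on."""
    if "\r" in value or "\n" in value or "\0" in value:
        raise RejectedSubmission("line break in header field")
    return value


def hardened_message(form, referer):
    """Recipient fixed in the script, every header-bound field checked for line
    breaks, plus a referer check as an extra hurdle (the Referer header is
    client-supplied and forgeable, so it is a speed bump, not the control)."""
    if not referer or not referer.startswith(ALLOWED_REFERER_PREFIX):
        raise RejectedSubmission("missing or foreign referer")
    headers = [
        "To: " + SITE_OWNER,
        "From: " + safe_header_value(form.get("email", "")),
        "Subject: " + safe_header_value(form.get("subject", "")),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + form.get("message", "")


def submit(form, referer):
    """Run the hardened handler; returns (accepted, message_or_reason)."""
    try:
        return True, hardened_message(form, referer)
    except RejectedSubmission as exc:
        return False, str(exc)


def header_lines(message):
    """Return the header block of a message as a list of lines."""
    return message.split("\r\n\r\n", 1)[0].split("\r\n")


def recipient_headers(message):
    """Every To/Cc/Bcc line an MTA would honour; an honest form yields one."""
    return [line for line in header_lines(message)
            if line.split(":", 1)[0].lower() in ("to", "cc", "bcc")]


# Constructed requests: an honest visitor, and a spammer who rewrites the
# hidden recipient and smuggles a Bcc: line in through the subject field.
HONEST = "to=owner%40example.com&email=alice%40example.net&subject=Hello&message=Hi"
ATTACK = ("to=victim%40example.net&email=spammer%40example.org"
          "&subject=Hello%0D%0ABcc%3A+a%40example.net%2Cb%40example.net"
          "&message=buy+now")


if __name__ == "__main__":
    bad = vulnerable_message(parse_form(ATTACK))
    print("vulnerable script would send to:", recipient_headers(bad))
    print("hardened script, same request:",
          submit(parse_form(ATTACK), ALLOWED_REFERER_PREFIX + "contact.html"))
    ok, good = submit(parse_form(HONEST), ALLOWED_REFERER_PREFIX + "contact.html")
    print("hardened script, honest request:", recipient_headers(good))
```

Run it as a script to see the vulnerable handler produce two recipient headers from one request, and the hardened handler refuse the same request while still delivering the honest one to the fixed owner address.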

Ed
info on allowed scripts?
« Reply #22 on: March 01, 2004, 04:34:23 PM »
OK cool :-)

Maybe when I get a chance, I'll write up some kind of un-user-friendly but very secure mailer script that can safely be used here without being 21k in size.

- Ed

steve
info on allowed scripts?
« Reply #23 on: March 01, 2004, 04:59:12 PM »
Quote from: Kata
Maybe when I get a chance, I'll write up some kind of un-user-friendly but very secure mailer script that can safely be used here without being 21k in size.

Sounds like a plan. Maybe we can throw the source online when it's done and challenge people to break it.

There would have to be cash prizes, of course. =)


TWebMan
info on allowed scripts?
« Reply #25 on: March 02, 2004, 05:43:39 AM »
Thanks guys, I'm collecting the info I get about this so I'll hopefully know what I can do to remove the vulnerabilities in mine.
"Computers cause people to make more mistakes than any other invention in history, with the possible exception of handguns and tequila."  - Unknown
"Liberty of any kind is seldom lost all at once." - D. Hume
Every day is an Ode to Joy
The planet will be fine... and so will your site

steve
info on allowed scripts?
« Reply #26 on: March 02, 2004, 05:18:03 PM »
Quote from: TWebMan
Thanks guys, I'm collecting the info I get about this so I'll hopefully know what I can do to remove the vulnerabilities in mine.

No worries. Bring it on by and I'll break it for ya.

TWebMan
info on allowed scripts?
« Reply #27 on: March 02, 2004, 05:56:51 PM »
heheh Can't wait, Steve :)  But um I hope I won't have to give you a hundred bucks.   :D