New To Web Development Forum
Website security - file and data exposure
jscjso (msg:3663397), 3:26 am on May 31, 2008 (gmt 0)

I am not sure my .pl files and data files are secure in my domain.
Can someone explain this to me so as to remove my concern?

People can execute my index.html. From the 'view source' of the index.html in any browser, anyone can see my file names linked in the index.html. Subsequently, s/he will find out all the .pl filenames running behind the HTMLs.

Since the .pl files and data files are all in my domain directory and its sub-directories, can people type the URL with the filenames directly and see my .pl file and data file contents?

I read through my server instructions; there are allow/deny or deny/allow directives for specific clients. I do not think this can do much to protect my data files and .pl files.

 

rocknbil (msg:3663716), 4:56 pm on May 31, 2008 (gmt 0)

Welcome aboard jscjso! Yes, if they can see the link - they can put it in the address bar and move to it directly. They can also determine the directory structure of your website.

But your concern is slightly misdirected. You should not so much be concerned about them getting to these files and directories, but more what they can do once they get there.

And see my .pl file and data file contents.

This file should execute once it is requested. That is, they should not be able to see the .pl file contents as if it were being edited; it should run and output whatever it outputs. (More to this story below.)

As for your directories, DEFINITELY ensure that directory browsing is not allowed. To test this, browse to any directory on your site:

http://example.com/directory

You should see the message "Directory Browsing Denied" (or not allowed.) If you see all your files, this is not good - you have two solutions:

1. Get your web host to configure the domain so directory browsing is not allowed.
2. Place an index.html file in EVERY directory. With the proper domain set up, for the above URL, they will see your file, not the directory contents.

For your .pl files, as I said, it's not that someone can get to the files - it's what they do when they get there that you need to be concerned about. Securing perl scripts is a long topic, but one I will sum up with Selena Sol's comment from 1995 or so:

Every user input is a potential hack.

So the first point of concern for any script is to cleanse any input and disallow anything but EXACTLY what it should receive. Many think, "well, it's not on the form, so they can't send it anything else." But don't forget, I can send ANYTHING to a script via command line or web request:

http://example.com/scripts/script.pl?size=this+is+mybad+data

This is especially true of mailer scripts, the largest target of hackers/spammers. If your "data" is via any type of online database, securing your scripts - from within, in the programming - is even more important.

Second, if these .pl files are not MEANT to be accessed from the web, as in an included perl library, you can follow the advice here [webmasterworld.com].

Some relevant searches: "script security", "sql injection", "email injection."
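The directory-browsing and "library not meant for the web" points above, as an added Apache configuration example (not from this thread or from either poster). It shows the weak setting beside the corrected one, and blocks direct HTTP requests to Perl modules and flat data files while still letting the CGI scripts run. The document root, the cgi-bin and data directory names, and the .pm/.dat/.txt extensions are assumptions about the poster's layout; both the Apache 2.4 "Require" form and the older "Order/Deny" form that the first post mentions are shown, because the allow/deny directives are exactly what keeps every web client away from a file, not only specific ones.

```apache
# Added example, not code from the thread. Assumed layout:
#   /var/www/example.com/            document root
#   /var/www/example.com/cgi-bin/    .pl scripts and the .pm modules they require
#   /var/www/example.com/data/       .dat / .txt files the scripts read

# Weak: directory listings enabled, so http://example.com/data/ shows every file
# Options +Indexes

# Corrected: no listings anywhere under the document root
<Directory "/var/www/example.com">
    Options -Indexes
</Directory>

# Scripts must run, not be displayed: map .pl to the CGI handler
<Directory "/var/www/example.com/cgi-bin">
    Options +ExecCGI -Indexes
    AddHandler cgi-script .pl

    # Perl library modules are loaded with "require"/"use" from the filesystem,
    # so a browser never needs them: refuse every HTTP request for them.
    <FilesMatch "\.pm$">
        Require all denied
        # Apache 2.2 equivalent:
        # Order deny,allow
        # Deny from all
    </FilesMatch>
</Directory>

# Data files: the scripts open them by path, so HTTP access is denied outright.
<Directory "/var/www/example.com/data">
    Require all denied
    # Apache 2.2 equivalent:
    # Order deny,allow
    # Deny from all
</Directory>
```

After reloading Apache, the check is the same one rocknbil describes: request the directory and the data file URLs directly and confirm you get a 403, while a request for the .pl script still returns the script's output. The stronger fix is to keep modules and data files outside the document root entirely, so there is nothing for the web server to serve; the deny rules above are the fallback when the hosting layout does not allow that.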

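The "every user input is a potential hack" point, as an added Perl example (not code from this thread or from either poster). It accepts each parameter only when it matches an anchored allowlist pattern, rejects unknown parameters, and refuses any value destined for a mail header that contains a carriage return or line feed, which is the email-injection trick used against mailer scripts. The parameter names, their formats and the sample inputs are assumptions constructed for the demonstration; a real script would pull the raw values from its CGI parameter parser and should be run with taint checking (perl -T), under which the capturing group in each pattern is what untaints the value.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Run with: perl -T script.pl
use strict;
use warnings;

# Allowlist per parameter: a regex anchored at both ends with one capture group.
# Anything not matching exactly is rejected. Formats are assumptions.
my %ALLOWED = (
    size  => qr/\A(small|medium|large)\z/,
    qty   => qr/\A([1-9][0-9]{0,2})\z/,                              # 1..999
    email => qr/\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/,
    name  => qr/\A([A-Za-z][A-Za-z .'-]{0,59})\z/,                    # cannot contain CR/LF
);

# Return the validated (and, under -T, untainted) value, or undef when the
# parameter is missing, unknown, or does not match its pattern exactly.
sub clean_param {
    my ($name, $raw) = @_;
    return undef unless defined $raw;
    my $re = $ALLOWED{$name} or return undef;   # unknown parameter: reject
    return $raw =~ $re ? $1 : undef;
}

# Mail header values: a CR or LF lets the sender append headers such as
# "Bcc: ...". Refuse rather than strip, so the attempt is visible in logs.
sub safe_header_value {
    my ($v) = @_;
    return undef if !defined $v || $v =~ /[\r\n\0]/;
    return $v;
}

# Validate a whole request. Dies on the first bad field with a message fit
# for a log line (never echo the raw input back into the page unescaped).
sub validate_request {
    my ($params) = @_;
    my %clean;
    for my $name (sort keys %ALLOWED) {
        my $v = clean_param($name, $params->{$name});
        die "rejected parameter '$name'\n" unless defined $v;
        $clean{$name} = $v;
    }
    return \%clean;
}

# Constructed sample inputs, not real requests.
if (!caller) {
    my $good = { size => 'large', qty => '12', email => 'jo@example.com', name => 'Jo Smith' };
    my $bad  = { size => 'this is mybad data', qty => '12', email => 'jo@example.com', name => 'Jo' };
    my $inj  = "jo\@example.com\r\nBcc: victim\@example.org";

    my $clean = validate_request($good);
    print "good: ", join(',', map { "$_=$clean->{$_}" } sort keys %$clean), "\n";
    print "bad size accepted? ",       (defined clean_param('size', $bad->{size}) ? 'yes' : 'no'), "\n";
    print "injected email accepted? ", (defined safe_header_value($inj)            ? 'yes' : 'no'), "\n";
    my $ok = eval { validate_request($bad); 1 };
    print "bad request rejected with: $@" unless $ok;
}
```

The design choice is allowlisting rather than blocklisting: the script states what a field may look like and rejects everything else, so it does not need to anticipate each new trick. For the mailer case the email pattern already excludes CR and LF, and safe_header_value is the second line of defence for any free-text value that ends up in a header.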
© Webmaster World 1996-2014 all rights reserved