Company hacks through my Perl's Website Security hole
by Nik on May 21, 2004 at 16:16 UTC

Nik has asked for the wisdom of the Perl Monks concerning the following question:
Some people today from efnet just hacked the company that gives people free ftp access and Perl and MySQL support for people to upload their webpages, www.50free.com, through my website.
They used a security hole of an open command at index.pl this to be exact.
And they gave a string similar to this at their address bar, kos.50free.net/cgi-bin/index.pl?select=../../../../../bin/ls%20-la%20%7e%7c, to do it. They passed values to the select variable and did those things. In the same way they gained pseudo shell access within my user account and did various things.

My question is this: Should I be considered responsible for such an action? I just today found out that my site had a security hole like that. Or is the company to blame for not securing their server better, as they should and could have?

At the moment I have not been able to log in to my ftp account for a lot of hours, and the company's main webpage is not functioning either. What is your opinion? I believe not mine, because I am a newbie user and I can't know whether or not my website has security flaws or holes (at the moment I just want my webpage to work); security is not my concern now. I believe the company should have imagined that these things might happen and prevented them.

What do you think?
20040525 Edit by castaway: Changed title from 'Compnay hackes through my Perl's Website Securtity hole'
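
An added example, not part of the original post and not Nik's code: the `open` call in index.pl is not shown on the page, so this assumes the script passed the `select` parameter straight to Perl's `open`, where a trailing `|` in a two-argument `open` runs the value as a command. The names `$DATA_DIR` and `open_selected` are hypothetical, and the sample file and inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical stand-in for the directory index.pl is meant to read from.
my $DATA_DIR = tempdir(CLEANUP => 1);

# Constructed sample file so the script runs offline.
open(my $seed, '>', File::Spec->catfile($DATA_DIR, 'welcome.txt'))
    or die "seed: $!";
print {$seed} "hello\n";
close $seed;

# Returns (filehandle, 'ok') or (undef, reason).
sub open_selected {
    my ($select) = @_;

    # Allowlist: a bare file name only. No slashes, no "..", no spaces,
    # and none of the characters open() or a shell treat specially (| < > ~).
    return (undef, 'rejected: bad characters')
        unless defined $select
            && $select =~ /\A([A-Za-z0-9_-]{1,64}\.txt)\z/;

    my $path = File::Spec->catfile($DATA_DIR, $1);

    # Three-argument open: the mode is fixed to '<', so a leading or
    # trailing '|' in the name can never turn the call into a command.
    open(my $fh, '<', $path) or return (undef, "rejected: $!");
    return ($fh, 'ok');
}

# Constructed inputs; the second is the URL-decoded value from the post.
for my $value ('welcome.txt', '../../../../../bin/ls -la ~|',
               'missing.txt', "welcome.txt\n") {
    my ($fh, $status) = open_selected($value);
    (my $shown = $value) =~ s/\n/\\n/g;
    printf "%-32s %s\n", "'$shown'", $status;
    close $fh if $fh;
}
```

Only the first input is opened; the value from the post is rejected by the allowlist before `open` is ever reached, and the three-argument form keeps the call read-only even if the pattern were loosened later.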