PerlMonks  
Some people today from efnet just hacked the Company that gives people free FTP access and Perl and MySQL support for people to upload their webpages, www.50free.com, through my website.

They used a security hole of an open command in index.pl, this to be exact:

    use CGI qw(:standard);   # provides start_form, p, font, popup_menu, submit, end_form, param

    # @files holds the text filenames offered in the menu; it is populated
    # earlier in the script (not shown in the post).
    print start_form(-action=>"index.pl");
    print p( {-align=>'center'},
             font( {-size=>5, -color=>'Lime'}, 'Λόγος Ψυχωφελής και Θαυμάσιος => ' ),
             popup_menu( -name=>'select', -values=>\@files ),
             submit('ok') );
    print end_form();

    $file = param("select") || $files[rand(@files)];
    # Two-argument open: the user-supplied value becomes part of a mode/filename
    # expression, so a trailing '|' makes Perl run it as a command instead of reading a file.
    open(IN, "../data/texts/$file") or die $!;

and they gave a string similar to this at their address bar, kos.50free.net/cgi-bin/index.pl?select=../../../../../bin/ls%20-la%20%7e%7c, to do it. They passed values to the select variable and did those things. In the same way they gained a pseudo shell access within my user account and did various things.

My question is this: Should I have to be considered responsible for such an action? I just today found out that my site had a security hole like that. Or is the Company to blame for not securing their server better, as they should and could have?

At the moment I can't log in to my FTP account (nor could I a lot of hours ago), and the Company's main webpage isn't functioning either. What is your opinion? I believe it is not mine, because I am a newbie user and I can't know whether or not my website has security flaws or holes (at the moment I just want my webpage to work); security is not my concern now. I believe the company should have imagined that these things might happen and prevented them.

What do you think?

20040525 Edit by castaway: Changed title from 'Compnay hackes through my Perl's Website Securtity hole'


In reply to Company hacks through my Perl's Website Security hole by Nik
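The hole in the post is the classic two-argument open: whatever arrives in the select parameter is spliced into a filename expression, and Perl treats a trailing "|" as "run this and read its output". The following is an added example, not Nik's code and not anything from 50free: it rewrites the same fragment so the menu value can only ever be one of the names actually present in the text directory, and opens the file with a three-argument open that never parses the name. The directory path ../data/texts is assumed from the post; list_texts and choose_text are names chosen here.

```perl
#!/usr/bin/perl -T
# Hardened rewrite of the index.pl fragment from the post (added example).
# -T enables taint mode: any value derived from user input or readdir must be
# explicitly validated (captured through a regex) before it may reach open().
use strict;
use warnings;
use CGI qw(:standard);
use File::Spec;

my $TEXT_DIR = '../data/texts';   # assumed layout, as in the post

# Build the allowlist from the directory itself. Only plain files whose names
# are simple (letters, digits, '_', '-', '.', no leading dot, no '/' or
# shell metacharacters) are kept; the regex capture also untaints each name.
sub list_texts {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "Cannot open $dir: $!";
    my @names = sort
                grep { -f File::Spec->catfile($dir, $_) }
                map  { /\A([\w-][\w.-]*)\z/ ? $1 : () }
                readdir($dh);
    closedir($dh);
    die "No texts found in $dir\n" unless @names;
    return @names;
}

# Return the allowlisted copy of the requested name, or a random text when the
# request is missing or not on the list. Inputs such as '../../../../bin/ls -la ~|'
# never match a listed name, so they simply fall back to the random choice.
sub choose_text {
    my ($requested, @names) = @_;
    my %ok = map { $_ => $_ } @names;          # value is the untainted copy
    return $ok{$requested}
        if defined $requested && exists $ok{$requested};
    return $names[ rand @names ];
}

my @files = list_texts($TEXT_DIR);
my $file  = choose_text(scalar param('select'), @files);

print header(-charset => 'UTF-8');
print start_form(-action => 'index.pl');
print p( {-align => 'center'},
         font( {-size => 5, -color => 'Lime'}, 'Λόγος Ψυχωφελής και Θαυμάσιος => ' ),
         popup_menu( -name => 'select', -values => \@files, -default => $file ),
         submit('ok') );
print end_form();

# Three-argument open with an explicit '<' mode: the filename is data only and
# cannot become a pipe or a redirection, whatever characters it contains.
my $path = File::Spec->catfile($TEXT_DIR, $file);
open(my $in, '<', $path) or die "Cannot read $path: $!";
print "<pre>", escapeHTML(join '', <$in>), "</pre>";
close($in);
```

Two things carry the protection: the allowlist is derived from the real directory listing rather than from anything the client sends, and the open call is the three-argument form, so even if a bad name did slip through it would be looked up as a file and fail rather than be executed. Running under -T makes the second point enforceable: Perl refuses to open a path built from unvalidated input, which turns a silent hole into an immediate error in the server log.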
