Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re: •Web Security

by samtregar (Abbot)
on Jun 22, 2002 at 19:36 UTC ( #176515=note: print w/ replies, xml ) Need Help??


in reply to Web Security

Hhaha, that's a good one. Here's one I found recently that you might like:

foreach my $name ($query->param()) { $ENV{$name} = $query->param($name); }

Very nice, eh? Add that to the fact that the rest of the application uses environment variables for configuration and security and you've got a gaping security hole.

I had to spend at least a half an hour explaining why this wasn't such a good idea in an application that takes credit card data. The worst thing is, the guy that wrote it is generally a good programmer. He'd just gotten into a "not my problem" mindset. Someone asked him to make all CGI params available as environment variables and he just did it!

-sam


Comment on Re: •Web Security
Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://176515]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (6)
As of 2015-07-04 06:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (57 votes), past polls