PerlMonks  

Re: •Re: Image Lister

by Chady (Priest)
on Apr 04, 2003 at 19:50 UTC


in reply to •Re: Image Lister
in thread Image Lister

Well, does it really matter?

I mean, it's an <img .. tag, and these are usually on a small server meant only for presentation to the clients when a meeting is not very necessary, and as I said, it's just a replacement for the default directory listing (I know I can set up the webserver to serve its folder listings like that, but the server this is used on is a virtual hosting, so no access to configuration) - so if they can see it with the folder listing, I don't see a problem if they see it with this snippet.

I think this poses a problem when/if I actually open the file in the perl script to read the contents and print to STDOUT...


He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.

Chady | http://chady.net/

•Re: Re: •Re: Image Lister
by merlyn (Sage) on Apr 04, 2003 at 19:56 UTC
    It's still a security hole. If you're going to the trouble to strip leading dots, you might as well do the whole job and make sure you're reasonably secure in the entire path.

    And even as is, it's also a useful probing tool. I can see if you have a password file, or certain binaries, because you have a different response if the thing exists vs not exists. Such information can be used to determine if certain users exist (probe for /home/someuser, for example) or what version of software is being run on the system (by looking for paths that exist on Linux vs BSD, etc.)

    So, to fend off the next likely response of "why do I care? there's nothing interesting on this box", remember that an 0wn3d box can be used to launch attacks on others with some anonymity, or worse yet, putting the blame on you.

    Security does matter.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      Ah... I was sure you wouldn't reply for the trivial <img.. tag.

      I missed the if ( -e "./$pic" ) bit... I see the point now. Thanx for the pointer.


      He who asks will be a fool for five minutes, but he who doesn't ask will remain a fool for life.

      Chady | http://chady.net/
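The point merlyn makes above is that stripping leading dots still leaves the whole path under the caller's control, and the `-e "./$pic"` test then answers "exists / does not exist" for any path on the box. The following is an added example written for this page, not code from the thread or from the original Image Lister snippet: it whitelists the picture name instead of blacklisting dots, joins it to one fixed directory, confirms the resolved file still lives inside that directory, and returns the same `undef` for every rejected request so nothing outside the image directory can be probed. The directory and file names in the demo are constructed on the fly in a temp directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Given the one directory the listing is allowed to expose and the
# user-supplied picture name, return the resolved path to serve, or
# undef if the request is anything other than an image inside that
# directory. Every rejected request gets the same answer, so a caller
# learns nothing about paths elsewhere on the box.
sub safe_image_path {
    my ($dir, $pic) = @_;
    return undef unless defined $dir && defined $pic;

    # Canonical base directory, symlinks resolved.
    my $base = realpath($dir);
    return undef unless defined $base && -d $base;

    # Whitelist the name instead of blacklisting leading dots: a bare
    # filename with a known image suffix, no slashes, no leading dot.
    return undef unless $pic =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\.(?:jpe?g|png|gif)\z/i;

    # Build the path under the fixed base; the user never supplies a directory part.
    my $path = File::Spec->catfile($base, $pic);
    return undef unless -f $path;

    # Resolve symlinks and confirm the real file still lives under $base.
    my $real = realpath($path);
    return undef unless defined $real && index($real, "$base/") == 0;
    return $real;
}

# Demo on a scratch directory holding one constructed image file.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', File::Spec->catfile($dir, 'cat.jpg') or die "open: $!";
close $fh;

# Only the first request is served; every other one, whether it names a
# missing image or tries to leave the directory, gets the identical reply.
for my $req ('cat.jpg', 'dog.jpg', '../../etc/passwd', '.htaccess', 'cat.jpg/../../x') {
    my $p = safe_image_path($dir, $req);
    printf "%-18s => %s\n", $req, defined $p ? "serve $p" : "not an image here";
}
```

The existence test is still there, but because the name can no longer carry a directory component, `-f` can only ever answer for files inside the directory the listing already shows, which is exactly the information Chady was happy to expose in the first place.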
