Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Re: Exec script within script or import sub...? help plz

by hbo (Monk)
on Jun 21, 2004 at 03:03 UTC ( #368356=note: print w/ replies, xml ) Need Help??


in reply to Exec script within script or import sub...? help plz

Of course, with HTML::Template you could do stuff like this:

<SELECT name="whaticando"> <option value="1"> Log off </option> <TMPL_IF name=Unprivileged> <option value="2"> Whistle a tune </option> </TMPL_IF> <TMPL_IF name=Privileged> <option value="3">Blow my horn</option> </TMPL_IF> </SELECT>

Then in the script:
if ($privileged){ $html->param( whaticando => 'Privileged' ); } else { $html->param( whaticando => 'Unprivileged' ); }

This isn't atually a good way to enforce privilege levels. A clever user could post to your script supplying a "3" instead of a "2" for the "whaticando" parameter. You still need to enforce privilege on the server side without reference to what the client gives you. (Other than a cookie, say, which has it's own vulnerabilities similar to the one just given.) But this method let's your presentation vary based on a privilege level. There are probably neater ways to do this than I've shown.


Comment on Re: Exec script within script or import sub...? help plz
Select or Download Code
Re^2: Exec script within script or import sub...? help plz
by Stenyj (Beadle) on Jun 21, 2004 at 04:07 UTC
    Yeah, thx. I'm being stupid about it all. Just going to adjust how I use html::template.

    As far as server side enforcing goes... I set a param of a session (using CGI::Session) to record their appropriate access. This should be secure, since they have no way of modifying the contents of a session, only the cookie that identifies which session they own, correct?

    Thx for the feedback guys.


    Steny
      Cookies are subject to man-in-the-middle attacks, particularly if you use them in non encrypted communication. CGI::Session uses cookies to keep state between the server and client. The attack isn't easy to do, so it shouldn't be a concern for a low-value target. If you have a high-value target you should be using SSL and keeping the cookie lifetimes short.

      I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client:

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://368356]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (17)
As of 2014-08-27 13:14 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (238 votes), past polls