Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"

Re: Exec script within script or import sub...? help plz

by hbo (Monk)
on Jun 21, 2004 at 03:03 UTC ( #368356=note: print w/replies, xml ) Need Help??

in reply to Exec script within script or import sub...? help plz

Of course, with HTML::Template you could do stuff like this:
<SELECT name="whaticando"> <option value="1"> Log off </option> <TMPL_IF name=Unprivileged> <option value="2"> Whistle a tune </option> </TMPL_IF> <TMPL_IF name=Privileged> <option value="3">Blow my horn</option> </TMPL_IF> </SELECT>

Then in the script:
if ($privileged){ $html->param( whaticando => 'Privileged' ); } else { $html->param( whaticando => 'Unprivileged' ); }

This isn't atually a good way to enforce privilege levels. A clever user could post to your script supplying a "3" instead of a "2" for the "whaticando" parameter. You still need to enforce privilege on the server side without reference to what the client gives you. (Other than a cookie, say, which has it's own vulnerabilities similar to the one just given.) But this method let's your presentation vary based on a privilege level. There are probably neater ways to do this than I've shown.

Replies are listed 'Best First'.
Re^2: Exec script within script or import sub...? help plz
by Stenyj (Beadle) on Jun 21, 2004 at 04:07 UTC
    Yeah, thx. I'm being stupid about it all. Just going to adjust how I use html::template.

    As far as server side enforcing goes... I set a param of a session (using CGI::Session) to record their appropriate access. This should be secure, since they have no way of modifying the contents of a session, only the cookie that identifies which session they own, correct?

    Thx for the feedback guys.

      Cookies are subject to man-in-the-middle attacks, particularly if you use them in non encrypted communication. CGI::Session uses cookies to keep state between the server and client. The attack isn't easy to do, so it shouldn't be a concern for a low-value target. If you have a high-value target you should be using SSL and keeping the cookie lifetimes short.

      I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client:

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://368356]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (5)
As of 2018-02-21 06:02 GMT
Find Nodes?
    Voting Booth?
    When it is dark outside I am happiest to see ...

    Results (275 votes). Check out past polls.