PerlMonks

Re: Exec script within script or import sub...? help plz

by hbo (Monk)
on Jun 21, 2004 at 03:03 UTC (#368356)


in reply to Exec script within script or import sub...? help plz

Of course, with HTML::Template you could do stuff like this:

<SELECT name="whaticando">
  <option value="1"> Log off </option>
  <TMPL_IF name=Unprivileged>
    <option value="2"> Whistle a tune </option>
  </TMPL_IF>
  <TMPL_IF name=Privileged>
    <option value="3">Blow my horn</option>
  </TMPL_IF>
</SELECT>

Then in the script:
if ($privileged) {
    $html->param( Privileged => 1 );    # enables the <TMPL_IF name=Privileged> block
} else {
    $html->param( Unprivileged => 1 );  # enables the <TMPL_IF name=Unprivileged> block
}

This isn't actually a good way to enforce privilege levels. A clever user could post to your script supplying a "3" instead of a "2" for the "whaticando" parameter. You still need to enforce privilege on the server side without reference to what the client gives you. (Other than a cookie, say, which has its own vulnerabilities similar to the one just given.) But this method lets your presentation vary based on a privilege level. There are probably neater ways to do this than I've shown.
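An added example, not code from the post above, showing the two halves of the point side by side: the template only decides which options the browser is shown, while a separate server-side table decides which posted "whaticando" values the caller's privilege level may actually execute. The `%allowed_for` table, the `render_menu` and `authorize_action` helpers, and the hard-coded `$level` are assumptions for the demo; in a real script `$level` would be read from server-side session state looked up by session id, never from the request.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Template in the spirit of the post: option values are a hint to the
# browser about what to show, never a statement of what the user may do.
my $tmpl = <<'END_TMPL';
<select name="whaticando">
  <option value="1">Log off</option>
  <TMPL_IF NAME="Unprivileged"><option value="2">Whistle a tune</option></TMPL_IF>
  <TMPL_IF NAME="Privileged"><option value="3">Blow my horn</option></TMPL_IF>
</select>
END_TMPL

# Server-side policy (assumed for this example): which action codes each
# privilege level may submit. This table, not the rendered menu, is the
# source of truth when a form comes back.
my %allowed_for = (
    Unprivileged => { 1 => 'logoff', 2 => 'whistle' },
    Privileged   => { 1 => 'logoff', 3 => 'horn'    },
);

# Presentation only: render the menu appropriate to a privilege level.
sub render_menu {
    my ($level) = @_;
    my $html = HTML::Template->new(scalarref => \$tmpl);
    $html->param($level => 1);    # sets either Privileged or Unprivileged
    return $html->output;
}

# Enforcement: check a posted "whaticando" value against the caller's real
# level. $level must come from server-side state keyed by the session id,
# not from anything in the request body or the cookie contents.
# Returns the action name, or undef when the request must be rejected.
sub authorize_action {
    my ($level, $posted) = @_;
    return undef unless defined $posted && $posted =~ /\A\d+\z/;   # junk input
    my $table = $allowed_for{$level} or return undef;              # unknown level
    return $table->{$posted};    # undef when this level may not do it
}

# Constructed demo: an unprivileged user who edits the form and posts "3".
my $level = 'Unprivileged';    # assumption: normally read from the session
print render_menu($level);
for my $posted (qw(2 3 abc)) {
    my $action = authorize_action($level, $posted);
    printf "posted %-3s => %s\n", $posted,
        defined $action ? "run '$action'" : 'REJECTED';
}
```

The rendered menu for an unprivileged user never contains option 3, but `authorize_action` is what actually stops a tampered "3" (or a non-numeric value) from doing anything; the menu could be removed entirely and the policy would still hold.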


Re^2: Exec script within script or import sub...? help plz
by Stenyj (Beadle) on Jun 21, 2004 at 04:07 UTC
    Yeah, thx. I'm being stupid about it all. Just going to adjust how I use html::template.

    As far as server side enforcing goes... I set a param of a session (using CGI::Session) to record their appropriate access. This should be secure, since they have no way of modifying the contents of a session, only the cookie that identifies which session they own, correct?

    Thx for the feedback guys.


    Steny
      Cookies are subject to man-in-the-middle attacks, particularly if you use them in non-encrypted communication. CGI::Session uses cookies to keep state between the server and client. The attack isn't easy to do, so it shouldn't be a concern for a low-value target. If you have a high-value target you should be using SSL and keeping the cookie lifetimes short.

      I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client:
