http://www.perlmonks.org?node_id=368356


in reply to Exec script within script or import sub...? help plz

Of course, with HTML::Template you could do stuff like this:
    <SELECT name="whaticando">
      <option value="1"> Log off </option>
      <TMPL_IF name=Unprivileged> <option value="2"> Whistle a tune </option> </TMPL_IF>
      <TMPL_IF name=Privileged> <option value="3"> Blow my horn </option> </TMPL_IF>
    </SELECT>

Then in the script:
    # The TMPL_IF blocks above test template params named "Privileged" and
    # "Unprivileged", so those are the params to set (setting an unrelated
    # "whaticando" param would not switch either block, and with HTML::Template's
    # default die_on_bad_params it would die as a nonexistent parameter).
    if ($privileged) {
        $html->param( Privileged => 1 );
    } else {
        $html->param( Unprivileged => 1 );
    }

This isn't actually a good way to enforce privilege levels. A clever user could post to your script supplying a "3" instead of a "2" for the "whaticando" parameter. You still need to enforce privilege on the server side without reference to what the client gives you. (Other than a cookie, say, which has its own vulnerabilities similar to the one just given.) But this method lets your presentation vary based on a privilege level. There are probably neater ways to do this than I've shown.
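The server-side enforcement the post calls for, as an added example that is not code from the original post or from HTML::Template's own documentation: the TMPL_IF flags are derived from a session record held on the server, and the submitted "whaticando" value is checked against that same record before anything is done with it, so a client that posts "3" after being shown only "1" and "2" is refused. The in-memory %SESSIONS hash (standing in for a real session store, with the client holding only the opaque id), the user names, and the allowed_actions/handle_action helpers are assumptions made for this example; HTML::Template is the CPAN module the thread is about and must be installed for the script to run.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;   # CPAN module discussed in the thread

# Constructed server-side session store (assumption for this example). The
# client only ever holds the opaque session id, e.g. in a cookie; the
# privilege level lives here and is never read from the request body.
my %SESSIONS = (
    'a1b2c3' => { user => 'alice', privileged => 1 },
    'd4e5f6' => { user => 'bob',   privileged => 0 },
);

# Which "whaticando" values each privilege level may submit. Action "1"
# (log off) is open to everyone; "2" only to unprivileged users; "3" only
# to privileged users. This table, not the rendered menu, is the authority.
sub allowed_actions {
    my ($privileged) = @_;
    return $privileged ? { 1 => 'Log off', 3 => 'Blow my horn' }
                       : { 1 => 'Log off', 2 => 'Whistle a tune' };
}

# The same menu as the post, as an inline template so the script is
# self-contained.
my $TEMPLATE = <<'HTML';
<SELECT name="whaticando">
 <option value="1"> Log off </option>
 <TMPL_IF NAME="Unprivileged"> <option value="2"> Whistle a tune </option> </TMPL_IF>
 <TMPL_IF NAME="Privileged"> <option value="3"> Blow my horn </option> </TMPL_IF>
</SELECT>
HTML

# Render the menu for a session. The TMPL_IF flags come from the session
# record, so the presentation varies with privilege as the post describes.
sub render_menu {
    my ($session_id) = @_;
    my $session = $SESSIONS{$session_id} or die "unknown session\n";
    my $html = HTML::Template->new(scalarref => \$TEMPLATE);
    $html->param(Privileged   => $session->{privileged} ? 1 : 0);
    $html->param(Unprivileged => $session->{privileged} ? 0 : 1);
    return $html->output;
}

# Handle a submitted form. The "whaticando" value is untrusted input: the
# privilege level is looked up server-side and the action is checked
# against it. Returns a status string; a real script would dispatch the
# action only on an "ok:" result.
sub handle_action {
    my ($session_id, $submitted) = @_;
    my $session = $SESSIONS{$session_id}
        or return 'denied: unknown session';
    # Reject anything that is not a plain one- or two-digit number before
    # using it as a hash key or anywhere else.
    return 'denied: malformed action'
        unless defined $submitted && $submitted =~ /^\d{1,2}$/;
    my $allowed = allowed_actions($session->{privileged});
    return "denied: $session->{user} may not perform action $submitted"
        unless exists $allowed->{$submitted};
    return "ok: $session->{user} performs '$allowed->{$submitted}'";
}

# Demonstration: bob's menu shows only options 1 and 2, but the requests
# below include the forged value "3" and a session id that does not exist.
print render_menu('d4e5f6');
print handle_action('d4e5f6', '2'), "\n";   # option bob was shown
print handle_action('d4e5f6', '3'), "\n";   # option bob was not shown
print handle_action('a1b2c3', '3'), "\n";   # same option from alice
print handle_action('zzz999', '1'), "\n";   # forged session id
print handle_action('d4e5f6', '3; rm'), "\n"; # non-numeric garbage
```

The point of keeping allowed_actions separate from the template is that the menu can be changed freely for presentation without widening what the server will accept; the check in handle_action would still hold if the template were edited to show every option to everyone.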

Re^2: Exec script within script or import sub...? help plz
by Stenyj (Beadle) on Jun 21, 2004 at 04:07 UTC
    Yeah, thx. I'm being stupid about it all. Just going to adjust how I use HTML::Template.

    As far as server side enforcing goes... I set a param of a session (using CGI::Session) to record their appropriate access. This should be secure, since they have no way of modifying the contents of a session, only the cookie that identifies which session they own, correct?

    Thx for the feedback guys.


    Steny
      Cookies are subject to man-in-the-middle attacks, particularly if you use them in non encrypted communication. CGI::Session uses cookies to keep state between the server and client. The attack isn't easy to do, so it shouldn't be a concern for a low-value target. If you have a high-value target you should be using SSL and keeping the cookie lifetimes short.

      I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client: