CGI textfield injection

by cmic (Acolyte)
on Jul 28, 2005 at 19:59 UTC [id://479112]

cmic has asked for the wisdom of the Perl Monks concerning the following question:

Hi folks
Some guys are polluting my Perl Wiki Site (UseMod based). I think they are injecting porn/spam pages through the address line. To make this injection impossible, I must know how these pranksters operate; could someone complete the following line to inject code into a CGI.pm Perl site? (The page is in a CGI textfield form.) I mean, where on the line should I put the text (ex: "injected Spam Text bla bla") to inject?
http://www.xyy.abc.fr/index.pl?action=edit&id=NewPage
PS: I promise, it's *not* to destroy other sites!!
-- cmic.
Life helps. Perl Too.

Replies are listed 'Best First'.
Re: CGI textfield injection
by Tanalis (Curate) on Jul 28, 2005 at 21:03 UTC
    I could, but I won't. While your intentions might be honourable enough, there's no guarantee that the next person who reads this thread will have the same innocuous intentions.

    You can almost certainly set up suitable logging via your web server to trap the request that's being made that's causing the malicious content to be injected. That should allow you to figure out how to simulate the request, and hence help you close the hole.

    Sorry to not be more help.

    Update: Yet another grammatical fix.
      Hello Foxclub. I do agree with your explanations. I'm gonna find a way to test a similar idea and get the client/server messages to guess what happens. I understand it could be dangerous to publish such code here.
      Next time, maybe...
      -- cmic. Life helps. Perl Too.
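Tanalis's suggestion above, as an added example that is not part of the thread: a small Perl script that scans Apache combined-format access-log lines for requests to the wiki's edit path and groups them by client, so the request that produced a spam edit can be located and replayed against a test copy of the wiki while a fix is worked out. The log lines, the addresses and the `/index.pl` path layout are constructed assumptions, not taken from cmic's site.

```perl
# Added example (not from the thread): find the requests behind a spam edit
# in an Apache "combined" access log by grouping edit-related hits per client.
use strict;
use warnings;

# Constructed sample log lines; IPs, timestamps and paths are made up.
my @log = (
    '203.0.113.7 - - [28/Jul/2005:19:40:01 +0200] "GET /index.pl?action=edit&id=NewPage HTTP/1.0" 200 4123 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [28/Jul/2005:19:40:03 +0200] "POST /index.pl HTTP/1.0" 302 210 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [28/Jul/2005:19:40:05 +0200] "POST /index.pl HTTP/1.0" 302 210 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [28/Jul/2005:19:41:17 +0200] "GET /index.pl?action=browse&id=HomePage HTTP/1.1" 200 8820 "-" "Mozilla/5.0"',
);

# Parse one combined-format line into a hash of fields; returns an empty
# list for a line that does not match the format.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ m{^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"};
    return { ip => $1, time => $2, method => $3, path => $4, status => $5, agent => $6 };
}

# An edit-related request is a GET of the edit form or any POST to the wiki
# script (the form submission that actually changes the page text).
sub is_edit_request {
    my ($r) = @_;
    return 1 if $r->{method} eq 'POST' && $r->{path} =~ m{^/index\.pl};
    return 1 if $r->{path} =~ m{^/index\.pl\?.*\baction=edit\b};
    return 0;
}

# Collect edit-related requests per client IP, keeping time, method and path
# so a client with a burst of POSTs stands out for closer inspection.
sub edit_activity {
    my @lines = @_;
    my %by_ip;
    for my $line (@lines) {
        my $r = parse_line($line) or next;
        next unless is_edit_request($r);
        push @{ $by_ip{ $r->{ip} } }, "$r->{time} $r->{method} $r->{path}";
    }
    return \%by_ip;
}

my $activity = edit_activity(@log);
for my $ip (sort { @{ $activity->{$b} } <=> @{ $activity->{$a} } } keys %$activity) {
    printf "%-15s %d edit-related request(s)\n", $ip, scalar @{ $activity->{$ip} };
    print "  $_\n" for @{ $activity->{$ip} };
}
```

On a real server, feed the script the actual access log and compare the timestamps of the POSTs with the wiki's page-history timestamps for the spam edits; the matching POST is the one to reproduce, with the request body, against a test instance.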
Re: CGI textfield injection
by Your Mother (Archbishop) on Jul 29, 2005 at 00:38 UTC

    I'd consider helping you as I think hackable software is often only fixed by confrontation. As a show of good faith, would you tell us what's the URI of your Wiki?

      Hi YourMother
      OK, ok. But as a show of good faith, I won't show my (actually vulnerable) site address here, of course. If only I had your e-mail... Write me here (no obligation of course) and I'll tell you the whole stuff:
      cmic <at> caramail <dot> com

      -- cmic. Life helps. Perl Too.
