
Hacking of CGI scripts

Quote Reply
Hacking of CGI scripts
Hello friends
First of all - I am not very strong in CGI, but I was
just wondering about CGI security !!!!!!!!
In many commercial and/or open source scripts I have remarked the notice:
"Do not remove the above copyright or notice"
Meaning: The header of the script with the Author's name.

Some of these CGI scripts have a variable that can be changed to contain the "Administrator's Password"

My question is: Can someone download or read the source of CGI scripts that are contained in my CGI-bin folder ?????

If Yes - Then they can steal the "Administrator's Password"
If No - then what is the use of the above mentioned Author's Header in the scripts - It only makes them bigger in KB.

Only wondering about this topic ?????

Regards,
Sanuk

Quote Reply
Re: Hacking of CGI scripts In reply to
No, you can't view the source.
No, you can't view the password - if that was possible then about 10,000+ Links2 users would be in trouble ;)

The copyright notice is just that, a copyright notice. Sometimes it is in a README and sometimes in the script. It is to remind you of the terms and conditions in order for you to use the script.

Paul
Installations:http://wiredon.net/gt/
Support: http://wiredon.net/forum/

Quote Reply
Re: Hacking of CGI scripts In reply to
One way that people could possibly get the password is if you change the variable to a parameter.

Example:

Code:

$passwd = "something";
# ----> changed to either of:
$passwd = $in->param('passwd');
# OR
$passwd = $FORM{'passwd'};


The latter two examples could be passed via the query string.

The more secure method of securing password info within a .cfg or .cgi file is to "localize" the variable.

Example:

Code:

local ($passwd);
$passwd = "something";


OR

Code:

my ($passwd);
$passwd = "something";


OR

Code:

my $passwd = "something";


But, of course, the best and more secure method of password protecting your scripts is to use .htaccess/.htpasswd since passwords are stored as encrypted text. So, if someone was able to download and get your .htpasswd, they would have a difficult time hacking into your password protected directory.

Regards,

Eliot Lee
Quote Reply
Re: Hacking of CGI scripts In reply to
Thank you for the reply

I have a free commercial script where the Admin Password is not encrypted.
I am not powerful enough in CGI to change this script to one with an encrypted password.
It is a Banner rotator and the Password is stored as follows:
$adminpass = "mypassword";
So on your suggestion I will change this to:
A/ local ($adminpass); $adminpass = "mypassword";
or
B/ my ($adminpass); $adminpass = "mypassword";
What is the Best ??? solution A/ or B/ ?????

By the way, Mr. Eliot Lee
Do you still not have a solution for the Grep Line Search
problem that I have posted here:

http://gossamer-threads.com/perl/forum/showflat.pl?Cat=&Board=L2Cust&Number=141744&page=0&view=collapsed&sb=5

I really would like to use a search line by line instead of by field.
And this topic never found a solution on the whole board.
Please search with keywords " State City "
You will see many topics but No Solution for line Search
Thank You and Regards,
Sanuk

Quote Reply
Re: Hacking of CGI scripts In reply to
Thank You for replying Paul Wilson
Your answer makes me feel a little safer.
I am using 1 or 2 free commercial scripts where the admin password is in the beginning of the script as:
$adminpass = "mypassword";
I will change them as Eliot Lee suggested
and then hope that no one can download from the CGI-BIN
Thanks for your time and reply.
Regards,
Sanuk

Quote Reply
Re: Hacking of CGI scripts In reply to
Whilst we're on the subject of security in cgi scripts, it never ceases to amaze me that even the best programs don't have protection against offsite execution of cgi programs.
I always add this snippet of code to the top of scripts before installing them on my server:


Code:
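# Sites allowed to call this script (replace with your own).
@okaydomains=("http://yoursite.com","http://www.yoursite.com");
$DOMAIN_OK=0;
# The Referer may be absent; treat that as no match.
$RF=lc($ENV{'HTTP_REFERER'} || '');
foreach $ts (@okaydomains)
{
    # Match the allowed site literally at the start of the Referer,
    # followed by "/" or the end of the string.
    if ($RF =~ /^\Q$ts\E(?:\/|$)/) { $DOMAIN_OK=1; }
}
if ( $DOMAIN_OK == 0)
{ print "Content-type: text/html\n\n Sorry, remote use disallowed.";
exit;
}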

This prevents others using the script remotely and thus potentially interfering with the execution of the script. Perhaps you will find this a useful addition in your quest for security.

Eraser:
Insight Eye
http://www.insighteye.com/
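
A Referer allowlist like the one in the post above only holds if the match is anchored and the site name is taken literally; the Referer header is also supplied by the client, so the check limits casual off-site use rather than authenticating anyone. The following is an added example, not part of the original post; `loose_ok`, `strict_ok` and the sample Referer values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowed origins, as in the post (placeholders for your own site).
my @okay = ('http://yoursite.com', 'http://www.yoursite.com');

# Substring match: the allowed string may appear anywhere in the Referer,
# and "." in the pattern matches any character.
sub loose_ok {
    my ($referer) = @_;
    $referer = lc($referer // '');
    for my $origin (@okay) {
        return 1 if $referer =~ /$origin/;
    }
    return 0;
}

# Anchored match: the Referer must start with the origin, taken literally
# (\Q..\E), and the origin must be followed by "/" or the end of the string.
sub strict_ok {
    my ($referer) = @_;
    $referer = lc($referer // '');
    for my $origin (@okay) {
        return 1 if $referer =~ m{^\Q$origin\E(?:/|$)};
    }
    return 0;
}

# Constructed Referer values for illustration.
my @samples = (
    'http://www.yoursite.com/search.html',                 # own page
    'http://yoursite.com',                                 # own site, no path
    'http://yoursite.com.other.example/form.html',         # allowed name as a prefix
    'http://other.example/page?from=http://yoursite.com',  # allowed name in the query
    'http://yoursiteXcom/',                                # "." matched as a wildcard
    '',                                                    # no Referer sent
);

printf "%-55s loose=%d strict=%d\n", "'$_'", loose_ok($_), strict_ok($_)
    for @samples;
```

Only the first two samples pass `strict_ok`; the substring form also accepts the third, fourth and fifth.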
Quote Reply
Re: Hacking of CGI scripts In reply to
As Eliot said - if the password is localized then you don't need to encrypt it or anything like that.

If you do want to encrypt your password the easiest way is to use crypt:

$password = "PASSWORD";
$encrypted = crypt($password, "salt");

Paul
Installations:http://wiredon.net/gt/
Support: http://wiredon.net/forum/
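
How a script can keep only the `crypt` output and still check a typed password, for the `$adminpass` case discussed in this thread. This is an added example, not part of the original posts; `make_hash`, `check_password` and `$adminpass_hash` are hypothetical names and the password is the thread's own sample value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters allowed in a traditional crypt() salt.
my @salt_chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Run once, offline, to produce the value that gets pasted into the script.
sub make_hash {
    my ($plain) = @_;
    my $salt = join '', map { $salt_chars[rand @salt_chars] } 1 .. 2;
    return crypt($plain, $salt);
}

# crypt() reads the salt back from the stored hash, so repeating the call
# reproduces the stored value only when the typed password is right.
sub check_password {
    my ($typed, $stored) = @_;
    return 0 unless defined $typed && defined $stored && length $stored;
    my $candidate = crypt($typed, $stored);
    return (defined $candidate && $candidate eq $stored) ? 1 : 0;
}

# Constructed sample: the script would hold only $adminpass_hash,
# never the plain-text password.
my $adminpass_hash = make_hash('mypassword');

print "stored in script: $adminpass_hash\n";
print "correct password: ", check_password('mypassword', $adminpass_hash), "\n";
print "wrong password:   ", check_password('guess',      $adminpass_hash), "\n";
```

With a two-character salt `crypt` uses the traditional DES scheme, which considers only the first eight characters of the password; which other schemes are available depends on the platform's C library.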

Quote Reply
Re: Hacking of CGI scripts In reply to
Thanks for the reply Eraser

So if I put your script snippet inside search.cgi
then only possible to search from my site ???
Right or not ?????

Then why not adapt script that if cgi used by other site,
instead of giving text "Sorry, remote use disallowed"
automatic loading of the Index-page of your site
Meaning : http://yoursite.com/index.html
This possible or not ???

Thanks and Regards,
Sanuk




Quote Reply
Re: Hacking of CGI scripts In reply to
Hi,

Yes, that's the general idea; however, I don't use it in GT products but only in scripts that could benefit a remote user directly, like a print page script I use that requires a domain name as its input.

To do a redirect to your domain, you can use:

print "Location: http://www.yoursite.com/\n\n";

in place of: print "Content-type: text/html\n\n Sorry, remote use disallowed.";


Eraser:
Insight Eye
http://www.insighteye.com/
Quote Reply
Re: Hacking of CGI scripts In reply to
Hi and thanks for the answer Eraser

I will try to add this to search.cgi
as this is a script that can take a lot of cpu-power
and others could use it
I will keep You informed if it works

By the way is there Any Luck You can help me with my other problem concerning search.cgi:
Its posted here:
http://www.gossamer-threads.com/perl/forum/showflat.pl?Cat=&Board=L2Cust&Number=141744&page=0&view=collapsed&sb=5

Regards,
Sanuk

Quote Reply
Re: Hacking of CGI scripts In reply to
One other thing that would be worth mentioning is permissions and locations. Most scripts use very lazy permissions and include the password file in the same directory as the scripts. BAD monkey.

If a script you use has a password or config file, make sure you put it outside your web root. i.e., if your web pages are in /home/user/yourname/website put your config files and password files in /home/user/yourname/secure . This keeps them from being viewed from the web.

The next step is keeping people on the same server as you from sniffing around in your stuff. Try to avoid marking anything 777. Almost nothing actually needs 777 if the script is set up right. Because most scripts are installed by the user of the directory, they run as that user with the permissions of that user. So why give a directory world read, write, execute? Many hosting services are doing away with 777. It's the #1 reason most scripts get hacked. A long time ago my site got hacked for these 2 things combined. It's a good idea to name config files oddly as well. Like my_config_file.cfg.cgi .. So it can't be viewed as plain text. I always chmod my directories 775 instead of 777. Do some reading on permissions. I'm still trying to refine my permissions so I give as little permission as possible.

Unlike the real world where keeping the combination of your safe in a safe, in unix it's not a good idea ;) Never put your eggs in one basket!



-----------
Crowe (crowe@lit.org)
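
A way to check an existing install for the two problems described in the post above, world-writable entries and config or password files kept under the web root. This is an added example, not part of the original post; `audit_tree`, the file-name pattern and the sample tree are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find;
use File::Temp qw(tempdir);

# Walk a tree and collect (1) entries any local user can write to and
# (2) files under the web root whose names look like config/password files.
sub audit_tree {
    my ($root) = @_;
    my (@world_writable, @secrets);
    find({ no_chdir => 1, wanted => sub {
        my @st = lstat($File::Find::name) or return;
        return if -l _;                       # skip symlinks
        my $perm = $st[2] & 07777;            # permission bits only
        push @world_writable, sprintf('%04o %s', $perm, $File::Find::name)
            if $perm & 0002;                  # "other" write bit set
        # Assumed naming pattern; adjust to the scripts you actually run.
        push @secrets, $File::Find::name
            if -f _ && $File::Find::name =~ /\.(?:cfg|conf|htpasswd)$/i;
    } }, $root);
    return (\@world_writable, \@secrets);
}

# Constructed sample tree standing in for a web root.
my $webroot = tempdir(CLEANUP => 1);
mkdir "$webroot/cgi-bin" or die "mkdir: $!";
mkdir "$webroot/data"    or die "mkdir: $!";
for my $f ('cgi-bin/search.cgi', 'cgi-bin/config.cfg', 'data/links.db') {
    open my $fh, '>', "$webroot/$f" or die "open $f: $!";
    close $fh;
}
chmod 0755, "$webroot/cgi-bin", "$webroot/cgi-bin/search.cgi";
chmod 0644, "$webroot/cgi-bin/config.cfg";
chmod 0777, "$webroot/data";
chmod 0666, "$webroot/data/links.db";

my ($ww, $secrets) = audit_tree($webroot);
print "world-writable:        $_\n" for @$ww;
print "secret under web root: $_\n" for @$secrets;
```

On the sample tree it reports `data` (0777) and `data/links.db` (0666) as world-writable and `cgi-bin/config.cfg` as a config file inside the web root; a directory set to 775 is not flagged.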