At 01:13 PM 4/16/01 -0400, Casey West wrote:
>On Mon, Apr 16, 2001 at 12:03:21PM -0600, Ray Calkins 100660207 wrote:
>: Hello All:
>:
>: I want to write a few CGI programs for my web site, but I've heard
>: there are some (unspecified) security issues with Perl and CGI. How
>: can I avoid leaving myself open?
>
>WRT Perl, you can eliminate most major problems with the use of '-T'.
>Make sure your CGIs start with these lines:
>
>#!/path/to/perl -wT
>use strict;
>
>If you can get your program to run clean under that environment, you
>should be OK for the most part.
This begs the question slightly, though. Casey's ulterior motive is that
in order for you to get your program to run clean under -T, you're going to
have to learn a lot more about security :-)
>: I have read http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec/ "CGI
>: Security: Tutorial", but it's a little over my head still.
>:
>: Any other recommendations?
>
>Don't forget to read perlfaq9.
And perlsec.
Books, books, books:
http://www.oreilly.com/catalog/cgi2/
http://www.awlonline.com/productpage?ISBN=0201710145
And if I may be permitted the hubris:
http://www.perldebugged.com
How much you have to learn about security depends upon how secure you need
your site to be. It's virtually impossible to totally secure anything, but
usually unnecessary; you balance the effort required against the likelihood
of an attack and the consequent loss. If you're putting out a mailing list
for Pokemon enthusiasts your risk profile is somewhat different from
advertising an international banking site to security tiger teams.
--
Peter Scott
Pacific Systems Design Technologies
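As an added illustration of the `-wT` / `use strict` advice above (this is not code from Casey's or Peter's posts, nor from the books linked), here is a small CGI that runs clean under taint mode. The form field name `user`, the `/usr/bin/finger` path and the accepted user-name pattern are assumptions chosen for the example; it relies on the CGI.pm module, which shipped with Perl at the time and is now on CPAN.

```perl
#!/usr/bin/perl -wT
# Added example (not from the original thread): a CGI that passes taint
# checks. Field name "user", the finger path and the whitelist pattern are
# assumptions made for illustration.
use strict;
use CGI;

# Under -T, system()/exec() die with "Insecure $ENV{PATH}" until the
# environment has been scrubbed, so do that before anything else.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q   = CGI->new;
my $raw = $q->param('user');    # tainted: it arrived from the client
$raw = '' unless defined $raw;

# The only way data loses its taint is by being captured in a regex.
# Make the pattern a whitelist of what you will accept, anchored at both
# ends; a blacklist of "bad" characters is exactly what -T is there to
# stop you from relying on.
my ($user) = $raw =~ /\A([a-z][a-z0-9_-]{0,31})\z/;

print $q->header('text/plain');

unless (defined $user) {
    print "invalid user name\n";
    exit 0;
}

# Had we written system("finger $raw") here, perl would die with
# "Insecure dependency in system while running with -T switch" because
# $raw is still tainted. Using the untainted capture in the list form of
# system() also keeps the shell out of the picture entirely, so metachars
# in the input could never have been interpreted even without -T.
my $rc = system('/usr/bin/finger', $user);
print $rc == 0 ? "ok\n" : "lookup failed\n";
```

Two practical notes: the `-T` has to be on the `#!` line (or passed explicitly on the command line); invoking the script as `perl script.cgi` without it produces "Too late for -T option". And taint mode does not make input safe by itself; it only refuses to let unchecked input reach `system`, `exec`, backticks, `open` for writing and the like, which is why the regex whitelist above is the part that actually deserves thought.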