Re: perl cgi security

2002-11-01 Thread zentara 
On Thu, 31 Oct 2002 15:56:59 -0500, [EMAIL PROTECTED] (Todd W) wrote:

Jim Lundeen [EMAIL PROTECTED] wrote in message
news:3DBDA799.307DC69A;jimmyjames.net...
 nothing that will work on Linux box?

perlcc works... see below.

Yeah, I have to say that the perlcc which comes with perl5.8.0
is improved over the older versions, and will compile alot of
scripts which used to fail.  For simple scripts, with no modules,
I'm getting executables in the 60k size range, that's pretty good.
If I include CGI.pm, the size jumps to 1.7 meg ; but at least it still
compiles and runs. :-)

The general consensus used to be that perlcc was too finicky;
but 5.8.0's version is improved.


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: perl cgi security

2002-10-31 Thread Todd W 

Jim Lundeen [EMAIL PROTECTED] wrote in message
news:3DBDA799.307DC69A;jimmyjames.net...
 nothing that will work on Linux box?

perlcc works... see below.

 Admin-Stress wrote:

  Nice, but that will produce .exe, executable file for Windows :(
 
  --- David Simcik [EMAIL PROTECTED] wrote:
   See perl2exe.exe for details on converting scripts into executables.
  

[trwww@devel_rh public_html]$ cat index.cgi
#!/usr/bin/perl -w

use strict;
use CGI qw/:standard/;

print header();
print start_html();

print h1('Hello Dynamic CGI Linux');
print div('Hello Dynamic CGI Linux!!!');
print div('I am:', `id -un`);

print end_html();[trwww@devel_rh public_html]$ perlcc -o index.plx index.cgi
[trwww@devel_rh public_html]$ ls -l
total 1704
snip /
-rwx--1 trwwwtrwww 219 Apr 14  2002 index.cgi
-rwxrwxr-x1 trwwwtrwww 1707157 Oct 31 15:48 index.plx
snip /
[trwww@devel_rh public_html]$ ./index.plx
Content-Type: text/html; charset=ISO-8859-1

?xml version=1.0 encoding=utf-8?
!DOCTYPE html
PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
SYSTEM http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
html xmlns=http://www.w3.org/1999/xhtml; lang=en-US
  head
titleUntitled Document/title
  /head
  body
h1Hello Dynamic CGI Linux/h1
divHello Dynamic CGI Linux!!!/div
divI am: trwww/div
  /body
/html

HTH

Todd W.



-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: perl cgi security

2002-10-28 Thread fliptop 
On Sun, 27 Oct 2002 at 14:10, Admin-Stress opined:

A:Is it possible to VIEW the source code of a perl cgi from a website?

sure, if your httpd server is improperly configured.

A:For example, I wrote a perl cgi like this
A:http://www.myweb.com/cgi-bin/addcustomer.pl
A:
A:The purpose of that script is to add new customer into my MySQL database.
A:
A:So, is it possible that some one can download that script? Like using
A:'web site downloader' or 'dump' or any other method?
A:
A:If yes (possible), is there any way to prevent this? or to hide the cgi
A:source code?

perldoc -q 'hide the source'


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: perl cgi security

2002-10-28 Thread zentara 
On Sun, 27 Oct 2002 14:10:58 -0800 (PST), [EMAIL PROTECTED]
(Admin-Stress) wrote:

I am new to perl cgi. I would like to ask (maybe a silly question) :
Is it possible to VIEW the source code of a perl cgi from a website?
For example, I wrote a perl cgi like this http://www.myweb.com/cgi-bin/addcustomer.pl
The purpose of that script is to add new customer into my MySQL database.
So, is it possible that some one can download that script? Like using 'web site 
downloader' or
'dump' or any other method?
If yes (possible), is there any way to prevent this? or to hide the cgi source code?

You are probably safe from internet users getting your script.

If  your webserver is misconfigured you can view cgi files when you try
to execute them, otherwise you are safe from people viewing them.
Some webservers that are misconfigured, may treat a .pl file as a text
file, and just display it. Try to do it yourself, enter
http://www.myweb.com/cgi-bin/index.html  and see what happens.
If you get a list of files, there is a problem with your server.

The real problem comes from other users on the server you share.
Since your cgi is probably mode 755, that means other users might
be able to ssh in to the server, and look thru the files in your /home
dir.  You can test how the system you are using is setup by ssh'ing
in, then changing dir up to where you can see all the other user's
homedirs. Then see if you can read their files. You can probably bet
money that the government has already looked thru your files.

Most ISP's have a warning that doing this may result in you
getting kicked off their server.

If you need security, then it is best that you run your own server,
thru co-location. That way you are the only user, but then you
still have the problem of the night-watchman poking around
in your server. Maybe have 24-hour camera surveillance on the server?

It gets complicated in a hurry, when you start talking about REAL
security.








-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: perl cgi security

2002-10-28 Thread Jim Lundeen 
Isn't there a method of actually making an executable (compiled) out of a perl
script?  I heard/saw about is a year or so ago, but never investigated it.  I'd
be interested in finding out more if anyone has info.   Thanks

fliptop wrote:

 On Sun, 27 Oct 2002 at 14:10, Admin-Stress opined:

 A:Is it possible to VIEW the source code of a perl cgi from a website?

 sure, if your httpd server is improperly configured.

 A:For example, I wrote a perl cgi like this
 A:http://www.myweb.com/cgi-bin/addcustomer.pl
 A:
 A:The purpose of that script is to add new customer into my MySQL database.
 A:
 A:So, is it possible that some one can download that script? Like using
 A:'web site downloader' or 'dump' or any other method?
 A:
 A:If yes (possible), is there any way to prevent this? or to hide the cgi
 A:source code?

 perldoc -q 'hide the source'

 --
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]



-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: perl cgi security

2002-10-28 Thread David Simcik 
See perl2exe.exe for details on converting scripts into executables.

-D

-Original Message-
From: Jim Lundeen [mailto:jim;jimmyjames.net]
Sent: Monday, October 28, 2002 12:48 PM
To: fliptop
Cc: Admin-Stress; [EMAIL PROTECTED]
Subject: Re: perl cgi security


Isn't there a method of actually making an executable (compiled) out of a
perl
script?  I heard/saw about is a year or so ago, but never investigated it.
I'd
be interested in finding out more if anyone has info.   Thanks

fliptop wrote:

 On Sun, 27 Oct 2002 at 14:10, Admin-Stress opined:

 A:Is it possible to VIEW the source code of a perl cgi from a website?

 sure, if your httpd server is improperly configured.

 A:For example, I wrote a perl cgi like this
 A:http://www.myweb.com/cgi-bin/addcustomer.pl
 A:
 A:The purpose of that script is to add new customer into my MySQL
database.
 A:
 A:So, is it possible that some one can download that script? Like using
 A:'web site downloader' or 'dump' or any other method?
 A:
 A:If yes (possible), is there any way to prevent this? or to hide the cgi
 A:source code?

 perldoc -q 'hide the source'

 --
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]



--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: perl cgi security

2002-10-28 Thread Admin-Stress 
Nice, but that will produce .exe, executable file for Windows :(

--- David Simcik [EMAIL PROTECTED] wrote:
 See perl2exe.exe for details on converting scripts into executables.
 
 -D


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: perl cgi security

2002-10-28 Thread Jim Lundeen 
nothing that will work on Linux box?

Admin-Stress wrote:

 Nice, but that will produce .exe, executable file for Windows :(

 --- David Simcik [EMAIL PROTECTED] wrote:
  See perl2exe.exe for details on converting scripts into executables.
 
  -D

 __
 Do you Yahoo!?
 Y! Web Hosting - Let the expert host your web site
 http://webhosting.yahoo.com/

 --
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]



-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: perl cgi security

2002-10-28 Thread Abel Lucano 
On Mon, 28 Oct 2002, Jim Lundeen wrote:

 nothing that will work on Linux box?

 Admin-Stress wrote:

  Nice, but that will produce .exe, executable file for Windows :(
 
  --- David Simcik [EMAIL PROTECTED] wrote:
   See perl2exe.exe for details on converting scripts into executables.
  

Hi, Jim
yes, in a Linux box you can type:

chmod +x scriptname

it works, you have an executable..

just kidding :)

I  understand instead that you want 'hide' your script Perl code
Humm...even Perl masters bring you their best written scripts.

In relationship with perl2exe.exe, search this list-digest by January
2002, read Randal Schwartz's advice on this topic.

regards,


Abel Lucano
DECODE SA
Av Independencia 1355 - Buenos Aires
TE/FAX +5411 4383 1161
[EMAIL PROTECTED]




-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: perl cgi security

2002-10-28 Thread Nikola Janceski 
If you don't want them to comprehend your code, be sure to add lots of code
that will never get run and remove all comments and any whitespace that
really isn't needed, and through in a poem or two and u will have code that
know won wood wont 2 reed n it will look kinda like this reply.

 -Original Message-
 From: Abel Lucano [mailto:abel;decode.com.ar]
 Sent: Monday, October 28, 2002 4:35 PM
 To: Jim Lundeen
 Cc: Admin-Stress; [EMAIL PROTECTED]
 Subject: Re: perl cgi security
 
 I  understand instead that you want 'hide' your script Perl code
 Humm...even Perl masters bring you their best written scripts.



The views and opinions expressed in this email message are the sender's
own, and do not necessarily represent the views and opinions of Summit
Systems Inc.


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

perl cgi security

2002-10-27 Thread Admin-Stress 
Hi,

I am new to perl cgi. I would like to ask (maybe a silly question) :

Is it possible to VIEW the source code of a perl cgi from a website?

For example, I wrote a perl cgi like this http://www.myweb.com/cgi-bin/addcustomer.pl

The purpose of that script is to add new customer into my MySQL database.

So, is it possible that some one can download that script? Like using 'web site 
downloader' or
'dump' or any other method?

If yes (possible), is there any way to prevent this? or to hide the cgi source code?

Thanks,
kapot


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]