If you're serious about security, you have some work to do;-) This application 
is very likely vulnerable to SQL injection and XSS injection.

1) for all CGI scripts, turn on taint and strict mode, and then sanitize your 
input. There are many ways to sanitize your input, but you might start with 
Untaint.pm.
See:
http://search.cpan.org/~kmeltz/Untaint-0.05/Untaint.pm

2) never build DB queries using string concatenation.  Use prepared statements 
and bind variables.  
See: 
http://www.owasp.org/index.php/Top_10_2007-A2 
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java

3) encode your HTML output.  This prevents XSS attacks. By default CGI.pm will 
handle this for you if you're using the form generating functions. You need to 
call escapeHTML yourself elsewhere.
See:
http://www.owasp.org/index.php/Top_10_2007-A1
http://search.cpan.org/~lds/CGI.pm-3.42/CGI.pm#AUTOESCAPING_HTML

4) consider turning off autocomplete (autocomplete="off") on at least the 
password form. This prevents the browser from saving this value. This is 
personal preference and will typically depend on the type of data being 
accessed.
See:
http://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_and_Pwd_Reset

5) do not assume that the maxlength attribute on a form field limits the size 
of input, it doesn't.

6) it is generally not advisable to return anything but a "login failed" 
message when the username/password is incorrect.  

I'm throwing the last one in there even though I don't see any sort of login 
actually occurring. Am I missing something?  Where are you validating the 
password?  What is the purpose of the strip_string function?  I see all sorts 
of problems with that function.  In general, once you start using prepared 
statements and bind variables in your SQL...you shouldn't have to monkey with 
the username/password strings.  Also, I would recommend using Firefox with the 
"web developer", "tamperdata", and "Live HTTP Headers" add-ons for all your 
development work.  It makes debugging these sorts of things much easier.  For 
example, you could quickly rule out a client-side HTML/Javascript issue.
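As an added example (not code from the original thread or from PekinSOFT), here is how logon.cgi might look after applying points 1, 2, 3 and 6 above. It assumes Perl 5.10+, the DSN and credentials from the posted script, and a users table with uname, salt and pword columns where pword holds sha256_hex(salt . password); adjust that part to however passwords are actually stored.

```perl
#!/usr/bin/perl -T
# Assumed rewrite of logon.cgi: taint mode, placeholders, escaped output,
# and a single generic failure message.
use strict;
use warnings;
use CGI;
use DBI;
use Digest::SHA qw(sha256_hex);

my $co  = CGI->new;
my $dbh = DBI->connect('DBI:mysql:bos_db:localhost', 'sean', '{MyPassword}',
                       { RaiseError => 1, PrintError => 0 });

# 1) With -T every CGI parameter is tainted. Untaint the username by capturing
#    only the characters a username may contain; anything else yields undef.
my ($uname) = ($co->param('uname') // '') =~ /\A([\w.\-]{1,32})\z/;
my $pwd_in  = $co->param('pwd') // '';

print $co->header,
      $co->start_html(-title => 'Benevolent Outreach Management System');

if (defined $uname && login_ok($dbh, $uname, $pwd_in)) {
    # 3) escapeHTML on anything echoed back, even a value we just validated.
    print $co->h3('Logon Successful'),
          $co->p('Welcome, ' . $co->escapeHTML($uname));
} else {
    # 6) Same message whether the user is unknown or the password is wrong.
    print $co->h3('Login failed');
}
print $co->end_html;
$dbh->disconnect;

sub login_ok {
    my ($dbh, $uname, $pwd) = @_;
    # 2) Placeholder plus bind value: the username is never interpolated into
    #    the SQL text, so quotes or comment sequences in it cannot alter it.
    my $sth = $dbh->prepare('SELECT salt, pword FROM users WHERE uname = ?');
    $sth->execute($uname);
    my ($salt, $stored) = $sth->fetchrow_array;
    $sth->finish;
    return 0 unless defined $stored;
    # Assumed storage scheme (not from the original post): pword is the hex
    # SHA-256 of salt . password. Never store or compare plaintext passwords.
    return sha256_hex($salt . $pwd) eq $stored ? 1 : 0;
}
```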

>>-----Original Message-----
>>From: PekinSOFT [mailto:[EMAIL PROTECTED]
>>Sent: Wednesday, December 10, 2008 1:08 AM
>>To: beginners-cgi@perl.org
>>Subject: Re: Creating a Logon Form
>>
>>Greg,
>>
>>Thank you for your prompt reply.  Here is the whole script for
>>accessing the database:
>>
>>------------  logon.cgi  ------------
>>#!/usr/bin/perl
>>
>>use CGI;
>>use DBI;
>>
>>my $co = new CGI;
>>my $dsn = 'DBI:mysql:bos_db:localhost';
>>my $db_user_name = 'sean';
>>my $db_password = '{MyPassword}';
>>my ($id, $password);
>>my $dbh = DBI->connect ($dsn, $db_user_name, $db_password);
>>my $tmp_passwd = $co->param('pwd');
>>my $passwd = strip_string($tmp_passwd);
>>
>># Create a variable to hold the result of our query and our query.
>>my $result = $dbh->prepare(qq{
>>        SELECT * FROM users
>>        WHERE uname=$co->param('uname')
>>        });
>>$result->execute();
>>
>>print
>>$co->header,
>>$co->start_html(-title=>'Benevolent Outreach Management System',
>>        -author=>'Sean Carrick and PekinSOFT Systems',
>>        -bgcolor=>'white', -text=>'black', -link=>'blue',
>>        -vlink=>'cyan', -alink=>'red'),
>>"Username Provided: ", $co->param('uname'), $co->br,
>>"Password Provided: ", $passwd, $co->br,
>>$co->h3('Logon Successful'),
>>$co->h5('Your User Information:');
>>my ($uname, $pword, $fname, $lname, $street, $apt, $city, $state,
>>    $zip, $cphone, $email, $org, $org_contact, $org_phone) = $result->fetchrow_array();
>>
>>print
>>        "<table width=\'100%\'>",
>>        "<tr><td>Username:</td>",
>>        "<td>$uname</td></tr>",
>>        "<tr><td>Name:</td>",
>>        "<td>$fname $lname</td></tr>",
>>        "<tr><td>Address:</td>",
>>        "<td>$street<br />$apt<br />",
>>        "$city, $state $zip</td></tr>",
>>        "<tr><td>Phone Number:</td>",
>>        "<td>$cphone</td></tr>",
>>        "<tr><td>Email Address:</td>",
>>        "<td>$email</td></tr>",
>>        "<tr><td>Organization</td>",
>>        "<td>$org</td></tr>",
>>        "<tr><td>Contact Person:</td>",
>>        "<td>$org_contact</td></tr>",
>>        "<tr><td>Phone Number:</td>",
>>        "<td>$org_phone</td></tr>",
>>        "</table>",
>>        $co->hr,
>>        "<p>Functionality will be coming in the very near future!</p>",
>>        $co->end_html;
>>
>>$result->finish();
>>$dbh->disconnect();
>>
>>sub strip_string
>>{
>>        my $ret = "";
>>        for (my $i = 0; $i < length($_[0]) - 9; $i++) {
>>              $ret .= substr(length($_[0]) - $i, 1);
>>              #print $ret;
>>      }
>>
>>      return $ret;
>>}
>>------------  logon.cgi  ------------
>>
>>The only edit to the above script is the password for my database.
>>
>>I know that the "/s/" construct does some cool things, but as I said
>>in my original post, the strings being passed from the password field
>>have an arbitrary 9 numbers appended to the end.  For the context of
>>the logon form, I'm including the web page with the form here:
>>
>>-----------  index.html  -----------
>><html>
>>        <head>
>>                <title>Benevolent Outreach Management System</title>
>>                <link rel='stylesheet' type='text/css' href='../styles/ps-style.css' />
>>        </head>
>>
>>        <body>
>>                <div id='centercontent'>
>>                      <h2>Benevolent Outreach Management System</h2>
>>                        <p>The Benevolent Outreach Management System
>>is a website and web application that churches and other agencies may
>>access to track
>>                           the use of benevolent outreaches in the
>>Pekin, Illinois area.  This site is designed to be as easy to use as
>>possible and
>>                           maintains a database of users and clients
>>of the benevolent outreaches that desire access to this system.</p>
>>                        <hr />
>>                        <p>To begin using the Benevolent Outreach
>>Management System, you may logon by clicking the &quot;Logon&quot;
>>link in the right-hand
>>                           pane.  If you do not yet have a user
>>account, you may start the registration process (which takes 2-3
>>business days to complete)
>>                           by clicking on the &quot;Register&quot;
>>link in the right-hand pane.</p>
>>                </div>
>>
>>                <div id='rightcontent'>
>>                        <p><a href='../cgi-bin/boms.cgi'>Register</a></p>
>>                        <h4>Logon</h4>
>>                        <form method='POST' action='../cgi-bin/logon.cgi'>
>>                                Username:<br />
>>                                <input type='textfield' name='uname' /><br />
>>                                Password:<br />
>>                                <input type='password' name='pwd' maxlength='11' value='' /><br />
>>                                <input type='submit' name='submit' value='Logon' />
>>                                <input type='reset' name='reset' value='Reset' />
>>                        </form>
>>                </div>
>>        </body>
>></html>
>>-----------  index.html  -----------
>>
>>I appreciate any insights that you may have for me.
>>
>>Cheers,
>>
>>Sean C.
>>PekinSOFT Systems
>>
>>On Dec 9, 8:00 pm, [EMAIL PROTECTED] (Greg Jetter) wrote:
>>> On Tuesday 09 December 2008 8:47:06 am [EMAIL PROTECTED] wrote:
>>>
>>>
>>>
>>> > Hey All,
>>>
>>> > I'm new to doing CGI with Perl and so am a little lost here.
>>>
>>> > I'm working on a web-accessible database system for a (rather large)
>>> > group of area churches and went through the rigmarole of assessing
>>> > various programming and scripting languages to see which is the best
>>> > tool for the job and I landed on Perl::CGI.
>>>
>>> > I started working on this project and have created scripts that
>>> > generate a registration page that emails the registration information
>>> > to me for processing.  This is intentional, by the way, as I don't
>>> > want it to be a self-register site for certain security reasons.
>>> > These scripts work fine, so I started working on a logon form to allow
>>> > users who are already registered to logon.  So, on my main page, I
>>> > have a right-hand pane that looks similar to this (in the HTML code):
>>>
>>> > <div id='rightcontent'>
>>> >      <p><a href='http://myserver.domain.org/cgi-bin/boms.cgi'>Register</a></p>
>>> >      <br />
>>> >      <h3>Logon</h3>
>>> >      <form method='POST' action='http://myserver.domain.org/cgi-bin/logon.cgi'>
>>> >           Username:<br />
>>> >           <input type='textfield' name='uname' /><br />
>>> >           Password:<br />
>>> >           <input type='password' name='pwd' /><br />
>>> >           <input type='submit' name='logon' value='Logon' />
>>> >      </form>
>>> > </div>
>>> > ...etc...
>>>
>>> > This form displays pretty well, though I need to work on the width of
>>> > the fields, but that's not my issue.  My issue is when I fill in the
>>> > data in the fields and submit it to my "logon.cgi" script, the
>>> > password value gets an arbitrary string of numbers attached to the end
>>> > and I am not having any luck figuring out where those numbers come
>>> > from, nor how to get rid of them back to the clear text of the
>>> > password.  For example:
>>>
>>> > I enter the string 'hiyall2008' in the password field and get the
>>> > following values in my logon script...
>>> >      Click 1:  hiyall2008153639492
>>> >      Click 2:  hiyall2008135813700
>>> >      Click 3:  hiyall2008152312388
>>> >      et cetera...
>>>
>>> > As you can see, there is a different arbitrary string of numbers at
>>> > the end of the clear text of the password entered.  If it was the same
>>> > each time the password was entered, I would just make it a part of the
>>> > password and encrypt the whole thing into my database.  However, each
>>> > time it is different.  It appears to be only 9 numbers each time, so I
>>> > decided to try and strip those 9 numbers off the password with the
>>> > 'substr()' method.  So, I created the following sub procedure to do
>>> > that:
>>>
>>> > sub strip_string
>>> > {
>>> >         my $ret = "";
>>> >         for (my $i = 0; $i < length($_[0]) - 9; $i++) {
>>> >            $ret .= substr(length($_[0]) - $i, 1);
>>> >            #print $ret;
>>> >    }
>>>
>>> >    return $ret;
>>> > }
>>>
>>> > Now, when I use this method to "strip" the arbitrary numbers from the
>>> > end of the entered password, I get the following:
>>>
>>> > I enter the same password as before, "hiyall2008", and get the
>>> > following:
>>> >      Click 1:  0134588996
>>> >      Click 2:  0157203012
>>> >      Click 3:  0138639940
>>>
>>> > Now, not only do I have arbitrary strings of numbers, I have 10
>>> > numbers instead of 9!  I know that it is something that I'm not doing
>>> > correctly, but I cannot figure out what I'm doing wrong.
>>>
>>> > I've read through my Perl books, searched Google with numerous
>>> > different queries and read through a bunch of different references
>>> > online.  However, none of them mention this issue with the password
>>> > field in a web form when accessed from Perl::CGI.  I am at a complete
>>> > loss as to where to go from here.  According to my "Perl Core
>>> > Language, Little Black Book", if I pass a negative number to the substr()
>>> > function's LEN parameter, substr() will remove that many characters
>>> > from the end of the string.  Every other reference to the substr()
>>> > function, of course, says the same thing.  However, when I've
>>> > attempted that, I only got back the characters that I was wanting
>>> > omitted.  Frustration just keeps building!
>>>
>>> > Anyway, any help that y'all can give is greatly appreciated.
>>> > Especially, please, links to better examples of tweaking a string with
>>> > the substr() function.  The ones in my "Little Black Book" are pretty
>>> > lame, and I was unable to find much better online.  Again, any help is
>>> > greatly appreciated.  I look forward to your responses.
>>>
>>> > Cheers,
>>>
>>> > Sean C.
>>> > PekinSOFT Systems
>>>
>>> you need to post the whole script so we can see the context of the problem.
>>> like how you're retrieving the passed params and so forth.
>>>
>>> you could also try using regexp "s" operator to clean up the passed string.
>>> you could also try and isolate the problem by using plain text instead of an
>>> input field of password and see if the string is appended with the same
>>> sort of junk numbers.
>>>
>>> good luck
>>>
>>> Greg
>>
>>
>>--
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>>http://learn.perl.org/
>>


