[sorry, lost the original]
> >I have been doing final security checks before bringing a website live --
> >making sure that users can't manually enter post data to see things they
> >shouldn't. My employer is naturally curious about any security issues that
> >tend to aflict embperl/mod_perl/cgi. While we have followed common sense
> >procedures as far as trusting user data, it would be nice if there was an
> >article that discussed security holes so we could make sure we haven't
> >missed anything. Are there any resources that you have found particularly
> >helpful?

turn "PerlTaintCheck On".  that should catch most silly mistakes (like
backticked commands).

also set EMBPERL_ESCMODE to 7 (default is 3) to disable backslash
escaping of html tags. explicitly set it back to 3 anywhere you
actually want that. (imo, 7 should be the default anyway)

set resource limits on your apache processes, to stop (or at least
slow) loops, etc.

you might also want to look at the "Safe" stuff (EMBPERL_COMPARTMENT,
optSafeNamespace, etc).


(and the usual sort of things with file and database
owners/permissions, etc)

-- 
 - Gus
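Added example, not Gus's code or anything from the thread: what "PerlTaintCheck On" enforces, runnable outside Apache as `perl -T taint_demo.pl some/dir`. The allow-list pattern in untaint_path is an assumed policy, not an Embperl or mod_perl default.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): the checks that
# PerlTaintCheck On turns on for every mod_perl handler.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also insists on a clean environment before running commands.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Anything that arrives from outside the program (%ENV, @ARGV, STDIN,
# request parameters under mod_perl) is tainted from the start.
my $dir = shift(@ARGV) // $ENV{HOME} // '.';
printf "input '%s' tainted: %s\n", $dir, tainted($dir) ? 'yes' : 'no';

# Backticks fed tainted data die with "Insecure dependency in `` while
# running with -T switch"; this is the "silly mistake" taint mode catches.
my $listing = eval { `ls $dir` };
print "backtick refused: $@" if $@;

# The only sanctioned way to clear the flag is a regex capture, so the
# allow-list pattern is where the real validation happens. Hypothetical
# policy: plain path characters only, no shell metacharacters.
sub untaint_path {
    my ($raw) = @_;
    return $raw =~ m{\A([A-Za-z0-9_][A-Za-z0-9_./-]*)\z} ? $1 : undef;
}

my $safe = untaint_path($dir);
die "rejected: '$dir' is not an acceptable path\n" unless defined $safe;
printf "validated '%s' tainted: %s\n", $safe, tainted($safe) ? 'yes' : 'no';

# Prefer Perl built-ins (or the list form of system) over interpolating
# into a shell at all; taint mode only flags origin, not intent.
opendir(my $dh, $safe) or die "cannot open $safe: $!\n";
my @entries = grep { !/^\./ } readdir $dh;
closedir $dh;
print "$_\n" for sort @entries;
```

Passing a value such as `'.; id'` on the command line shows the backtick line being refused and the validation step rejecting the input, while a plain directory name passes both.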
