
posted data security


jeffman


Do we have a security forum? I didn't spot one. Sorry if we do.

Since my current project involves a lot of writing to the server, I have been reading up on security. There's a lot to learn.

In Perl, you can switch a script to "taint mode" and it keeps track of all data supplied by your client through POST and GET. Some operations are disallowed with this data until you've untainted it. A big one is creating a file or directory with a name derived from user data. You have to filter it through a regex first, and then Perl assumes you know what you're doing. It doesn't seem to care about data that gets written to a file.

So I'm wondering: if I create a file of type .txt and I'm in control of my directory tree, but my user maliciously tells me to fill the file with nasty code, is there any way the code can be run remotely on my server? (I would have no mechanism for installing the file as a macro or something similar.)


The easy answer to this is yes, it's always hypothetically possible, unless you unplug the network cable :).

More thought into the matter and you start to want more information on where this text file is, what platform/software the server is running and how your website is written. Generally I would have thought that provided you kept user input files below the document root, so that you can control how they can be accessed remotely, then that's adequate security.


If the file is created as a text file, and all precautions are taken for it never to be executed by an interpreter, it can't possibly be executed by the server. By "all precautions ... to be executed by an interpreter" I mean that you must ensure users are unable to rename the file to what would be executable, and they must be unable to execute a command on the server (with SSH for example) that would execute the .txt despite its extension.

As for having a security forum, whatever you think may be the cause for a security issue, the topic is for there. If you're talking about executing arbitrary Perl code, the Perl forum is the place to post, etc. If any executable in general, the general forum.


they must be unable to execute a command on the server (with SSH for example) that would execute the .txt despite its extension.
Heck, even I don't have an SSH connection to my server. Don't really want one. But a cracker who had that level of access could read and destroy all my data anyway, yes? I think that's the point at which I just have to trust my ISP.

But a cracker who had that level of access could read and destroy all my data anyway, yes?
In almost all scenarios, yes. There's one possibility where a cracker may be able to execute an arbitrary file without being able to execute any other command, but it's a VERY (and I mean truly VERY) unlikely scenario: if your script has full access to all of your data (which it probably has already), and can execute arbitrary shell commands with these rights, and you allow users to execute a command with those permissions by a script, running an interpreter on success after validating that data, a cracker may be able to overcome that validation somehow, and execute his/her own file with that interpreter, deleting everything you have access to, hence permissions of the interpreter will be inherited from the shell, and thus from the script.
I think that's the point at which I just have to trust my ISP.
Yep.

Perlsec suggests a command like this: delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; to eliminate other shells from the environment, so I'm hoping that would take care of part of that.

I certainly don't let users execute shell commands on purpose. I allow file paths and names to come through, but they go straight to a regex filter that ensures safe characters. Other than data to be saved in a file, everything else that comes in is a one-word command, like "clone" or "rename"; taint mode doesn't require it, but I probably should use a regex to make sure each of those really is limited to exactly one word with only alpha characters. Something like /^([a-z]+)$/ . I don't see how a command or sys call could fit through that.
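A taint-mode sketch of the approach described in this post, added here as an example and not code from the thread; the storage directory /var/app/userfiles, the "save" command and the request values are assumptions made up for the demo:

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Spec;

# perlsec: drop env vars that alter a spawned shell, and pin PATH (taint mode
# requires a trusted PATH before any external command may run).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# Hypothetical storage root, kept outside the document root so the web server
# never serves or interprets anything written there, whatever its contents.
my $STORE = '/var/app/userfiles';

# Exactly one lowercase word, the thread's /^([a-z]+)$/ check. The capture is
# what untaints the value; anything else is rejected outright.
sub untaint_command {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /^([a-z]+)$/;
    return $1;
}

# A bare base name with a fixed .txt suffix: no slashes, no other dots. This
# rejects "../" traversal and any interpreter-handled extension in one step.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /^([A-Za-z0-9_-]{1,64})\.txt$/;
    return "$1.txt";
}

# Only the name decides where the write lands. The content may stay tainted:
# taint mode lets tainted data be written to a file, but not name one.
sub save_text {
    my ($name, $content) = @_;
    my $safe = untaint_filename($name) or die "rejected filename\n";
    my $path = File::Spec->catfile($STORE, $safe);
    open my $fh, '>', $path or die "open $path: $!\n";
    print {$fh} $content;
    close $fh or die "close $path: $!\n";
    return $path;
}

# Fixed dispatch table: a well-formed word that is not a known command does nothing.
my %dispatch = (save => \&save_text);

# Constructed request values standing in for CGI parameters: one good, two bad.
for my $req (['save', 'notes.txt', "hello\n"], ['rm -rf', 'x.txt', ''], ['save', '../evil.pl', '']) {
    my $cmd = untaint_command($req->[0]);
    if (defined $cmd && exists $dispatch{$cmd}) {
        my $path = eval { $dispatch{$cmd}->(@$req[1, 2]) };
        print defined $path ? "wrote $path\n" : "rejected: $@";
    } else {
        print "rejected command: $req->[0]\n";
    }
}
```

Run it as `perl -T script.pl` (the -T on the command line must match the shebang) with the storage directory already created; the first request is written, the other two are refused before any file is touched.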


This may be a little off-topic, but with Internet Explorer using the header Content-type: text/plain, images (viewing the picture in the browser, not in the web page), and PDFs, you can insert XSS because it has a feature in it that guesses the MIME type based on the first few hundred bytes instead of being told what it is. Create a file and send it to the browser with text/plain and some HTML/JavaScript code; it doesn't allow <b> or <i>, but HTML links and JS code.


Archived

This topic is now archived and is closed to further replies.
