[Date Prev]   [Date Next] [Thread Prev]   [Thread Next] [Date Index]   [Thread Index]


     [nocol-users] security problems with webnocol.cgi, genweb.pl, notifier.pl, etc.

	I'm a relatively new user of nocol and I am quite pleased.
	I really like the short amount of time it took me to start
	monitoring remote DNS, SMTP, HTTP, and NNTP servers. However,
	I've had to disable webnocol.cgi because of its many security

	The perlsec manual page has more details, including CGI
	specific advice, but enabling taint mode in nocol's perl
	scripts would be helpful.

	When a perl script is invoked with -T, taint mode is enabled.
	In a nutshell, taint mode makes sure you verify the
	correctness of all data coming from untrusted sources.
	Because tainted data is tracked through all possible uses,
	a program that can run in taint mode without any warnings
	is likely to be much more secure.  Unfortunately, nocol's
	perl scripts can't yet do this.

	My standard advice to people writing new perl code is to start
	their script with the following block:

		#! perl -Tw
		use strict;
		use English;
		$WARNING = 1;	# equal to the valuable -w flag

	The strict mode, along with standard warnings, always
	results in much tighter code. Including taint mode too
	greatly increases the security of the script.

	I started to clean up genweb.pl and webnocol.cgi but stopped
	pretty quickly. Because I am new to the system I found
	myself guessing what should be done to eliminate warnings
	and that's a bad sign.

	Are these scripts going to be preserved in snips? If so,
	have they already been tightened? If not, is there someone
	who knows the scripts well that could try adding the excerpt
	above to all of nocol's perl code and eliminate the resulting
	warning messages? I'll try to help by answering any perl
	questions you might have.