|[Date Prev] [Date Next]||[Thread Prev] [Thread Next]||[Date Index] [Thread Index]|
[nocol-users] security problems with webnocol.cgi, genweb.pl, notifier.pl, etc.
I'm a relatively new user of nocol and I am quite pleased. I really like the short amount of time it took me to start monitoring remote DNS, SMTP, HTTP, and NNTP servers. However, I've had to disable webnocol.cgi because of its many security problems. The perlsec manual page has more details, including CGI specific advice, but enabling taint mode in nocol's perl scripts would be helpful. When a perl script is invoked with -T, taint mode is enabled. In a nutshell, taint mode makes sure you verify the correctness of all data coming from untrusted sources. Because tainted data is tracked through all possible uses, a program that can run in taint mode without any warnings is likely to be much more secure. Unfortunately, nocol's perl scripts can't yet do this. My standard advice to people writing new perl code is to start their script with the following block: #! perl -Tw use strict; use English; $WARNING = 1; # equal to the valuable -w flag The strict mode, along with standard warnings, always results in much tighter code. Including taint mode too greatly increases the security of the script. I started to clean up genweb.pl and webnocol.cgi but stopped pretty quickly. Because I am new to the system I found myself guessing what should be done to eliminate warnings and that's a bad sign. Are these scripts going to be preserved in snips? If so, have they already been tightened? If not, is there someone who knows the scripts well that could try adding the excerpt above to all of nocol's perl code and eliminate the resulting warning messages? I'll try to help by answering any perl questions you might have. Thanks, Scott