[vox-tech] secure form to ascii file?

Rod Roark rod at sunsetsystems.com
Mon Sep 13 17:37:18 PDT 2004


On Monday 13 September 2004 05:23 pm, Bill Kendrick wrote:
> On Mon, Sep 13, 2004 at 03:05:21PM -0700, Lewis Perdue wrote:
> > I need a web form that writes to a file in comma-delimited ascii with a 
> > time/date stamp ...I know a lot of the perl scripts out there have holes 
> > CGI exploit holes. Does anyone have a secure recommendation?
> 
> The kind of Perl-script exploits I still see are old form-to-mail scripts
> being abused to send spam.  (Some complete moron sent me a couple of
> "your paypal account needs updating" phish attempts via one recently.
> Man, what an idiot! :^) )
> 
> Anyway, Perl should be fine, assuming you follow all the good rules pointed
> out when people teach Perl-for-CGI-development.  PHP would do great for
> this, too.
> 
> My one concern is how the permissions would be handled for the file you
> wish the script to write to.  (Anyone here have recommendations?)

The PHP or Perl script would be running with the permissions
of the web server, so you can just make sure the file is
writable by that user ("apache" or "httpd" or whatever).

If that's not acceptable then you can write a perl app that
does the logging, make it suid and invoke it from the web
script.  I did something like that recently, which gave me
an enlightening tour of perl's "taint" features.

...
> 'Course now I'm "out" of the web business.
> *Whew!*)

Too bad.  ;-)

-- Rod
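
One way to write the taint-mode logging helper described above, as an added example that is not part of the original message and not Rod's code. It assumes the web script passes three fields as command-line arguments; the log path, the field names and the allow-list patterns are all assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Fcntl qw(:flock);
use POSIX qw(strftime);

# No external program is run here, but a fixed, minimal environment is the
# usual first step in a taint-mode script.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $LOG = '/var/local/formlog/entries.csv';   # assumed path, fixed in code

# Untaint a value by matching the whole string against an allow-list pattern.
# Returns undef when it does not match, so the caller can reject the request.
sub untaint {
    my ($value, $pattern) = @_;
    return undef unless defined $value;
    return $value =~ /\A($pattern)\z/ ? $1 : undef;
}

# Quote one CSV field: double any embedded quotes, then wrap in quotes.
sub csv_field {
    my ($s) = @_;
    $s =~ s/"/""/g;
    return qq("$s");
}

# @ARGV is tainted under -T. print() is not taint-checked, so the validation
# below is what keeps newlines and control bytes out of the log.
my ($name, $email, $comment) = @ARGV;         # hypothetical field names
my $n = untaint($name,    qr/[\w .'-]{1,80}/);
my $e = untaint($email,   qr/[\w.+-]{1,64}\@[\w.-]{1,255}/);
my $c = untaint($comment, qr/[^\x00-\x1f\x7f]{0,500}/);
die "rejected input\n" unless defined $n && defined $e && defined $c;

my $stamp = strftime('%Y-%m-%d %H:%M:%S', localtime);
my $line  = join(',', map { csv_field($_) } $stamp, $n, $e, $c) . "\n";

# Append under an exclusive lock so concurrent submissions do not interleave.
open(my $fh, '>>', $LOG) or die "cannot open log: $!\n";
flock($fh, LOCK_EX)      or die "cannot lock log: $!\n";
print {$fh} $line        or die "cannot write log: $!\n";
close($fh)               or die "cannot close log: $!\n";
```

The log file name never comes from the request, so the only data that reaches the file is the timestamp and the three validated fields.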

