Posted by gwl on 11/24/33 11:28
Phil,
If you could post the problem script to the comp.lang.tcl newsgroup and what
OS you are using, it is more than likely we can tell you how to plug the
security hole. Particularly from the description you include -- sounds
like it may be a well known coding problem (i.e. not handling user data in a
safe way).
To answer your question, you can pass data either as an argument to the
script on its command line (i.e. when you kick it off) or via an environment
variable. In general, if you are having security problems with handling
user supplied data, I'd recommend passing via an environment variable (it is
harder to introduce a security hole).
BTW, a properly written CGI script is no less safe than a properly written
PHP script -- you just have to know what you are doing.
comp.lang.php wrote:
> On one of my sites, I have a TCL CGI script that has a security hole
> in spite of it having effective server-side validation (the fact that
> it's CGI IS its security hole). The front end is a PHP script, and I
> am writing server-side validation onto it, however, it is required to
> redirect to the TCL CGI script because only a CGI script has the
> ability to access a group-accessible XML script on the back end.
>
> I had to take the whole thing down because a hacker found a way to
> exploit the TCL CGI script and send in viral DoS-generating data
> packets via simple form text field submissions, somehow even bypassing
> the TCL CGI script's server-side validation.
>
> Hence, that is why I am writing server-side validation on the front-end
> PHP script, which is not CGI, of course.
>
> The only way I could figure out how to make this secure was the concept
> of "key passing", that is, passing a key from the PHP script into a
> $_SESSION variable, then the TCL CGI script must have the same key on
> its end, somehow, in order to expedite further.
>
> Bottom line: I have no clue how to do this. Is there anyone out there
> that knows this stuff and can either give me a quick tutorial or point
> me in the right direction? I have absolutely no idea where to begin,
> nor do I know any other means of ensuring web security.
>
> *NOTE* I cannot destroy the TCL CGI script, because only a CGI script
> can access the group-accessible XML on the back end, so that's not an
> option by any means.
>
> Thanx
> Phil
>
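The two hand-off methods gwl describes, as an added example that is not code from either poster: a PHP front end that validates a form field and then invokes the Tcl CGI script either by interpolating the value into a shell command line (the pattern that opens holes) or by passing it through the environment. The script path `/usr/local/cgi-bin/update.tcl` and the variable name `FORM_FIELD` are assumptions.

```php
<?php
// Added example (not from the thread). Path and variable name are assumed.

// Validate before anything else: accept only what the back end expects.
function validate_field(string $value): ?string {
    return preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $value) ? $value : null;
}

// Command-line hand-off done the risky way: the shell parses $data, so any
// shell metacharacter in it changes the command that actually runs.
function run_via_shell_string(string $data): ?string {
    return shell_exec('/usr/local/cgi-bin/update.tcl ' . $data);
}

// Environment hand-off (what the reply recommends): the script is started
// directly, no shell sees the value, and the Tcl side reads it with
//     set value $env(FORM_FIELD)
function run_via_env(string $data): string|false {
    $descriptors = [
        0 => ['pipe', 'r'],   // child's stdin
        1 => ['pipe', 'w'],   // child's stdout
        2 => ['pipe', 'w'],   // child's stderr
    ];
    // Explicit, minimal environment for the child: the field plus a PATH.
    $env = ['FORM_FIELD' => $data, 'PATH' => '/usr/bin:/bin'];
    // Array form of the command bypasses the shell entirely (PHP >= 7.4).
    $proc = proc_open(['/usr/local/cgi-bin/update.tcl'], $descriptors, $pipes, null, $env);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return $status === 0 ? $out : false;
}

// Front-end flow: reject anything that fails validation, then use the
// environment path for the hand-off.
$field = validate_field($_POST['field'] ?? '');
if ($field === null) {
    http_response_code(400);
    exit('invalid input');
}
$result = run_via_env($field);
```

The validation step matters in both variants; the environment hand-off only removes the shell from the path, it does not make the Tcl script's own handling of the value safe.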