|
Posted by comp.lang.php on 11/16/49 11:28
On one of my sites, I have a TCL CGI script that has a security hole
in spite of it having effective server-side validation (the fact that
it's CGI IS its security hole). The front end is a PHP script, and I
am writing server-side validation onto it, however, it is required to
redirect to the TCL CGI script because only a CGI script has the
ability to access a group-accessible XML script on the back end.
I had to take the whole thing down because a hacker found a way to
exploit the TCL CGI script and send in viral DoS-generating data
packets via simple form text field submissions, somehow even bypassing
the TCL CGI script's server-side validation.
Hence, that is why I am writing server-side validation on the front-end
PHP script, which is not CGI, of course.
The only way I could figure out how to make this secure was the concept
of "key passing", that is, passing a key from the PHP script into a
$_SESSION variable, then the TCL CGI script must have the same key on
its end, somehow, in order to expedite further.
Bottom line: I have no clue how to do this. Is there anyone out there
that knows this stuff and can either give me a quick tutorial or point
me in the right direction? I have absolutely no idea where to begin,
nor do I know any other means of ensuring web security.
*NOTE* I cannot destroy the TCL CGI script, because only a CGI script
can access the group-accessible XML on the back end, so that's not an
option by any means.
Thanx
Phil
[Back to original message]
|