Re: free source for bbs

From: Tad McClellan (tadmc_at_augustmail.com)
Date: 04/04/04

Next message: Tad McClellan: "Re: real, simple sample OOP intro text??!!"
Previous message: Geoff Cox: "Re: real, simple sample OOP intro text??!!"
In reply to: Robin: "Re: free source for bbs"
Next in thread: A. Sinan Unur: "Re: free source for bbs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Sun, 4 Apr 2004 10:29:53 -0500

Robin <webmaster@infusedlight.net> wrote:

> Well, it hasn't been hacked again in about half a day, I know how they did
> it the first time, fixed that, and I know how they did it the second time
> because my password for the admin script was something easily guessable, but
> the last time must have been done with some sort of exploiter script that
> submitted a lot of stuff through my forms through http.

There are exploits numbers 1, 2 and 3.

Only about a dozen more to go, hang in there until you are shown all
of them!

(or if you can't wait months or years, install an existing message
board that already knows the potential exploits.
)

> Can someone tell me
> a few lines of code I could use in the script - www.infusedlight.net/bbs/
> (download here) that would prevent it from being insecure,

Just in case it is not perfectly clear yet:

That is impossible.

Give up on that idea. Switch to some other idea.

"a few lines of code" and "prevent it from being insecure" should
not appear in the same sentence.

> I know this is
> asking a lot, but I'd like to be able to be running a good, safe, secure
> message board system.

The easy way to do that would be to find an existing message board
that is good, safe and secure.

The very hard way is to write one yourself (and if you do, you will
surely miss some or all of the "target" features listed).

> In any event, I have a feeling that it might be really
> exploited soon now that I have a feature to mail posts to you, hopefully
> that doesn't happen.

<metaphor type="ridiculous extreme">
I have a feeling that my car might be stolen now that I leave it
unlocked with the keys in it.

Hopefully that doesn't happen.
</metaphor>

"Hoping" that a possible exploit is not exploited demonstrates that
you do not yet have the mindset appropriate for considering security.

Arranging things so that the possible exploit is no longer possible
is how you should be thinking.

You need (perhaps a lot) more background before you will be able to do it.

There are lots of rather obvious places to look for more background:

Have you read Perl's standard doc with the title "Perl security"?

perldoc perlsec

Have you seen the Questions that are Asked Frequently regarding
the application area that you are working in?

perldoc -q CGI
Where can I learn about CGI or Web programming in Perl?

What is the correct form of response from a CGI script?

My CGI script runs from the command line but not the browser. (500
Server Error)

How can I get better error messages from a CGI program?

How do I make sure users can't enter values into a form that cause my
CGI script to do bad things?

How do I decode a CGI form?

Besides "Perl security" you will also need to know about "OS security",
"web server security" and "CGI security", so you will need to find
non-Perl security info too.

> I also have a feeling that to get a secure script
> written I'll have to start over from scratch.

Now you're talking!

> I know you're gonna say I
> should abandon programming, but why?

There is no need to abandon programming.

There is a need to abandon offering code to The World that
can damage anyone foolish enough to trust it.

If you insist on putting it where the public can find it, you
are remiss if you don't plaster it with prominent warnings
and caveats.

What you are doing can hurt people. Figure out how to do what
you want without hurting people.

(or at least warning them that they could be hurt.)

_You_ can be exploited as many times as you like. That's up to you.

Spreading your pain to unsuspecting people is what is disreputable.

-- 
    Tad McClellan                          SGML consulting
    tadmc@augustmail.com                   Perl programming
    Fort Worth, Texas

Next message: Tad McClellan: "Re: real, simple sample OOP intro text??!!"
Previous message: Geoff Cox: "Re: real, simple sample OOP intro text??!!"
In reply to: Robin: "Re: free source for bbs"
Next in thread: A. Sinan Unur: "Re: free source for bbs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages

[NEWS] User Posting Vulnerability in Nick.com Forums (Nickelodeon)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... When you create a user and log in to their message board system (powered ... This does not work too well with window ...
(Securiteam)
login problems with windows 2k
... I have been having problems logging onto a message board. ... At first I thought it was a security problem with Internet ... I am beginning to wonder if it is a Service Pack 3 issue, ...
(microsoft.public.win2000.security)
Re: submitting text for use in a mysql database
... > Depending on the system also depends who gets hurt in the cross-fire.. ... Microsoft invests billions of dollars in security, ... want to do is fix the biggest ones and slowly make it better over time. ... You can't run before you can walk, so I want to learn to walk first, that is ...
(comp.lang.php)
RE: [fw-wiz] The home user problem returns
... idiot clicking attachments can infect 10,000 other idiots a day ... >that institute end-user security training. ... >have no opportunity to hurt themselves. ... It uses Zen4 to render anything you get. ...
(Firewall-Wizards)
Re: loing as root user
... At the very moment I do not care about security at all, ... So let me just try, I will get hurt, and then won't use this feature ... Is would be a violation of "Linux is very flexible" rule if there is ...
(alt.os.linux)