Perl files getting accessed directly
Perl files getting accessed directly
(OP)
Hello. I just registered. I just wanna tell somebody about a nuisance/problem with my perl script on my webserver which I finally got fixed. For those who really know perl this is gonna be boring probably - but maybe this can help other newbees with same problem.
I have a "feedback page" - u can put in name/webadress/comment in the fields in an html-form page. Which sends the info to a perl script. (which sends that input to another html-page)
Now - if I look at the webserver log file, bots/programs probably sniff out .pl files (?) and accesses them directly - like "https://servername.com/filename.pl"
This happened. Not very frequently - but often. So when I went a html-page (on my webserver) with the results of the feedback-page there would be some EMPTY posts.
Now - this was not the end of the world but it still nagged me. Is there a fix? Yes.
This line:
if(defined $cgi->param('navn')){
As long as that line was before the argument - NO NEW ENTRY was created.
('navn' refers to the scalar name)
IF someone (like me - I tested it) DID write the exact location of the .pl file in a browser - one would just get an "Internal server error" - which I wanted - but before I added the line - the script would create an empty post in the html page.
NO EMPTY POSTS have been added since I inlcuded that line in the script !
This is my script:
------------------------
#!C:\Perl64\site\bin\perl.exe
use strict;
use warnings;
use HTML::Entities;
use CGI;
use Time::Piece;
my $cgi = CGI->new();
my $dato = localtime->strftime('%d-%m-%Y');
my $navn = $cgi->param('navn');
my $kommentar = $cgi->param('kommentar');
my $navn = encode_entities($navn, '<>&"');
my $kommentar = encode_entities($kommentar, '<>&"');
open(my $fh, '>>', 'skryt.html');
if(defined $cgi->param('navn')){
print "Content-type:text/html\r\n\r\n";
print $fh "<HR color=#008000 SIZE=2>\n Navn: <b>$navn</b> Kommentar: <b>$kommentar</b> Dato: $dato";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = skryt.html' /></head>";}
else {(die)}
close $fh;
------------------------
Probably an "off beat" problem but should be known.
Any security issues?
My webserver:
Old Windows 10 PC
webserver program: hiawatha https://www.hiawatha-webserver.org/
cgi enabled
website: https://helledussen.com (in norwegian - sorry) (to view english example script/html form https://helledussen.com/limbomusic/eng-fanreg.html )
Music: https://helledussen.com/groove2/stoned.html
Or search for Limbomusic on utube.
Cheers.
I have a "feedback page" - u can put in name/webadress/comment in the fields in an html-form page. Which sends the info to a perl script. (which sends that input to another html-page)
Now - if I look at the webserver log file, bots/programs probably sniff out .pl files (?) and accesses them directly - like "https://servername.com/filename.pl"
This happened. Not very frequently - but often. So when I went a html-page (on my webserver) with the results of the feedback-page there would be some EMPTY posts.
Now - this was not the end of the world but it still nagged me. Is there a fix? Yes.
This line:
if(defined $cgi->param('navn')){
As long as that line was before the argument - NO NEW ENTRY was created.
('navn' refers to the scalar name)
IF someone (like me - I tested it) DID write the exact location of the .pl file in a browser - one would just get an "Internal server error" - which I wanted - but before I added the line - the script would create an empty post in the html page.
NO EMPTY POSTS have been added since I inlcuded that line in the script !
This is my script:
------------------------
#!C:\Perl64\site\bin\perl.exe
use strict;
use warnings;
use HTML::Entities;
use CGI;
use Time::Piece;
my $cgi = CGI->new();
my $dato = localtime->strftime('%d-%m-%Y');
my $navn = $cgi->param('navn');
my $kommentar = $cgi->param('kommentar');
my $navn = encode_entities($navn, '<>&"');
my $kommentar = encode_entities($kommentar, '<>&"');
open(my $fh, '>>', 'skryt.html');
if(defined $cgi->param('navn')){
print "Content-type:text/html\r\n\r\n";
print $fh "<HR color=#008000 SIZE=2>\n Navn: <b>$navn</b> Kommentar: <b>$kommentar</b> Dato: $dato";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = skryt.html' /></head>";}
else {(die)}
close $fh;
------------------------
Probably an "off beat" problem but should be known.
Any security issues?
My webserver:
Old Windows 10 PC
webserver program: hiawatha https://www.hiawatha-webserver.org/
cgi enabled
website: https://helledussen.com (in norwegian - sorry) (to view english example script/html form https://helledussen.com/limbomusic/eng-fanreg.html )
Music: https://helledussen.com/groove2/stoned.html
Or search for Limbomusic on utube.
Cheers.
Talk To Other Members