Hi Everybody,

I was wondering if it was possible for someone to gain access to my Perl CGI scripts before they are interpreted by Perl (mod_perl on apache2) i.e. getting a hold of my raw scripts and not the html output?

Let's say I use the DBI module where I have the hostname, user and password stored in my CGI script (currently I store these parameters in another file and the user only has select privileges anyway), is there a way to prevent someone from getting the script as it is (if it is possible)?

Many thanks,

Dave

Usually, no.
But generally, 3 ways come to mind:

• If the HTTP server is configured wrong and doesn't recognize the scripts as executables, and serves the content instead
• If another application on the same server is vulnerable to relative path errors, eg instead of calling /xyz/abc.html the attacker can call /xyz/../../cgi-bin/script.pl
• If you've got a script that uses templates with variables passed through POST. Those could be set also via GET and potentially serve content you wanted hidden

Thank you very much for your reply pludi.

>If the HTTP server is configured wrong and doesn't recognize the scripts as executables, and serves the content instead

I guess this isn't a problem, since http://domain/script.pl executes.

>If another application on the same server is vulnerable to relative path errors, eg instead of calling /xyz/cgi-bin/script.pl

Could you give me an example of such an application?

>If you've got a script that uses templates with variables passed through POST. Those could be set also via GET and potentially serve content you wanted hidden

I'll keep this in mind when I'm building forms and passing variables.

Thanks again,

Dave