Re: Key-passing from PHP to TCL CGI script - how is it done (web security issue)?
comp.lang.php archive


From: comp.lang.php <phillip.s.powell@gmail.com>
Date: Thu Oct 06 2005 - 16:19:47 CEST

Unfortunately that is not the case. The provider does not allow
storage outside of the docroot, else, that would of course solve
everything as all of the TCL scripts would work outside of the docroot
in that case.

I did manage to add one extra line of security as a measure:

..
} elseif {[string length $firstname] > 75 || [string length $lastname] > 75} {
    # HANDLE
}
..

Phil

Steve wrote:
> > It would function, yes, but I don't see how that would offer any form
> > of protection as the hacker would still have access to the TCL CGI
> > script with his/her original HTML cached page. I guess I am unclear as
> > to how this would tighten things up.
>
> It depends on whether your setup allows you to store files in
> directories other than your web root folder and below.
>
> If the TCL script can be stored and executed outside of your web
> there's no direct access to it from a browser.
>
> For instance, my host has a fairly common setup where the web root
> folder is
>
> /home/steve/web/
>
> but I can create folders in /home/steve that are outside the web.
>
>
> ---
> Steve
Received on Tue Oct 18 02:32:43 2005