Password Protection Can Be Bypassed

[megp]

Greetings,

I have a CGI script (in rudimentary Perl) that takes login name and password data, compares it to a database, and if it matches, prints one page, if no match, redirects back to the login page with an error message. This all works fine.

My problem is that if one enters the location of the CGI script in the address bar, he is admitted through without a login name and password. I'm missing the component that tests to see if there is any incoming data to begin with, then redirects back to the login page if not. Please help.

#!/usr/bin/perl
#Line above gives path to Perl interpreter
require "cgi-lib.pl";

#Read incoming data into an array and set content type
&ReadParse;
print &PrintHeader;

#Set default test results to no match
$match="no";

#Open user database in read-only mode
open(FILE,"cmaa.txt") || die "Can't find database\n";
#Store contents of database in an array
@indata = <FILE>;
#Close database
close(FILE);

#Extract each record from the @indata array
foreach $i (@indata)
{
#Remove hard return
chomp($i);
#Assign names to variables
($fname,$lname,$co,$add,$city,$st,$zip,$tele,$email,$pwd1,$pwd2) = split(/\|/,$i);
#Compare login data to array
if ($fname=~/$in{'fname'}/i && $lname=~/$in{'lname'}/i && $pwd1=~/$in{'pwd'}/i)
{
$match="yes";
# Print personalized CMAA page

Obviously, there's more, but I believe the necessary piece would fit in here somewhere. Actual page is at

http://www.sponsorlogic.com/cgi-bin/cmaalogin.cgi;

login page is at

http://www.sponsorlogic.com/NewTest/cmaa.html.

Thanks so much!
Meghan

 

[KevinADC]

Stop! Do not proceed with your current code unless you are bound by some strange limitations. cgi-lib is ancient and should no longer be used unless your using some ancient installation of perl. Use CGI instead. You should also start using "srict".

Most likely, the problem with your code is that you have not validated the user input before checking it against the file. Also you are using partial matching (sub string match) in you regexp instead of matching the entire string. Add string anchors /^$string$/:

if ($fname=~/^$in{'fname'}$/i && $lname=~/^$in{'lname'}$/i && $pwd1=~/$in{'pwd'}/i)

------------------------------------------
- Kevin, perl coder unexceptional!

 

[megp]

Okay, Kevin,

I've obtained CGI.pm (v3.25). I'm going to go see what I can figure out, but I may be back with more questions... I'm sure I'll thank you for the kick in the butt later

Meghan

 

[travs69]

But come on.. everyone loves cgi-lib

 

[feherke]

Hi

Add string anchors /^$string$/

Good advice, but you could continue with quoting : [tt]/^[red]\Q[/red]$string[red]\E[/red]$/[/tt] . Otherwise if someone's password is for example .* , then anything is accepted as password.

Feherke.

http://rootshell.be/~feherke/

 

[Kirsle]

Or just quotemeta the string, which escapes all non-alphanumeric characters.

$string = '.*';
$string = quotemeta($string); # \.\*

if ($pwd1 =~ /^$string$/

-------------
Cuvou.com | The NEW Kirsle.net

 

[KevinADC]

Good advice, but you could continue with quoting : /^\Q$string\E$/ . Otherwise if someone's password is for example .* , then anything is accepted as password.

that is also good advice, hopefully passwords/names are only allowed to be alpha-numeric to begin it, but if not, \Q that sucka!

------------------------------------------
- Kevin, perl coder unexceptional!

 

[ishnid]

. . . or just use "eq" to compare the strings. Why use a regexp at all?

 

[KevinADC]

or just use "eq" to compare the strings. Why use a regexp at all?

party pooper





------------------------------------------
- Kevin, perl coder unexceptional!