Question

Through Perl scripts, end customers can acquire some information about the Windows web hardware node. Is it safe?

Answer

After a thorough investigation, the security team determined that it is possible to run some commands, but this is permitted for the web user: that is the purpose of CGI, which allows the user to run commands. Even if running a specific command (e.g. ipconfig) were prohibited, it would still be possible to gather the same information using pure Perl and Windows-specific modules, e.g.:

http://www.perlmonks.org/?node_id=166645

To restrict Perl completely, it is possible to leave only ASP.NET on the node and remove other scripting packages. You would need to do the following:

  1. In POA PP, go to Deployment Director > Server Manager > <Hardware_node> > Packages.
  2. Remove the ActivePerl package.
  3. Access the node and remove ActivePerl through Win+R > appwiz.cpl.

The same can be done for the PHP packages and application.
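
One way to confirm on the node that the removal took effect, as an added example that is not part of the original article: the PowerShell below lists any remaining installed programs, IIS handler mappings and executables on PATH that match Perl or PHP. The name patterns, file extensions and executable names are assumptions; adjust them to the packages actually deployed.

```powershell
# Added example: audit a Windows web node for leftover Perl/PHP script engines.
# Name patterns are assumptions; match them to what appwiz.cpl lists.
$patterns = 'ActivePerl', 'PHP'

# 1. Installed programs as shown in appwiz.cpl (64-bit and 32-bit registry views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($patterns | Where-Object { $name -like "*$_*" })
    } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

# 2. IIS handler mappings that still route requests to a Perl or PHP engine,
#    at server level and for every site.
$handlers = @()
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $scopes = @('IIS:\') + (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })
    $handlers = foreach ($scope in $scopes) {
        Get-WebHandler -PSPath $scope |
            Where-Object {
                $_.ScriptProcessor -match 'perl|php' -or
                $_.Path -match '\.(pl|cgi|php)$'
            } |
            Select-Object @{ n = 'Scope'; e = { $scope } }, Name, Path, ScriptProcessor
    }
}

# 3. Interpreters still reachable through PATH (executable names are assumptions).
$binaries = Get-Command perl.exe, php.exe, php-cgi.exe -ErrorAction SilentlyContinue |
    Select-Object Name, Source

# Report: every section should be empty once the packages are removed.
'--- Installed programs ---';  $installed | Format-Table -AutoSize
'--- IIS handler mappings ---'; $handlers | Format-Table -AutoSize
'--- Executables on PATH ---';  $binaries | Format-Table -AutoSize

if (-not ($installed -or $handlers -or $binaries)) {
    'No Perl/PHP engines, handler mappings or executables found.'
}
```

Run it in an elevated PowerShell session on the hardware node after completing the steps above.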
