
Monday, May 07, 2012

Perl Diver 2.33: Download and Installation


If you write, or need to maintain, Perl scripts, it can be incredibly helpful to have a way to print out all your environment variables, installed modules, and the like, much like PHP's phpinfo().

Up until 2006, a site called ScriptSolutions.com—no longer in service—offered a free program you could install called Perl Diver. Version 2 of the script offered a lot of extra functionality. The last version of the script to be released was 2.33, which fixed an exploitable hole in the module parameter for versions 2.x prior to this release.

The bottom line is that Perl Diver is still an excellent tool, and it's a shame to see the fixed version leave the public realm with no place to download.


Download, Basic Installation:

After searching everywhere for a copy, I finally secured one, and am again offering the script to the public.

If you have git access, obtaining a copy from GitHub is as simple as:
# via the git protocol
git clone git://github.com/mrrena/perldiver
# as https
git clone https://github.com/mrrena/perldiver
Otherwise, download a copy of the perldiver zip. Installation should be a matter of unzipping the contents of this file wherever you keep your Perl scripts.

If you do not have git access (file permissions are automatically retained in git), you will also need to give the script execution permission, either using the following command:
chmod +x perldiver.pl
Or via an FTP program like FileZilla, setting perldiver.pl to "755": refer to this blog post if you don't know how to do that.

If you need to change the extension to .cgi, you will also need to change the file name in perldiver.conf:
# only if you change the file extension to "cgi"
'script_name'      => 'perldiver.cgi',

Hide From Search Engines:

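To keep search engines from indexing the page in their results (you probably don't want to broadcast your server's environment variables to the entire world), you should also create an entry in your robots.txt file. Keep in mind that robots.txt is a publicly readable, advisory file: it asks well-behaved crawlers to stay away but does not restrict access, so it complements rather than replaces the password protection covered below.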

If you don't have one already, create a plain text file and enter the following lines (assuming that the directory in which you're including Perl Diver is cgi-bin):
User-agent: *
Disallow: /cgi-bin/perldiver
Save your file with the name robots.txt, and then upload this file to your web server's root directory.

All paths specified in the file are relative to root; you can check your file at this link or, if you have a free account, you can use Google's Webmaster Tools for the same. For more info on robots.txt files, see Google's Block or remove pages using a robots.txt file.

Password Protecting:

It's also a really good idea to keep hackers from manually fishing the script for info. Perl Diver is used on a lot of websites, and hackers have learned to look for unprotected copies. You can avoid this type of hack by password protecting the perldiver directory. Assuming that you use Apache, directions follow.

You will need to replace Apache's example username rbowen below with the username used when you access scripts from your site via http / https. Here is the relevant excerpt from Apache's Authentication, Authorization and Access Control page:

Getting it working

Here's the basics of password protecting a directory on your server.

You'll need to create a password file. This file should be placed somewhere not accessible from the web. This is so that folks cannot download the password file. For example, if your documents are served out of /usr/local/apache/htdocs you might want to put the password file(s) in /usr/local/apache/passwd.

To create the file, use the htpasswd utility that came with Apache. This will be located in the bin directory of wherever you installed Apache. To create the file, type:
htpasswd -c /usr/local/apache/passwd/passwords rbowen
htpasswd will ask you for the password, and then ask you to type it again to confirm it:
$ htpasswd -c /usr/local/apache/passwd/passwords rbowen
New password: mypassword
Re-type new password: mypassword
Adding password for user rbowen
If htpasswd is not in your path, of course you'll have to type the full path to the file to get it to run. On my server, it's located at /usr/local/apache/bin/htpasswd

Next, you'll need to configure the server to request a password and tell the server which users are allowed access. You can do this either by editing the httpd.conf file or using an .htaccess file. For example, if you wish to protect the directory /usr/local/apache/htdocs/secret, you can use the following directives, either placed in the file /usr/local/apache/htdocs/secret/.htaccess, or placed in httpd.conf inside a <Directory /usr/local/apache/apache/htdocs/secret> section.
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen
For additional details, see the full Apache manual page.
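
The following audit script is an added example, not part of the original post or of Perl Diver. It checks the two protections set up above: that a robots.txt Disallow rule really covers the script's URL (as interpreted by Python's urllib.robotparser, where a path without its leading slash matches nothing), and that the Basic-auth directives are complete and point at a password file outside the document root. The function names and the sample script URL are assumptions; the paths come from the Apache excerpt, and AuthUserFile is assumed to be an absolute path.

```python
import os
from urllib import robotparser

def robots_blocks(robots_txt, url_path, agent="*"):
    """True if the robots.txt text asks `agent` not to crawl url_path."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, url_path)

def audit_htaccess(htaccess_text, docroot):
    """Return a list of problems found in the Basic-auth directives."""
    seen = {}
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        seen[key.lower()] = rest[0].strip().strip('"') if rest else ""
    problems = ["missing " + name
                for name in ("authtype", "authname", "authuserfile", "require")
                if name not in seen]
    pwfile = seen.get("authuserfile")
    if pwfile:
        # The password file must not be downloadable, so it has to live
        # outside the tree the server publishes (absolute path assumed).
        root = os.path.realpath(docroot)
        if os.path.commonpath([root, os.path.realpath(pwfile)]) == root:
            problems.append("password file is inside the document root")
    return problems

# Constructed sample input, using the paths from the Apache excerpt.
DOCROOT = "/usr/local/apache/htdocs"
SCRIPT_URL = "/cgi-bin/perldiver/perldiver.pl"  # hypothetical install location
GOOD_HTACCESS = """\
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen
"""
# Same directives, but with the password file moved under the docroot.
BAD_HTACCESS = GOOD_HTACCESS.replace("/passwd/", "/htdocs/secret/")

if __name__ == "__main__":
    for rule in ("cgi-bin/perldiver", "/cgi-bin/perldiver"):
        txt = "User-agent: *\nDisallow: " + rule + "\n"
        verdict = "blocked" if robots_blocks(txt, SCRIPT_URL) else "NOT blocked"
        print("Disallow:", rule, "->", verdict)
    print("good .htaccess:", audit_htaccess(GOOD_HTACCESS, DOCROOT))
    print("bad .htaccess: ", audit_htaccess(BAD_HTACCESS, DOCROOT))
```

To audit a real install, pass the contents of your own robots.txt and .htaccess files in place of the constructed samples.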
