Bugtraq mailing list archives
Re: Guidelines for cgi-bin scripts
From: angio () aros net (Dave Andersen)
Date: Tue, 8 Aug 1995 15:32:50 -0600
Lo and behold, Lee Silverman once said:

> For example, if someone gave you a cgi-bin script and asked you to tell them if it was going to cause any security holes, what would you look for?

Check for any use of the system() call, or an open() which allows user inputtable data. So if you're letting them select a filename, or finger, or anything similar, be paranoid. This can be avoided easily in perl with the open(BLAH, "-|") || exec 'command', 'arg1', 'arg2'; syntax, or in C by using your own fork/exec instead of just system'ing.

With shell scripts, it applies to all commands and things like finger_info=`finger $username` . If you're going to use this syntax, you'd best sanitize the daylights out of the user accepted data. :)

The other security concerns are in scripts/programs which are suid and rely upon environment variables.. it's crucial that you prevent a user from executing it on their own with their own environment variables. Perl is nice that way, in that it deems all environment variables "tainted" unless you sanitize them, but common sense is still pretty necessary.

Other little things: Make sure your data structures can't be overrun by an incredibly large amount of data. Most of the time you'll just crash, but someone could get clever, I suppose.

Ahh.. *shrugs*

-Dave Andersen
---
angio () aros net
system administration
Blah blah, my opinions are my own, etc.
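The C advice in the message above (your own fork/exec instead of system(), a controlled environment, bounded buffers), as an added example that is not part of the original post. The names valid_username and run_noshell, the 32-character limit, the fixed PATH and the use of echo as an offline stand-in for finger are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
extern char **environ;

/* Allow-list check; a leading '-' is refused so it cannot be read as an option. */
int valid_username(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-";
    size_t n = strlen(s);
    return n > 0 && n <= 32 && s[0] != '-' && strspn(s, ok) == n;
}

/* Run argv[0] with argv[] directly (no shell) and a fixed environment.
 * Captures at most outsz-1 bytes of stdout; returns exit status or -1. */
int run_noshell(char *const argv[], char *out, size_t outsz)
{
    static char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (outsz == 0 || pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);     /* stdout goes to the pipe */
        close(fds[1]);
        environ = clean_env;             /* drop the caller's environment */
        execvp(argv[0], argv);           /* arguments are never re-parsed */
        _exit(127);                      /* only reached if exec failed */
    }
    close(fds[1]);
    while (used < outsz - 1 && (n = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;               /* bounded: cannot overrun out[] */
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: harmless to exec, but a second command under system(). */
    char buf[128], *argv[] = { "echo", "alice; echo INJECTED", NULL };
    if (run_noshell(argv, buf, sizeof buf) != 0) return 1;
    printf("valid_username=%d output=%s", valid_username(argv[1]), buf);
    return 0;
}
```

Because the argument vector reaches the program without passing through a shell, the `;` arrives as literal data; the allow-list would still reject that value before it is used as a login name.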