Bugtraq mailing list archives
Re: Guidelines for cgi-bin scripts
From: cwe () Csli Stanford EDU (Christian Wettergren)
Date: Wed, 9 Aug 1995 00:44:01 -0700
| Lo and behold, Lee Silverman once said:
|
| > For example, if someone gave you a cgi-bin script and asked you to tell
| > them if it was going to cause any security holes, what would you look for?

I would also look to interaction with unknown - complex - programs. This may sound too unspecific, but I would be skeptical about large things like database engines, or untested things like a new fancy "do-x-and-our-web-site-will-be-famous" thing. These are usually either too large and complex to control even if you are determined, or untested prototypes with lots of bugs in them.

I would also like to pinpoint another category of suspicious programs - viewers of any kind. These are almost never written with security in mind, since the author is usually only interested in depicting the data in as nice a way as possible. The input data is always considered "friendly input". (This is of course different when we talk about highly networked viewers like the web ones.)

(The newest versions of xv (3.10, I believe) actually execute postscript files without the -SAFER switch. So by sending a postscript file from a web-server but specifying it as an image/tiff or whatever, you are actually able to do nasty things.)

Also, don't entirely discount the risk of "contamination" based on more passive methods like being able to place a certain file in a certain place that will trigger something later on based on the user's actions separate from the Web thing. Like being able to put some strange dot files somewhere, changing some defaults. Something under .hotjava/execute-me-automatically :-))

/Christian
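An added example, not part of the original post: a Python gate that a browser or mail helper could run before handing downloaded data to an image viewer, covering the mislabelled-PostScript case described above. The function names, the allowlist and the sample byte strings are constructed for illustration.

```python
# Added illustration: compare the declared Content-Type with the leading
# bytes of the data before passing it to an external viewer.

# Leading-byte signatures for a few well-known formats.
MAGIC = [
    (b"%!", "application/postscript"),
    (b"II*\x00", "image/tiff"),      # little-endian TIFF
    (b"MM\x00*", "image/tiff"),      # big-endian TIFF
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Assumption: only passive image formats may reach the viewer.
SAFE_FOR_VIEWER = {"image/tiff", "image/gif", "image/jpeg"}


def sniff_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def may_open_in_viewer(declared: str, data: bytes):
    """Return (allowed, reason) for a declared type and the received bytes."""
    declared = declared.split(";", 1)[0].strip().lower()
    actual = sniff_type(data)
    if actual is None:
        return False, "unrecognised content"
    if actual != declared:
        return False, f"declared {declared} but content is {actual}"
    if actual not in SAFE_FOR_VIEWER:
        return False, f"{actual} is not an allowed passive format"
    return True, "ok"


# Constructed sample inputs.
PS_SAMPLE = b"%!PS-Adobe-3.0\n% constructed sample\nshowpage\n"
TIFF_SAMPLE = b"II*\x00" + b"\x00" * 8
GIF_SAMPLE = b"GIF89a" + b"\x00" * 8

if __name__ == "__main__":
    for declared, data in [("image/tiff", PS_SAMPLE),
                           ("image/tiff", TIFF_SAMPLE),
                           ("application/postscript", PS_SAMPLE)]:
        print(declared, may_open_in_viewer(declared, data))
```

A prefix check only narrows what reaches the viewer; the viewer's own parser still has to treat the data as unfriendly input.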