Bugtraq mailing list archives

Re: CGI security: Escape newlines.


From: angio () aros net (Dave Andersen)
Date: Mon, 5 Feb 1996 22:46:38 -0700


Lo and behold, Jennifer Myers once said:

There are a good set of security guidelines at:
http://www.cerf.net/~paulp/cgi-security/safe-cgi.txt:

That document recommends removing or escaping the following characters
in user-supplied data before passing it to a shell:

        ;<>*|`&$!#()[]{}:'"/

There is (at least) one character missing from this list: the new line
character.  I have never seen the new line character included in a list
of metacharacters to filter.

[lossy compression]


  Suggested fix:

Very simple.  Add the character \n (the new line character) to the
list of characters to REMOVE from user-supplied data before
supplying it to a shell in a CGI program.

   While there's no doubt that this fix works like a charm for dealing
with this particular hole, it seems to perpetuate one "goof" in the way
CGI scripts handle input data.  There's a very good lesson to be learned
from the adage "deny everything not expressly permitted."

  In this case, I submit that it's a BETTER solution to filter by:

   # tr/// takes a plain character list, not a [^...] class; the /c flag
   # complements the list and /d deletes every character not in it.
   tr/A-Za-z0-9_$+=~.,-//cd;

 in which case, you know _exactly_ what characters your program will be
processing and you don't have to worry about extraneous cases like
someone dreaming up some flaw in your script where an unexpected control
character will wreak havoc.

   If you're really paranoid, preface it with something to detect
someone screwing around:

   # Match any single metacharacter: the list must be a character class,
   # and $ and [] need escaping so Perl does not interpolate or nest them.
   if (/[;<>*|`&\$!#()\[\]{}:'"]/) {
        &notify_me("Someone tried to hack us from $ENV{'REMOTE_ADDR'}" .
                   " ($ENV{'REMOTE_HOST'})!  Make a note of it.\n");
        &bitch_at_user();
        exit(0);
   }

   and afterwards, do the same "sanitizing" tr to make sure you didn't let
anything slip.
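To make the difference between the two approaches concrete for the newline case that started this thread, here is an added Python example (not code from this post or from the safe-cgi document): DENYLIST and ALLOWLIST reproduce the two character lists quoted above, the detection step has the newline added to it, and the sample inputs are constructed.

```python
# Added example: denylist vs allowlist filtering of a CGI parameter.
# Character lists are the two quoted in the thread; inputs are constructed.

# safe-cgi's list of shell metacharacters to strip (note: no newline in it)
DENYLIST = frozenset(';<>*|`&$!#()[]{}:\'"/')

# The allowlist from the tr///cd above: anything else is dropped
ALLOWLIST = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$+=~.,"
)


def denylist_strip(value):
    """Remove only the listed metacharacters; a newline survives."""
    return "".join(ch for ch in value if ch not in DENYLIST)


def allowlist_strip(value):
    """Keep only explicitly permitted characters, so newlines and other
    control characters never reach the shell."""
    return "".join(ch for ch in value if ch in ALLOWLIST)


def looks_hostile(value):
    """Detection step from the post, with the newline from this thread
    added: True if the input carries any listed metacharacter or \\n."""
    return any(ch in DENYLIST or ch == "\n" for ch in value)


if __name__ == "__main__":
    # Constructed input: a name, then a newline and a second line
    sample = "alice\nid"
    print(repr(denylist_strip(sample)))   # 'alice\nid' (newline kept)
    print(repr(allowlist_strip(sample)))  # 'aliceid'
    print(looks_hostile(sample))          # True
```

Both filters only matter because the value is handed to a shell; passing it to the program as a separate argument without a shell is the stronger control, with the allowlist as defence in depth.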

   As an aside, much of this is documented quite well in Paul Phillips'
secure-cgi page which you mentioned above.

    -Dave Andersen

--
angio () aros net                Complete virtual hosting and business-oriented
system administration         Internet services.  (WWW, FTP, email)
http://www.aros.net/          http://www.aros.net/about/virtual/
  "There are only two industries that refer to their customers as 'users'."

