Bugtraq mailing list archives
Re: CGI security: Escape newlines.
From: angio () aros net (Dave Andersen)
Date: Mon, 5 Feb 1996 22:46:38 -0700
Lo and behold, Jennifer Myers once said:
> There is a good set of security guidelines at:
>
>     http://www.cerf.net/~paulp/cgi-security/safe-cgi.txt
>
> That document recommends removing or escaping the following characters in user-supplied data before passing it to a shell:
>
>     ;<>*|`&$!#()[]{}:'"/
>
> There is (at least) one character missing from this list: the newline character. I have never seen the newline character included in a list of metacharacters to filter.

[lossy compression]

> Suggested fix:
>
> Very simple. Add the character \n (the newline character) to the list of characters to REMOVE from user-supplied data before supplying it to a shell in a CGI program.
While there's no doubt that this fix works like a charm for dealing with this particular hole, it seems to perpetuate one "goof" in the way CGI scripts handle input data. There's a very good lesson to be learned from the adage "deny everything not expressly permitted." In this case, I submit that it's a BETTER solution to filter by:

    # c = complement the list, d = delete what matches: everything that is
    # not a letter, digit or one of - _ $ + = ~ . , is removed from $_
    tr/A-Za-z0-9\-_\$+=~.,//cd;

in which case you know _exactly_ what characters your program will be processing, and you don't have to worry about extraneous cases like someone dreaming up some flaw in your script where an unexpected control character will wreak havoc.

If you're really paranoid, preface it with something to detect someone screwing around:

    # any one of the safe-cgi.txt metacharacters in $_ is a sign of tampering
    if (/[;<>*|`&\$!#()\[\]{}:'"]/) {
        &notify_me("Someone tried to hack us from $ENV{REMOTE_ADDR} ($ENV{REMOTE_HOST})!  Make a note of it.\n");
        &bitch_at_user();
        exit(0);
    }

and afterwards do the same "sanitizing" tr to make sure you didn't let anything slip.

As an aside, much of this is documented quite well in Paul Phillips' secure-cgi page which you mentioned above.

-Dave Andersen

--
angio () aros net
Complete virtual hosting and business-oriented system administration Internet services. (WWW, FTP, email)
http://www.aros.net/  http://www.aros.net/about/virtual/
"There are only two industries that refer to their customers as 'users'."
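The two filtering strategies from the exchange above, run against an input that carries a newline, as an added example that is not code from Dave Andersen's post, from Jennifer Myers' post or from safe-cgi.txt. It is written in Python rather than the Perl of the thread so that the denylist and the allowlist can be exercised side by side; the command string, the attacker input and the use of echo as a stand-in for whatever program the CGI really invoked are constructed for the demonstration, and it assumes a POSIX sh on the path.

```python
import re
import subprocess

# Denylist from Paul Phillips' safe-cgi.txt, as quoted in the thread.
SAFE_CGI_DENYLIST = set(";<>*|`&$!#()[]{}:'\"/")

# Allowlist from Dave Andersen's post; Perl equivalent: tr/A-Za-z0-9\-_\$+=~.,//cd
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9\-_$+=~.,]")


def denylist_filter(s, extra=()):
    """Strip the safe-cgi.txt metacharacters, plus any 'extra' ones
    (pass "\\n" to get the fix proposed in the thread)."""
    bad = SAFE_CGI_DENYLIST | set(extra)
    return "".join(ch for ch in s if ch not in bad)


def allowlist_filter(s):
    """Delete everything that is not explicitly permitted."""
    return NOT_ALLOWED.sub("", s)


def run_lookup(user_input):
    """Constructed stand-in for the vulnerable CGI pattern: user data is
    interpolated into a command string that is handed to /bin/sh.
    'echo' plays the role of finger, grep, etc. so the demo is harmless.
    Returns the shell's output lines: one line means one command ran."""
    cmd = "echo " + user_input
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=False)
    return proc.stdout.splitlines()


def denylist_gap():
    """7-bit ASCII characters that survive the denylist even with newline
    added, yet are removed by the allowlist. Backslash, '?' and carriage
    return are among them: a denylist needs another patch for every
    metacharacter someone remembers, an allowlist does not."""
    bad = SAFE_CGI_DENYLIST | {"\n"}
    return {chr(c) for c in range(128)
            if chr(c) not in bad and NOT_ALLOWED.search(chr(c))}


# Constructed attacker input: contains no denylisted character, but the
# embedded newline makes the shell run a second command.
ATTACK = "alice\necho INJECTED"

if __name__ == "__main__":
    print(run_lookup(denylist_filter(ATTACK)))        # two lines: injection succeeded
    print(run_lookup(denylist_filter(ATTACK, "\n")))  # one line: the thread's fix
    print(run_lookup(allowlist_filter(ATTACK)))       # one line: the allowlist
    print(sorted(denylist_gap()))
```

The first call shows the hole Jennifer Myers describes: the denylisted characters are all absent, so the filter changes nothing and sh runs two commands. Adding \n closes that case, while denylist_gap() lists what the patched denylist still lets through; the allowlist rejects all of it without knowing why any of it matters, which is the point of "deny everything not expressly permitted."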
Current thread:
- Re: bind() Security Problems Richard Black (Feb 01)
- Re: bind() Security Problems dsiebert () icaen uiowa edu (Feb 01)
- Re: bind() Security Problems General Scirocco (Feb 01)
- Re: bind() Security Problems Baba Z Buehler (Feb 05)
- passwd command in AIX 4.1.4 Dave Roberts (Feb 05)
- Re: passwd command in AIX 4.1.4 Chris Burris (Feb 05)
- Re: passwd command in AIX 4.1.4 JaDe (Feb 05)
- CGI security: Escape newlines. Jennifer Myers (Feb 05)
- Re: CGI security: Escape newlines. Dave Andersen (Feb 05)
- Re: CGI security: Escape newlines. Fred Cohen (Feb 06)
- [Fwd: HTTPd 1.5a Security Hole!!! (fwd)] Rogue Agent (Feb 06)
- Re: bind() Security Problems General Scirocco (Feb 01)
- Re: bind() Security Problems dsiebert () icaen uiowa edu (Feb 01)
- abuse Red Hat 2.1 security hole David J Meltzer (Feb 02)
- resizecons Red Hat 2.1 security hole David J Meltzer (Feb 02)
- <Possible follow-ups>
- Re: bind() Security Problems Alan Cox (Feb 01)