Vulnerability Development mailing list archives

Re: CGI insecurities

From: admin () SUPERDUPS COM (Bill Gilpatric)
Date: Tue, 25 Jan 2000 12:21:50 -0500

What about the defense side of things. If you were to allow only
alphanumberic and selected punctuation characters. i.e. ! . and ?
(exclamation, period and question mark) have you removed the possibility
of creating commands that could be executed?

Mainly I am looking for a rule that would disable any kind of execution
by striping any unacceptable characters from strings sent to the cgi
prior to passing these values on. Is this feasible? What character set
could be considered safe? If this preprocessing step also looked at
string length, is there any room left for exploitation?

Any binary or platform may be referenced in responses. I'm looking for a
generalized rule.

http://www.phrack.com/search.phtml?view&article=p55-7

thats a good article about which characters to strip...it's focus is perl,
but it's applicable to any cgi thats going to be calling another program
with insecure arguments

-Bill

Current thread:

Re: CGI insecurities Dino Dai Zovi (Jan 23)
- <Possible follow-ups>
- Re: CGI insecurities Brooke, O'Neil (Jan 24)
  - Re: CGI insecurities Bill Gilpatric (Jan 25)
- Re: CGI insecurities rain forest puppy (Jan 25)
  - Re: CGI insecurities john (Jan 27)
  - File Share Vacuum Jonas Denily (Jan 27)
    - Re: File Share Vacuum Blue Boar (Jan 27)
    - Re: File Share Vacuum Bjør (Jan 28)
    - Re: File Share Vacuum Dimitry Andric (Jan 30)