A couple of words about CGI scripts' security
Forms and the authorization of CGI scripts are probably the most important hazard for a web server. In fact, CGI scripts are programs that RUN on your server. The problem is: when a CGI script accepts user input and doesn't check the received information, that information can turn into dangerous COMMANDS, and the server will run them! So beware of free CGI scripts available on the net. Before installing a new CGI script that you don't know, you should check it. Remember these rules:
But first, let's see what kind of hazards ill-intentioned users can cause:
Sendmail and Perl
Ok, suppose you develop a CGI script based service by means of which you allow users to search for information inside a database and receive the results via email (for example new books arrived in your bookstore and available for consultation). To achieve this, your script must build this command:
sendmail -t user@address.com </.newentries
The above command sends the 'newentries' file to a user-specified email address (for example 'user@address.com'). So you build a form with an input field where the user can type his address. Well, the problem is: if your script doesn't check the user's input, an ill-intentioned user could fill out your form like this:
user@address.com </etc/passwd;
What happens? First of all you have to know something: the passwd file is the most wanted Unix file for ill-intentioned users; in fact it contains all the userids and passwords of all users that have an account on the host where your server is running. So, what happens? It's simple: the ill-intentioned user is asking your server: 'please, send the passwd file to my address...thanks...'. But how is that possible? Your script just sends some mail to the specified email addresses... Sure, but your script 'reads' the user input and treats it as an email address. The Perl interpreter hands the command line to a Unix shell, and the shell knows that ';' means end of command, so it understands that it has to perform 2 commands. The original command becomes:
sendmail -t user@address.com </etc/passwd; </.newentries
and the shell started by the Perl interpreter will run:
sendmail -t user@address.com </etc/passwd
</.newentries
Obviously the second command will yield an error, but the first one will run!
Unix shell calls
The Perl interpreter, or even the C language, has functions to perform system calls. In other words your script could perform any command by means of some particular functions, such as system(), popen() or eval(). Use the exec Perl function instead of system().
How can I avoid those problems?
Check the user input. You should allow only numbers and letters, and place a nice '\' before every 'strange' character. For example, the '<' symbol allows redirection, so it is a Unix special character; however, if you put a '\' before it, it becomes just the common less symbol (i.e., it means 'less than').
Avoid the 'eval', 'popen()' and 'system()' functions.
Don't allow Unix shell calls.
Don't install too big CGI scripts (the bigger a program is, the more bugs it contains).
Absolutely don't install unknown CGI scripts (check them before).
Absolutely avoid programs generated automatically at run time (how can you check something that doesn't exist yet?).
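Here is how the sendmail service from the example above looks in Perl, first written the unsafe way the text warns about and then with the two remedies it recommends (check the input, keep the shell out). This is an added example, not code from the original page; the locations of sendmail and of the '.newentries' file are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original page: the sendmail CGI the text
# describes, first the unsafe way, then validated and without a shell.
use strict;
use warnings;

my $SENDMAIL   = '/usr/sbin/sendmail';        # assumed location
my $NEWENTRIES = '/var/www/data/.newentries'; # assumed path of '.newentries'

# UNSAFE: the user's address is pasted into a shell command line, so an
# input like 'user@address.com </etc/passwd;' becomes a second command.
sub mail_unsafe {
    my ($addr) = @_;
    return system("$SENDMAIL -t $addr <$NEWENTRIES");
}

# Check the input: accept only letters, digits and the few punctuation
# marks an address needs. Shell metacharacters (; < > | & ` $ and
# whitespace) cannot pass, and the capture returns a clean copy.
sub clean_address {
    my ($addr) = @_;
    return undef unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A([A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/
        ? $1 : undef;
}

# SAFE: validated address, and no shell at all. The list form of the
# pipe open() hands each argument straight to sendmail, so nothing is
# ever re-parsed as a command; the file is copied to sendmail's stdin
# instead of using the shell's '<' redirection.
sub mail_safe {
    my ($addr) = @_;
    my $clean = clean_address($addr);
    return 'rejected: bad address' unless defined $clean;
    open(my $in, '<', $NEWENTRIES) or return "cannot open $NEWENTRIES: $!";
    open(my $out, '|-', $SENDMAIL, '-t', $clean)
        or return "cannot run sendmail: $!";
    print {$out} $_ while <$in>;
    close $in;
    close $out or return 'sendmail failed';
    return 'sent';
}

# The two inputs discussed in the text: the honest one is accepted, the
# one carrying '</etc/passwd;' is rejected before any command runs.
for my $input ('user@address.com', 'user@address.com </etc/passwd;') {
    printf "%-32s -> %s\n", $input,
        defined clean_address($input) ? 'accepted' : 'rejected';
}
```

The same list-form idea applies to exec(): pass the program and its arguments as separate values, never as one string for a shell to split.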
Copyright (c) 1998-2006 Wowarea