Subject: [suse-security] Securing cgi's
From: RoMaN SoFt / LLFB!! (romanmadrid.com)
Date: Mon Dec 18 2000 - 06:39:11 CST


 Hello.

 I've written a little CGI and installed it on a SuSE box. Apache was
disabled. I restarted it, renamed htdocs to htdocs_suse (yes, it's
possible to change the htdocs dir from httpd.conf but I prefer the
former procedure) and created my own htdocs dir. Then I did the same
for the cgi-bin dir (which contained test scripts, PHP included, and
perhaps may be abused with the latest PHP exploit; not checked for it).
I mean, I cleaned out cgi-bin completely and copied my CGI program there.

 I think the machine is secure now, isn't it? (Original SuSE 6.4 with
the above-described changes.)

 Now I want to protect my CGI. Basically it only takes two strings:
one which only contains numbers and another, more generic one (it can
contain ";,|<>"... etc.). I want to correctly (= securely) parse the
variables before using them.

 Which would be the correct regexps?

 The following article:
http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=4
points to several ideas. But I suppose it could miss some common
checks...

 I prefer hearing from you. :-) Thx!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ** RoMaN SoFt / LLFB **
       romanmadrid.com
   http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
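One way to do the two checks asked about above, as an added Python example that is not code from the original post (which does not say what language the CGI is written in): the numeric field is allowlisted with an anchored regexp, the generic field keeps its punctuation but is length-capped and rejected if it carries control bytes, and the value is handed to a child process as a single argv entry so that shell metacharacters are never interpreted. The field names `id` and `name` and the length limits are assumptions.

```python
import re
import subprocess
import sys

# Allowlist patterns (assumed limits; tune them to the real fields).
# fullmatch() anchors both ends; a bare "$" would still accept a
# trailing newline, which is a classic way past "digits only" checks.
NUMERIC_RE = re.compile(r"[0-9]{1,10}")
# Generic field: any printable ASCII (so ; , | < > are allowed), but no
# NUL, newline or other control bytes, and a hard length cap.
GENERIC_RE = re.compile(r"[\x20-\x7e]{1,64}")


def validate_numeric(value):
    """Return the integer value, or None if the field is not pure digits."""
    if value is None or not NUMERIC_RE.fullmatch(value):
        return None
    return int(value)


def validate_generic(value):
    """Return the string unchanged, or None if it fails the allowlist."""
    if value is None or not GENERIC_RE.fullmatch(value):
        return None
    return value


def run_lookup(field):
    """Pass a validated field to an external program without a shell.

    The list form of subprocess.run() puts the value straight into argv,
    so characters like ';' or '|' reach the child as data, not as
    commands. The child here is just Python echoing argv[1] (constructed
    stand-in for a real helper program)."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", field],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def handle_request(form):
    """Validate both fields; reject the whole request if either fails.

    `form` is a dict of already-decoded CGI parameters (constructed)."""
    num = validate_numeric(form.get("id"))
    text = validate_generic(form.get("name"))
    if num is None or text is None:
        return (400, "invalid input")
    return (200, "%d:%s" % (num, run_lookup(text)))
```

Rejecting on failure (rather than stripping "bad" characters and continuing) keeps the check simple to reason about; untrusted input should never reach `os.system`, backticks or a shell-interpreted `open()` at all.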
