Subject: Re: [suse-security] Securing cgi's
From: Thomas Biege (thomassuse.de)
Date: Mon Dec 18 2000 - 07:13:45 CST


> Now I want to protect my CGI. Basically it only takes two strings:
> one which only contains numbers and other more generic (it can contain
> ";,|<>"... etc). I want to correctly (=secure) parse the variables

These chars interact with the shell; that's bad.
So, don't use shell scripting for your CGI.
If you use Perl or C, then avoid using
- eval()
- $()
- `` Backticks
- system()
- popen()
- open()
- <> (perl file globbing)
- glob() (perl)
and everything else, that uses the shell.

I hope that I didn't miss something. :-)

Bye,
     Thomas

--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  Email: thomassuse.de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
   Key fingerprint = 09 48 F2 FD 81 F7 E7 98  6D C7 36 F1 96 6A 12 47
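
An added C example illustrating the advice above; it is not part of Thomas's mail nor any SuSE code. It parses the two fields the original poster described (a numeric one and a free-form one that may contain ";,|<>"), validates the numeric one strictly, and, if an external program is really needed, runs it with fork()/execv() and an argv array instead of system() or popen(), so no shell ever sees the data. The field names "num" and "text", the length limits and the sample QUERY_STRING are assumptions made up for the example.

```c
/* Added example (not from the original mail): parse a two-field CGI query
 * in C without ever touching the shell.  Field names "num" and "text" and
 * the length limits are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NUM_LEN  10   /* assumed: enough for a 32-bit value */
#define MAX_TEXT_LEN 256  /* assumed: cap on the free-form field */

/* Percent-decode one CGI value into out (also '+' -> ' ').
 * Returns 0 on success, -1 on a malformed escape or overflow;
 * on failure the contents of out are unspecified. */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], 0 };
            c = (unsigned char)strtoul(hex, NULL, 16);
            in += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= outlen)
            return -1;            /* no room for c plus the terminator */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Strict numeric check: non-empty, every byte a digit, bounded length.
 * (A plain atoi() would happily accept "12; rm -rf /".) */
int is_all_digits(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_NUM_LEN)
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Split "num=...&text=..." (any order), decode and validate both fields.
 * Returns 0 on success, -1 if either field is missing or invalid. */
int parse_query(const char *qs, char *num, size_t numlen,
                char *text, size_t textlen)
{
    int have_num = 0, have_text = 0;
    char *copy = strdup(qs), *save = NULL;
    if (!copy)
        return -1;
    for (char *pair = strtok_r(copy, "&", &save); pair;
         pair = strtok_r(NULL, "&", &save)) {
        char *eq = strchr(pair, '=');
        if (!eq)
            continue;
        *eq = '\0';
        if (strcmp(pair, "num") == 0)
            have_num = (url_decode(eq + 1, num, numlen) == 0) && is_all_digits(num);
        else if (strcmp(pair, "text") == 0)
            have_text = (url_decode(eq + 1, text, textlen) == 0);
        /* unknown fields are ignored */
    }
    free(copy);
    return (have_num && have_text) ? 0 : -1;
}

/* If an external program is really needed: fork + execv with an argv
 * array.  No shell is involved, so ";|<>&`$" in arg are just bytes.
 * Returns the child's exit status, or -1 on fork/exec/wait failure. */
int run_without_shell(const char *prog, const char *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)prog, (char *)arg, NULL };
        execv(prog, argv);  /* not system(), not popen(), not "/bin/sh -c" */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample QUERY_STRING with shell metacharacters in "text" */
    const char *qs = "num=42&text=hello%3B+rm+-rf+%2F+%7C+id";
    char num[MAX_NUM_LEN + 1], text[MAX_TEXT_LEN + 1];
    if (parse_query(qs, num, sizeof num, text, sizeof text) != 0) {
        fputs("bad request\n", stderr);
        return 1;
    }
    printf("num=%s text=[%s]\n", num, text);
    return run_without_shell("/bin/echo", text) == 0 ? 0 : 1;
}
```

The point of the split is that the free-form field never needs to be "cleaned": it is only dangerous if it reaches a shell, and with execv() it is handed to the child as one argv element, metacharacters and all. The numeric field, on the other hand, is cheap to whitelist, so it is rejected outright unless it is purely digits of bounded length.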
