From: Jay D. Dyson (jdysonTREACHERY.NET)
Date: Wed Apr 04 2001 - 15:25:27 CDT

    On Sun, 4 Mar 2001, Franklin DeMatto wrote:

    > (Recently, after I informed the maker of a very popular CGI about a
    > vulnerability in it, I was told "That's impossible!!! We check the
    > HTTP_REFERER field!" Netcat, anyone? <I guess they don't teach that in
    > CS school. . . > )

            Heh. That's an old trick I always enjoy pulling. Nothing like
    visiting a friend's site and tossing in the HTTP_REFERER as something like
    http://www.fbi.gov/current/list_of_people_to_raid.html. ;)

    > - Allowing creation of (semi-)arbitrary files on server
    > Many CGIs can be used by attackers to create files on the server which
    > they need in order to take advantage of other holes. Be restrictive in the
    > type of files that your CGI creates - the more specific the format, the
    > harder it will be for an attacker to make use of.

            CGIs typically run nobody:other, so if someone can create files,
    then it's not just a CGI problem, but a permissions problem (too many
    world-writable areas).

    > My question for the list is as follows: What did I miss? Most of the
    > real damage in my list can be eliminated with just a few lines of extra
    > code - the major problem being that most CGI programmers don't
    > know/care. But I'm sure there are some other problems, harder to
    > exploit but harder for the programmer to avoid as well, that are out
    > there. Anyone . . . ?

            I didn't see any reference to using PERL taint mode (-T). That
    can be a skin-saver at best, a real security educator at worst. Use of
    taint mode alone covers a *lot* of poor coding practices. As a rule, I
    don't let anything into a cgi-bin directory that doesn't run with -T.
    For the truly paranoid (show of hands here), I also recommend crafting the
    script to independently log the variables passed to it. While Apache does
    do proper logging, it never hurts to have another file by which to compare
    what's getting logged for POST and GET requests.

            I'd also encourage folks to utilize Apache in a chrooted
    environment, which can limit what damage can be done by CGI exploits.

    - -Jay

       ( ______
       )) .--- "There's always time for a good cup of coffee" ---. >===<--.
     C|~~| (>-------- Jay D. Dyson -- jdysontreachery.net --------<) | = |-'
      `--' `There are fates worse than death; most are my hobbies.' `-----'
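As an added illustration (not code from the post or from Jay), here is a small Perl CGI written the way the reply recommends: it runs under -T, keeps its own parameter log to compare against Apache's, records HTTP_REFERER as untrusted client input rather than authorizing on it, and untaints the single parameter it uses in a file name with an allow-list regex so the script can only create one fixed kind of file in one directory. The log and spool paths are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the post. Paths below are assumptions.
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock O_WRONLY O_APPEND O_CREAT);

# Taint mode refuses to run any external command until PATH and friends are clean.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $LOG   = '/var/log/cgi/params.log';  # assumed; owned by the CGI user, mode 0600
my $SPOOL = '/var/spool/cgi';           # assumed; the only directory this CGI writes to

# Independent record of every request (GET or POST), one line per request.
sub log_request {
    my ($cgi) = @_;
    sysopen(my $fh, $LOG, O_WRONLY | O_APPEND | O_CREAT, 0600) or return;
    flock($fh, LOCK_EX);
    my @fields = (scalar localtime, $ENV{REMOTE_ADDR} // '-', $ENV{REQUEST_METHOD} // '-',
                  'referer=' . ($ENV{HTTP_REFERER} // '-'));  # client-supplied, logged only
    for my $name ($cgi->param) {
        # Keep log lines printable so a hostile value cannot forge a line break.
        my $vals = join ',', map { s/[^\x20-\x7e]/?/gr } $cgi->param($name);
        push @fields, "$name=$vals";
    }
    print {$fh} join(' ', @fields), "\n";
    close $fh;
}

# Allow-list untaint: only a short token of safe characters comes out clean.
# Without this, the open() for writing below dies with "Insecure dependency".
sub untaint_token {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return $1;
}

my $q = CGI->new;
log_request($q);
print $q->header('text/plain');

my $id = untaint_token(scalar $q->param('id'));
if (!defined $id) { print "bad id\n"; exit 0 }

# Fixed location, fixed extension, plain text only: nothing an attacker could
# later execute or include, which is the point of being restrictive here.
my $comment = $q->param('comment') // '';
open(my $out, '>>', "$SPOOL/$id.txt") or do { print "cannot save\n"; exit 0 };
print {$out} $comment, "\n";
close $out;
print "saved\n";
```

Note that -T only stops tainted data from reaching file-modifying and command-executing operations; the log writes and the read of the parameters succeed regardless, which is why the allow-list regex is still the script's real control over what gets created.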
