From: David Cantrell (dcantrell KOKUACOM.COM)
Date: Thu Apr 05 2001 - 10:36:48 CDT
On Sun, Mar 04, 2001 at 11:18:30AM -0500, Franklin DeMatto wrote:
> I'm doing some research on Perl CGI vulnerabilities. Most Perl CGIs seem
> to have some weaknesses, and it's just a matter of manipulating them
> properly to make a proper exploit.
None of the vulnerabilities you point out are Perl-specific.
> By far, the biggest problem is weak (or even no) filtering of form
> fields. It only takes one line (s/\W+//g), yet this is rarely done properly.
That naive search n' destroy would break many perfectly legitimate pieces
of data. For example, post codes (TN39 4AA would be turned into TN394AA
and not recognised by the post office) and street addresses.
> Other problems include:
>
> - Not filtering cookies.
> Very often, CGIs filter fields, but don't realize that cookies must also
> be filtered for evil characters.
There's no such thing as an evil character. There are evil strings of
characters used inappropriately.
> - Allowing creation of (semi-)arbitrary files on server
> Many CGIs can be used by attackers to create files on the server which
> they need in order to take advantage of other holes. Be restrictive in the
> type of files that your CGI creates - the more specific the format, the
> harder it will be for an attacker to make use of.
Or even better, be really paranoid about:
checking the form to make sure you really should create a file;
checking the form to see what to put in the file;
or better still, don't create files at all. Use a database. That way,
whilst an attacker may still be able to get arbitrary data into your
storage if you fail to parse the form data correctly, at least it will
not be possible for an attacker to put their own executables and the
like into your filesystem.
> My question for the list is as follows: What did I miss? Most of the real
> damage in my list can be eliminated with just a few lines of extra code -
> the major problem being that most CGI programmers don't know/care.
It ain't just CGI programmers who don't care about security :-)
-- David Cantrell | dcantrellkokuacom.com | http://www.kokuacom.com
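As an added illustration, not part of either message in the thread, the following Perl script contrasts the quoted `s/\W+//g` one-liner with per-field allowlist validation that leaves legitimate values such as "TN39 4AA" intact while rejecting malformed form fields and cookie values alike. The field rules and sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): why the one-liner s/\W+//g
# silently corrupts legitimate input, and what per-field validation looks like.
# Field rules and sample values below are constructed for illustration.
use strict;
use warnings;

# The naive approach quoted in the thread: strip every non-word character.
sub naive_filter {
    my ($value) = @_;
    $value =~ s/\W+//g;
    return $value;
}

# Per-field allowlists: each field states exactly what it may contain.
# Anchored and length-bounded, so nothing outside the expected shape passes
# and nothing legitimate is mangled.
my %field_rules = (
    # UK postcode shape from the thread: outward code, space, inward code
    postcode => qr/^[A-Z]{1,2}[0-9][A-Z0-9]? [0-9][A-Z]{2}$/,
    # street line: letters, digits, spaces and the punctuation addresses use
    street   => qr/^[A-Za-z0-9 .,'\-]{1,80}$/,
    # session id echoed back in a cookie: hex only, fixed length
    session  => qr/^[0-9a-f]{32}$/,
);

# Returns the value unchanged if it matches its field's rule, undef otherwise.
# Cookie values go through the same table as form fields.
sub validate_field {
    my ($name, $value) = @_;
    my $rule = $field_rules{$name} or die "no rule for field '$name'";
    return (defined $value && $value =~ $rule) ? $value : undef;
}

my @inputs = (
    [ postcode => 'TN39 4AA' ],           # legitimate; s/\W+//g would mangle it
    [ postcode => 'TN394AA' ],            # the mangled form: rejected
    [ street   => "12 St. John's Road" ], # legitimate
    [ session  => 'deadbeef' x 4 ],       # legitimate: 32 hex characters
    [ session  => 'deadbeef; path=/' ],   # cookie with stray delimiter: rejected
);

for my $in (@inputs) {
    my ($name, $value) = @$in;
    my $validated = validate_field($name, $value);
    printf "%-8s %-22s naive=%-18s %s\n", $name, "'$value'",
        "'" . naive_filter($value) . "'", defined $validated ? 'accepted' : 'rejected';
}
```

Note that the naive filter turns the cookie value into `deadbeefpath`, which looks plausible but is wrong, whereas the allowlist simply rejects it.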