Re: CGI security on a shared web server (fwd)

From: Lee E. Brotzman (leb@gmss.com)
Date: 05/25/02


To: secprog@securityfocus.com
Date: Sat, 25 May 2002 11:20:32 -0400
From: "Lee E. Brotzman" <leb@gmss.com>

On Fri, 24 May 2002 18:38:42 BST, Glynn Clements said:
> I don't know about other Unices, but Linux deliberately doesn't
> support setuid scripts (a wise move, IMHO). Perl attempts to
> re-introduce the problem via the setuid "suidperl" binary, but many
> sysadmins will disable that (again, a wise move, IMHO).

Sorry, that was bad nomenclature on my part. When I say "CGI script" I really
mean "CGI program". I guess I'm just old school and they've always been "CGI
scripts" to me, even though I've never written a shell script for CGI.

I write almost all my CGI in Perl and indeed the setuid Perl scripts are run by
suidperl. This gives me the "taint" feature whereby I must untaint any user
input -- a good feature, but certainly no cure-all. You can always untaint
anything by just matching it to the regexp "/^.*$/". For a client, I developed
an Untaint library that has regexps for checking phone numbers, file names
(only allowing alphanumerics and decimals), file paths (checking that all
directories in the path exist and are readable), 7-bit clean, and other special
cases -- even the "match anything" test (I call that method
Untaint::StillNotSafe).

Note that if you use suEXEC to invoke a setuid Perl script, you will lose the
tainted-data feature. Another reason I don't like suEXEC. I'd prefer the
script bombs if I try to use untested external data.

-- 
-- Lee E. Brotzman                    E-mail: leb@gmss.com
-- Allied Technology Group            Phone : 814-861-5028
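The taint-mode workflow and the kind of Untaint helpers described in the message above, as an added example that is not Lee's library or any code from the original post. Every name here (the `untaint_*` routines, the sample input values) is invented for illustration. Two facts it relies on: Perl turns taint checks on automatically when it finds itself running with differing real and effective UID/GID (the suidperl case), and they can also be requested explicitly with the `-T` switch on the `#!` line; and the only way tainted data loses its taint is by being captured in a regexp, which is exactly why a `/^(.*)$/` "untaint" is no check at all.

```perl
#!/usr/bin/perl -T
# Added example (not the author's Untaint library): a few untaint_* helpers
# in the same spirit, run under taint mode.  All names here are invented.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T the only way data loses its taint is by being captured by a
# regexp, so each helper returns a capture ($1) or undef on rejection.

# Ten-digit phone number with optional parentheses and separators;
# returns the bare digits.
sub untaint_phone {
    my ($s) = @_;
    return unless defined $s;
    return $s =~ /^\(?(\d{3})\)?[-.\s]?(\d{3})[-.\s]?(\d{4})$/ ? "$1$2$3" : undef;
}

# File name: alphanumerics and dots only, starting with an alphanumeric,
# so dotfiles, "..", and anything containing "/" are rejected.
sub untaint_filename {
    my ($s) = @_;
    return unless defined $s;
    return $s =~ /^([A-Za-z0-9][A-Za-z0-9.]*)$/ ? $1 : undef;
}

# Absolute directory path: every component must exist, be a directory and
# be readable; "." and ".." components are rejected outright.
sub untaint_dirpath {
    my ($s) = @_;
    return unless defined $s && $s =~ m{^(/(?:[A-Za-z0-9_.-]+/?)*)$};
    my $path  = $1;
    my @parts = grep { length } split m{/}, $path;
    return if grep { $_ eq '.' || $_ eq '..' } @parts;
    my $prefix = '';
    for my $part (@parts) {
        $prefix .= "/$part";
        return unless -d $prefix && -r $prefix;
    }
    return $path;
}

# Printable 7-bit ASCII plus tab: rejects NUL, other controls and high bytes.
sub untaint_7bit {
    my ($s) = @_;
    return unless defined $s;
    return $s =~ /^([\x09\x20-\x7E]*)$/ ? $1 : undef;
}

# The "match anything" escape hatch.  It makes taint checks go quiet without
# checking anything, so the result is exactly as dangerous as the input.
sub untaint_still_not_safe {
    my ($s) = @_;
    return unless defined $s;
    return $s =~ /^(.*)$/s ? $1 : undef;
}

# Constructed sample input.  Concatenating a zero-length slice of %ENV
# (which is tainted under -T) gives these literals the taint a CGI parameter
# read from QUERY_STRING or STDIN would carry.
my $taint = substr($ENV{PATH} // '', 0, 0);
my %input = (
    phone => $taint . '(555) 010-0123',
    name  => $taint . '../etc/passwd',
    dir   => $taint . '/tmp',
    text  => $taint . "hello\x00world",
);

sub show {
    my ($label, $v) = @_;
    my $shown = defined $v ? $v : 'REJECTED';
    $shown =~ s/[^\x20-\x7E]/?/g;    # keep the terminal tidy
    printf "%-16s %-20s tainted=%d\n", $label, $shown,
        (defined $v && tainted($v)) ? 1 : 0;
}

show('phone',          untaint_phone($input{phone}));          # 5550100123, untainted
show('filename',       untaint_filename($input{name}));        # REJECTED
show('dirpath',        untaint_dirpath($input{dir}));          # /tmp, untainted
show('7bit',           untaint_7bit($input{text}));            # REJECTED (NUL byte)
show('still_not_safe', untaint_still_not_safe($input{name}));  # ../etc/passwd, untainted!

# Using the raw, still-tainted value in an "insecure" operation is fatal
# under -T; perl dies before touching the filesystem.
eval { unlink $input{name}; 1 } or print "unlink refused: $@";
```

Run it as `perl -T untaint_demo.pl` (with `-T` on the `#!` line, a plain `perl untaint_demo.pl` aborts with "Too late for -T"). The last line prints an "Insecure dependency in unlink" message: that is the "script bombs" behaviour the message above prefers, and it only happens because the value was never passed through a capture. The `still_not_safe` line shows the other side of the same rule: the traversal string comes back untainted and would sail through that `unlink` unchallenged.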
