Re: CGI security on a shared web server

From: Antonomasia (ant@notatla.demon.co.uk)
Date: 05/28/02 

To: secprog@securityfocus.com
Date: Tue, 28 May 2002 22:26:56 +0100 (BST)
From: ant@notatla.demon.co.uk (Antonomasia)

From: Steffen Dettmer <steffen@dett.de>

> * Kurt Seifried wrote on Thu, May 23, 2002 at 14:05 -0600:
> One possible solution, assuming you need to write the data
> but not read it until later is to encrypt it, generate a
> public/private keypair using pgp/gnupg, load the public key
> onto the server with your app, have it write
> the files after encrypting the data. Thus you can retrieve
> the data (ftp, www, whatever) and then decrypt it at your
> leisure and use it.

> I don't think that this makes things secure. If the web server
> runs as nobody, the CGI script must be executable for nobody. The
> secret key must be reable for nobody. Of course you can protect
  ^^^^^^
I interpreted Kurt's suggestion as meaning only the public key is
available to the CGIs. Collection of generated records (online orders?)
is done by another account on another machine.

> Maybe you should search an ISP that offers i.e. suexec'd CGI
> scripting.

I tend to agree. A book [0] points out that without suEXEC or similar
a buggy CGI might kill the webserver or modify logfiles even if there
are no mutually-hostile CGI authors.

There's nothing to stop you putting -T in your CGI scripts, setuid or not.
If you're feeling ambitious you might jail the CGI and have it talk to
the database or whatever through some sort of IPC application gateway.

0. "Web Servers, Security, & Maintanance", Larson & Stephens, 0-13-022534-7 

--
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################

Relevant Pages

  • dynamic lib ignored even after "found" in "install_driver(Oracle) failed: Cant load..." cgi problem
    ... here's a problem it seems a lot of people are seeing when running a CGI script ... after installing the the sqlplus client on my linux machine (and testing it on the command line, successfully connecting to our oracle db), and then installing the perl moduleneeded to make connections in perl scripts and cgis, i find, like so many others i've seen complain about this, that my cgi script runs fine from the command line, but fails when it is run as a CGI via my machine's apache webserver. ...
    (perl.dbi.users)
  • Re: a short non-working Perl script
    ... and learn the *right* way to write a CGI script in Perl. ... A minor niggle - Perl does not seem to match END_OF_PART2 unless I ... Those four should be in EVERY Perl CGI script you write. ... Get rid of this entire mess and replace with: ...
    (comp.lang.perl.misc)
  • Re: CGI POST problem was: How to read POSTed data
    ... >> how is a multipart POST request parsed by CGIHTTPServer? ... > is passed to the CGI script, which can choose to parse it or not using ... So I have to use that instead of FieldStorage? ...
    (comp.lang.python)
  • RE: Apache, Oracle, Perl DBI Problems
    ... Did you try executing your Perl CGI script from the command line (as ... maybe it's an Apache setup thing rather than a DBI thing. ...
    (perl.dbi.users)
  • Re: How to call an internal CGI subroutine?
    ... > How are subroutines called within a single CGI script? ... > ...etc closing html stuff ... > sub someroutine { ...
    (comp.lang.perl.misc)