
Re: Security risks with CGI



At 2:48 AM 3/3/95, Garrett Burke wrote:

> In message <95Mar2.113753+0900_met.63660-3+9@dxal18.cern.ch> you write:
> >See the UNIX-Haters guide for the best summary of UNIX related risks.
> >
> Are you saying that the problems with CGI scripts are general UNIX
> problems, and thus can be tackled as such?
> >               Phill H-B

I think Phill's point was that, due to the extremely general nature of CGI
scripts, any security issue related to general Unix scripting applies to
CGI scripts.

If a CGI script has an eval or backquote into which an arbitrary shell
command can be inserted, then the user can do anything as the www user.  If
your system also has a security hole which allows a non-root user to modify
or break something, then you have a major risk from your CGI scripts.

A recommendation can certainly be made to run taintperl instead of real
perl, and to carefully vet all scripts *before* putting them on the server,
but if you really want an enumeration of security risks of CGI scripts, you
need to enumerate all security risks of any scripts.  Since a script can
have any command in it, you then need to enumerate all security risks of
all commands.

Chris


Chris Garrigues                                                 cwg@DeepEddy.Com
My pgp public key is on my homepage: http://www.DeepEddy.Com/~cwg/
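
The following is an added example, not part of the original message: a sketch of the backquote problem and the taint-checking recommendation, using Perl 5's -T switch (the successor to the separate taintperl binary). The `lookup_unsafe` and `lookup_safe` subs, the `user` parameter, the sample values and the use of /bin/echo as a stand-in command are all assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added illustration; run as: perl -T lookup.pl
use strict;
use warnings;

# Taint mode refuses to start any command until these are under our control.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The pattern the post warns about: the parameter is pasted into a string
# that backquotes hand to /bin/sh. Under -T this dies before the shell runs.
sub lookup_unsafe {
    my ($user) = @_;
    return `echo user: $user`;
}

# Hardened form: allowlist the value, then run the command without a shell.
sub lookup_safe {
    my ($user) = @_;
    # Only a regex capture untaints, so the pattern is the whole policy.
    my ($clean) = $user =~ /\A([A-Za-z0-9_]{1,16})\z/
        or die "rejected user parameter\n";
    # List-form pipe open passes argv straight to exec; nothing is re-parsed.
    open(my $fh, '-|', '/bin/echo', 'user:', $clean) or die "exec failed: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed samples. Appending a zero-length piece of $^X (tainted under -T)
# marks the literals as tainted, the way real request data would be.
my $taint = substr($^X, 0, 0);
for my $user ('cwg' . $taint, 'cwg; id' . $taint) {
    for my $try ([unsafe => \&lookup_unsafe], [safe => \&lookup_safe]) {
        my ($name, $code) = @$try;
        my $out = eval { $code->($user) };
        print "$name('$user'): ", defined $out ? $out : "refused: $@";
    }
}
```

Taint mode stops the backquote call for both samples, including the harmless one, because it tracks where data came from rather than what it contains; the allowlist in `lookup_safe` is what decides which values are acceptable.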



