
RE: cgi communication



This falls more into the comp.infosystems.www.authoring.cgi arena, but
the security aspect of your question is pertinent.  I have also
encountered this problem, and have been able to work around it, though no
solution I have seems.  The basic problem that you describe is making
sure one program is not called alone, but only by the first program.  A
couple things:

1. Hidden form elements aren't much help, because the html doc source can
be displayed and the form elements seen for easy spoofing.

2. Netscape issues that warning because of the way your browser is
configured.  By default, it tells you when you are sending form traffic
across a network without encryption (SSL, SHTTP, etc.) so that if you are
sending credit card numbers you know the possibility exists for
interception of your data in "clear" format.

One possible solution is for you to write individual forms on the fly
with a script, each with a random key input field.  In essence:

1. When people want your first form, they click a link that launches a
script.
2. When executed, the script generates a random number, creates an empty
lock file with the random number in a special, set-aside directory like
/lockfiles (example: /lockfiles/23432142212.lock.txt) and then writes
back a form, with a hidden form element:
<input name=lockkey type=hidden value="23432142212">
and then the rest of the form.
3. The user fills out the form and clicks submit.
4. The form data is sent to script2.  Script2 receives the value for
lockkey, adds /lockfiles/ to the beginning and .lock.txt to the end
(further security enhancement, for what it is worth) and checks to make
sure it is in that directory.  If it is, it removes the file and
executes.  If it is not, then it tells the user the file must be executed
from the previous form.

In this manner, only script1 can create the file that script2 checks
for.  Security concerns doing this (that I have come up with, anyway, I
am sure there are others) include:

1. It is important to hardcode the directory to be checked into the
source for script2.  This is so a user can't dump the form, and send any
file to the script2 that they know exists, such as /etc/passwd.

2. The directory specified in script2 should have permissions set so that
only the user that the server runs as (and executes scripts as) has
read/write access.

3. Do not place the directory anywhere in the document root of the server
or allow its location to get out, or someone could try to figure out what
is in the directory currently and use them, or write their own files into
it and use those.

4. Make sure no other programs (web or otherwise) write files to that
directory.

5. Use cron to clean out the directory for files older than a couple of
hours (for those who bring up form1, but don't submit it).

I know this sounds extreme, but since you posted your question here, I am
assuming that security is a major concern.  I'm *NOT* a security expert
by any means, just a simple web guy, and there may be aspects of the
above that have huge security holes, but there it is for what it is
worth.

Other things to be aware of:

1. Netscape is implementing "livescript", allowing scripting inside the
html document.  If you want to be proprietary :( then you can use one of
the object methods that should be implemented soon (if it is not already)
that reads what url brought you to this page.  You can then check
that to see if they came from your previous form and if not, disable all
form elements (another feature of livescript).  Only Netscape 2.0
understands livescript tags, so this probably won't be a good idea
unless you know everyone who hits your page is using Netscape 2.0, or
livescript is somehow incorporated into HTML 3.0 aka HTML+ (the draft of
which recently expired).

2. If you have usenet access (or web: www.dejanews.com), take a look at:
comp.infosystems.www.authoring.*

Anyhow, hope this helps. Good luck!

Rich
rich.schramm@nasd.com
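The lock-file scheme from the reply above, worked through in Python as an added example (not code from the post or its author): script1's key issuance, script2's check-and-remove, and the cron-style cleanup. The directory name, the 20-digit key format and the function names are assumptions; the one addition to the post's design is that script2 validates the key against a strict pattern before it is ever joined to the directory, so concern 1 is enforced in code rather than only by hardcoding the path.

```python
import os
import re
import secrets
import tempfile
import time

# Stand-in for the post's /lockfiles: hard-coded in script2, never taken from
# the request (concern 1), and kept outside the document root (concern 3).
LOCK_DIR = os.path.join(tempfile.gettempdir(), "lockfiles_example")
MAX_AGE_SECONDS = 2 * 60 * 60          # concern 5: a couple of hours
KEY_RE = re.compile(r"[0-9]{20}")      # a key is exactly 20 digits, nothing else
SUFFIX = ".lock.txt"

def ensure_lock_dir():
    # Only the server user may read or write here (concern 2).
    os.makedirs(LOCK_DIR, mode=0o700, exist_ok=True)

def issue_key():
    """script1: mint a random key and create the matching empty lock file."""
    ensure_lock_dir()
    key = str(secrets.randbelow(10 ** 20)).zfill(20)
    with open(os.path.join(LOCK_DIR, key + SUFFIX), "x"):  # "x": fail loudly on collision
        pass
    return key

def consume_key(key):
    """script2: accept the submission only if the key names an unconsumed lock
    file, then remove the file so the key is single-use (step 4)."""
    if not KEY_RE.fullmatch(key):
        return False        # rejects "../../etc/passwd" before any path is built
    try:
        os.remove(os.path.join(LOCK_DIR, key + SUFFIX))
    except FileNotFoundError:
        return False        # never issued, already used, or expired
    return True

def expire_stale_keys(max_age_seconds=MAX_AGE_SECONDS):
    """Cron-style cleanup of keys whose form was fetched but never submitted."""
    ensure_lock_dir()
    now = time.time()
    removed = 0
    for name in os.listdir(LOCK_DIR):
        path = os.path.join(LOCK_DIR, name)
        if name.endswith(SUFFIX) and now - os.path.getmtime(path) > max_age_seconds:
            os.remove(path)
            removed += 1
    return removed
```

script1 would emit `<input name=lockkey type=hidden value="...">` with the value from `issue_key()`; script2 calls `consume_key()` on the submitted value and proceeds only when it returns True.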

 ----------
From:  owner-www-security[SMTP:owner-www-security@ns2.rutgers.edu]
Sent:  Saturday, December 02, 1995 12:10 PM
Cc:  www-security; www-security
Subject:  Re: cgi communication


Hello,

I would like to know if there is any method to pass information
between cgi scripts.  Here is what I want to do:

Script A asks for a password.  If the password is ok, script A issues an
HTML document that will contain a form.  If you press the `submit'
button on that form, script B will get called.

Both A and B are in the /cgi-bin directory.  I don't want to let
people call B directly.  Is there any way to communicate between
cgi scripts ?  I think A should pass the password to B, B checks it
again, and so on.  Is this correct ?

However, I don't want to allow people to see the information passed
to B.  It seems that netscape displays the URI, including the password
fields, when using method="GET".  If I use method="POST" the URI is no
longer displayed, but netscape issues a warning saying that the
information I am submitting can be intercepted by a third party.

I also don't want people to call B directly and supply the appropriate
fields.  I want to make sure B is called only as a result of success
in A.

Do you think "hidden" form fields will do the job ?

Why does netscape issue that warning ?

Thanks,
Tudor