
Re: Securing Web Server + CGIs



On Thu, 21 Mar 1996, Pierre-Yves Bonnetain wrote:

>    Server includes are not essential. They allow you to run on-the-fly
> commands, scripts or whatever you like. You should be aware that allowing
> users to run UNIX commands on behalf of the server (as when a server include
> calls a UNIX command and outputs its result) may be _very_ dangerous.
>    My advice is, if you want server includes, limit their use to tricks like
> flastmod, fsize and the like. Not to command execution, that's asking for 
> trouble.

I'd rather not break open a debate on the usefulness of SSIs.  Suffice it
to say that we use them extensively and allow our users to do the same. 
One practical application of SSIs has given all 3600+ web authors of our
17,000 users on our system the option to have their own web access logs
that they maintain:
 
 http://www.teleport.com/learn/webweave/cgi/ssilog.htm

We do NOT, however, allow execution of arbitrary CGI scripts by the users and
practice a policy of "review" for every CGI suggested to us (I'm amazed at
the security holes sometimes present in submissions). By the way, if you're 
still using an older version of NCSA, you may have users on your system 
executing CGIs without you even knowing.  Any user can generally add the 
following to their .htaccess ACF (if you have per directory ACFs 
activated) and mask any CGI as a normal web page.  The logs will show the 
"page" being accessed with NO indication that it is a CGI if cleverly 
hidden by the user:

##  Make all files ending with the suffix .cgi executable CGIs (detectable)
AddType application/x-httpd-cgi cgi
##  Make the script named "index.htm" executable (undetectable in logs)
AddType application/x-httpd-cgi index.htm

At Teleport, we have hacked out the "cmd" option for "exec" so that SSIs
like <!--#exec cmd="ps -aux"--> are NOT allowed while <!--#exec
cgi="/cgi-bin/counter"-->, for example, is allowed.  /cgi-bin/ is the only
directory of executable CGIs and one or two people check everything that
goes in it (We do have a few "trusted" users to whom we have given custom
CGI directories--against my will :) ).  

Most CGI security tutorials suggest disabling the "exec" SSI entirely. 
Although I strongly concur with this recommendation for those who would
rather not risk hacking their own server code, this kills the safer
<!--#exec cgi=""--> option.  "Safer" applies ONLY if the following are
also in place: 

 o significant testing of the server hack to remove the exec "cmd" SSI

 o /cgi-bin/ is the ONLY area on the multi-user server site from which CGI
   scripts can be called

 o one or two qualified people strictly review all CGI scripts installed

Although I have not written the Apache development group, if anyone out 
there in "Apache land" can read this, I'd like to suggest a 
"IncludesExecNoCMD" option for the Apache server conf files.  It is 
simply a matter of wrapping the exec execution line in a condition and 
setting the flag either at HUP time or as a preprocessor conditional at 
compile time. (This way we won't have to hack every new release of Apache).

Server-side includes can be a powerful way to give your users the 
"dynamic" web pages they want.  To do so securely means losing the "exec" 
SSI altogether or hacking out "cmd." Active SSIs also increase the load 
on the web serving machine, but this is an issue for another forum.

Corrections and suggestions are welcome.  :)

Robert Muhlestein
Teleport Creative Services
CGI/Java Guy
cgi@teleport.com
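An added audit script illustrating the two risks the post describes on a multi-user server: per-directory .htaccess files that map a normal-looking file name such as index.htm to the CGI handler (invisible in the access log), and <!--#exec cmd="..."--> directives in users' pages. This is example code written for this page, not Teleport's scripts or any server's own code; the sample document tree it walks is constructed inline, and the file names and paths in it are assumptions.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# AddType directive mapping the CGI handler type to one or more suffixes or file
# names. The NCSA-era syntax in the post takes a bare suffix ("cgi"); later Apache
# releases expect a leading dot (".cgi"), so both spellings are accepted here.
ADDTYPE_RE = re.compile(r'^\s*AddType\s+application/x-httpd-cgi\s+(.+?)\s*$', re.IGNORECASE)

# SSI exec directive; group 1 tells the dangerous "cmd" form from the "cgi" form.
EXEC_RE = re.compile(r'<!--\s*#exec\s+(cmd|cgi)\s*=\s*"([^"]*)"\s*-->', re.IGNORECASE)


def audit_htaccess(text: str) -> List[str]:
    """Return every suffix or file name this .htaccess maps to the CGI handler."""
    found: List[str] = []
    for line in text.splitlines():
        m = ADDTYPE_RE.match(line)          # comment lines (##) never match
        if m:
            found.extend(m.group(1).split())
    return found


def audit_ssi(text: str) -> List[Tuple[str, str]]:
    """Return (form, target) for every <!--#exec ...--> directive in an HTML file."""
    return [(m.group(1).lower(), m.group(2)) for m in EXEC_RE.finditer(text)]


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk a document root and report:
    - masked_cgi: CGI handler mappings other than the expected "cgi" suffix
      (a script served as index.htm leaves no trace of being a CGI in the log)
    - exec_cmd: #exec cmd= directives, which run shell commands as the server user
    - exec_cgi: #exec cgi= directives, listed so the reviewer can check the target
    """
    report: Dict[str, List[str]] = {"masked_cgi": [], "exec_cmd": [], "exec_cgi": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for target in audit_htaccess(text):
                    if target.lstrip(".") != "cgi":
                        report["masked_cgi"].append(f"{path}: {target}")
            elif name.lower().endswith((".htm", ".html", ".shtml")):
                for form, target in audit_ssi(text):
                    report["exec_" + form].append(f"{path}: {target}")
    return report


# Constructed sample tree (assumed layout, not a real site): one user masks a CGI as
# index.htm, one uses both exec forms, one uses only the harmless flastmod include.
SAMPLE_FILES = {
    "users/alice/.htaccess": (
        "##  Make all files ending with the suffix .cgi executable CGIs\n"
        "AddType application/x-httpd-cgi cgi\n"
        "AddType application/x-httpd-cgi index.htm\n"
    ),
    "users/alice/index.htm": "#!/bin/sh\necho Content-type: text/plain\necho\nid\n",
    "users/bob/page.shtml": (
        '<html><!--#exec cmd="ps -aux"-->'
        '<!--#exec cgi="/cgi-bin/counter"--></html>\n'
    ),
    "users/carol/page.shtml": '<html><!--#flastmod file="page.shtml"--></html>\n',
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="ssi-audit-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree and audit it; returns the report for inspection."""
    return audit_tree(build_sample_tree())


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Run it against a real document root by calling audit_tree() on the users' web directory; anything under masked_cgi or exec_cmd is what the post warns about, and exec_cgi entries should all point into the single reviewed /cgi-bin/ directory. Apache's `Options IncludesNOEXEC` disables both forms of `#exec` outright, which is the simpler route where the `#exec cgi` form is not needed.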

