Re: Securing Web Server + CGIs
On Thu, 21 Mar 1996, Pierre-Yves Bonnetain wrote:
> Server includes are not essential. They allow you to run on-the-fly
> commands, scripts or whatever you like. You should be aware that allowing
> users to run UNIX commands on behalf of the server (as when a server include
> calls a UNIX command and outputs its result) may be _very_ dangerous.
> My advice is, if you want server includes, limit their use to tricks like
> flastmod, fsize and the like. Not to command execution, that's asking for
> trouble.
I'd rather not break open a debate on the usefulness of SSIs. Suffice it
to say that we use them extensively and allow our users to do the same.
One practical application of SSIs has given all 3600+ web authors of our
17,000 users on our system the option to have their own web access logs
that they maintain:
http://www.teleport.com/learn/webweave/cgi/ssilog.htm
We do NOT, however, allow execution of arbitrary CGI scripts by the users and
practice a policy of "review" for every CGI suggested to us (I'm amazed at
the security holes sometimes present in submissions). By the way, if you're
still using an older version of NCSA, you may have users on your system
executing CGIs without you even knowing. Any user can generally add the
following to their .htaccess ACF (if you have per-directory ACFs
activated) and mask any CGI as a normal web page. The logs will show the
"page" being accessed with NO indication that it is a CGI if cleverly
hidden by the user:
## Make all files ending with the suffix .cgi executable CGIs (detectable)
AddType application/x-httpd-cgi cgi
## Make the script named "index.htm" executable (undetectable in logs)
AddType application/x-httpd-cgi index.htm
At Teleport, we have hacked out the "cmd" option for "exec" so that SSIs
like <!--#exec cmd="ps -aux"--> are NOT allowed while
<!--#exec cgi="/cgi-bin/counter"-->, for example, is allowed. /cgi-bin/ is the only
directory of executable CGIs and one or two people check everything that
goes in it (We do have a few "trusted" users to whom we have given custom
CGI directories--against my will :) ).
Most CGI security tutorials suggest disabling the "exec" SSI entirely.
Although I strongly concur with this recommendation for those who would
rather not risk hacking their own server code, this kills the safer
<!--#exec cgi=""--> option. "Safer" applies ONLY if the following are
also in place:
o significant testing of the server hack to remove the exec "cmd" SSI
o /cgi-bin/ is the ONLY area on the multi-user server site from which CGI
scripts can be called
o one or two qualified people strictly review all CGI scripts installed
Although I have not written the Apache development group, if anyone out
there in "Apache land" can read this, I'd like to suggest a
"IncludesExecNoCMD" option for the Apache server conf files. It is
simply a matter of wrapping the exec execution line in a condition and
setting the flag either at HUP time or as a preprocessor conditional at
compile time. (This way we won't have to hack every new release of Apache).
Server-side includes can be a powerful way to give your users the
"dynamic" web pages they want. To do so securely means losing the "exec"
SSI altogether or hacking out "cmd." Active SSIs also increase the load
on the web serving machine, but this is an issue for another forum.
Corrections and suggestions are welcome. :)
Robert Muhlestein
Teleport Creative Services
CGI/Java Guy
cgi@teleport.com
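Added here as an illustration, not part of the original mail nor of any server code from Teleport or NCSA/Apache: a small Python audit that scans a per-directory ACF for AddType lines that hand ordinary page names to the CGI handler (the masked-CGI trick described above) and scans HTML for "exec" SSIs, separating the cmd form from the cgi form. The sample .htaccess and HTML inputs are constructed from the post's own examples; the regexes and the classification rule are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample ACF, modelled on the two AddType lines quoted in the post.
SAMPLE_HTACCESS = """\
## Make all files ending with the suffix .cgi executable CGIs (detectable)
AddType application/x-httpd-cgi cgi
## Make the script named "index.htm" executable (undetectable in logs)
AddType application/x-httpd-cgi index.htm
AddType text/plain txt
"""

# Constructed sample page containing both flavours of the exec SSI.
SAMPLE_HTML = """\
<html><body>
<!--#flastmod file="index.htm"-->
<!--#exec cgi="/cgi-bin/counter"-->
<!--#exec cmd="ps -aux"-->
</body></html>
"""

ADDTYPE_RE = re.compile(r"^\s*AddType\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)
EXEC_RE = re.compile(r'<!--#exec\s+(cmd|cgi)\s*=\s*"([^"]*)"\s*-->', re.IGNORECASE)
PAGE_SUFFIXES = {"htm", "html", "shtml"}  # assumption: suffixes a log reader takes for plain pages


def cgi_addtype_findings(htaccess: str) -> List[Tuple[int, str, str]]:
    """Return (line number, target, kind) for each AddType that maps the CGI handler.
    'declared' = the conventional bare .cgi suffix (visible in logs);
    'masked'   = a full filename or an ordinary page suffix (looks like a page)."""
    findings = []
    for n, line in enumerate(htaccess.splitlines(), 1):
        m = ADDTYPE_RE.match(line)
        if not m or m.group(1).lower() != "application/x-httpd-cgi":
            continue
        for target in m.group(2).split():
            ext = target.lstrip(".").lower()
            masked = "." in ext or ext in PAGE_SUFFIXES or ext != "cgi"
            findings.append((n, target, "masked" if masked else "declared"))
    return findings


def exec_ssi_findings(html: str) -> List[Tuple[str, str]]:
    """Return (form, argument) for every <!--#exec ...--> in the page.
    Entries whose form is 'cmd' are the shell-execution case the post removes."""
    return [(form.lower(), arg) for form, arg in EXEC_RE.findall(html)]


if __name__ == "__main__":
    print(cgi_addtype_findings(SAMPLE_HTACCESS))
    print([f for f in exec_ssi_findings(SAMPLE_HTML) if f[0] == "cmd"])
```

Run against the directory tree of user home pages, the "masked" entries and the "cmd" directives are the ones worth a look from whoever reviews CGIs.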