[Previous] [Next] [Index]
[Thread]
BoS: CERT Advisory CA-96.11 - Interpreters in CGI bin Directories
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
CERT(sm) Advisory CA-96.11
May 29, 1996
Topic: Interpreters in CGI bin Directories
- -----------------------------------------------------------------------------
Many sites that maintain a Web server support CGI programs. Often these
programs are scripts that are run by general-purpose interpreters, such as
/bin/sh or PERL. If the interpreters are located in the CGI bin directory
along with the associated scripts, intruders can access the interpreters
directly and arrange to execute arbitrary commands on the Web server system.
This problem has been widely discussed in several forums. Unfortunately, some
sites have not corrected it.
The CERT Coordination Center recommends that you never put interpreters in a
Web server's CGI bin directory.
As we receive additional information relating to this advisory, we
will place it in
ftp://info.cert.org/pub/cert_advisories/CA-96.11.README
We encourage you to check our README files regularly for updates on
advisories that relate to your site.
- -----------------------------------------------------------------------------
I. Description
To execute CGI scripts, a Web server must be able to access the
interpreter used for that script. Early documentation for Netscape and
other servers recommended placing the interpreters in the CGI bin
directory to ensure that they were available to run the script.
All programs in the CGI bin directory can be executed with arbitrary
arguments, so it is important to carefully design the programs
to permit only the intended actions regardless of what arguments are
used. This is difficult enough in general, but is a special problem for
general-purpose interpreters since they are designed to execute
arbitrary programs based on their arguments. *All* programs in the
CGI bin directory must be evaluated carefully, even relatively
limited programs such as gnu-tar and find.
Note that the directory for CGI programs is typically called "cgi-bin"
but the server may be configured to use a different name.
II. Impact
If general-purpose interpreters are accessible in a Web server's CGI bin
directory, then a remote user can execute any command the interpreters
can execute on that server.
III. Solution
The solution to this problem is to ensure that the CGI bin directory
does not include any general-purpose interpreters, for example
+ PERL
+ Tcl
+ UNIX shells (sh, csh, ksh, etc.)
A variety of methods can be used to safely install such interpreters;
methods vary depending on the system and Web server involved.
On Unix systems, the location of the interpreter is given on the first
line of the script:
#! /path/to/interpreter
On other systems, such as NT, there is an association between filename
extensions and the applications used to run them. If your Web server
uses this association, you can give CGI scripts an appropriate suffix
(for example, ".pl" for PERL), which is registered to the appropriate
interpreter. This avoids the need to install the interpreter in the
CGI bin directory, thus avoiding the problem.
Check with your Web server vendor for specific information.
Netscape reports that the 2.0 versions of their FastTrack and Enterprise
Servers, (both the current Beta and upcoming final versions), do support
file interpreter associations.
Further reading:
Tom Christiansen has a Web page with details about this problem
and a script that can be used to test for it:
http://perl.com/perl/news/latro-announce.htm
Lincoln Stein's WWW Security FAQ includes a section on "Problems
with Specific Servers," which discusses this and related problems:
http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.htm
- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Lincoln Stein, Tom Christiansen, and the
members of AUSCERT and DFN-CERT for their contributions to the information in
this advisory.
- ---------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).
We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
CERT Contact Information
- ------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMaxzTnVP+x0t4w7BAQETdwP/b33r0mLCZhHJDWeFFYGD7tSfBxgSn+lz
+9YoVJRCR/V54KGvsjN6Wya7rpIjgJRYhLp3B5C/hy9ApYX5ec44AKzYswgcW194
cHyj6bg6qZHEQMRk3R6xsXks19zsvEmN+N7xCJuR8gF1/XEUqY/fSB8xsaLNQ2Cl
ZegRkaV/WUo=
=LwbY
-----END PGP SIGNATURE-----
Follow-Ups: