
Re: Problems with CGI-programming



In reply to Alexey A. Shelkovich about Problems with CGI-programming

> Would somebody list problems which are connected with CGI
> scripts, the bugs they have, and how to make a CGI script secure
> using the Perl interpreted language?

The problem, as always, is that when running a CGI script your 
server is reacting to some outsider's action. It's a fact that the 
number of bugs increases with the complexity of a program, so CGI 
scripts that do a lot of things, access many files and especially 
call other programs are a real danger on any server.

Interpreted languages are only a danger if you have to execute the 
interpreter and pass the script as a parameter. As perl can accept 
a script from stdin, if the interpreter is in /cgi-bin it's trivial 
to make it execute anything that the user wants. And if you are 
running the server as root, you can kiss your disk goodbye...

The guidelines I use are:

	Make a script do one and only one thing. If that thing
	must be done as root, then DON'T do it at all.

	Don't call any external program, especially any shell.
	Take care with things like $D=`/usr/bin/date`; the
	backticks call sh.
	And never, but never, call any external program with
	parameters read from the user or from hidden fields
	in your html FORM.

For example, if you have a form with something that a customer must 
fill in and you want to send the result by mail to someone, don't 
call mail or sendmail from your script; just save the info in a 
file in some dir and have a daemon (or a cron-started program) 
check that dir from time to time. Even then, don't let this 
"post-office" daemon read any mail address from the file.

Just my 2 cents...


--
|Antonio Vasconcelos @ The Lisbon $tock Exchange            |
|-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --|
|vasco@bvl.pt, postmaster@bvl.pt, webmaster@bvl.pt          |
|http://www.bvl.pt:8080/~vasco   [vasco@individual.eunet.pt]|
|-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --|
|TEL: +351-1-790-9904             Bolsa de Valores de Lisboa|
|FAX: +351-1-795-2026             R. Soeiro Pereira Gomes   |
|http://www.bvl.pt/               1600 LISBOA, PORTUGAL     |
|-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --|
|  All opinions are my own, my employer thinks I'm working  |
 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
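An added example of the "spool it, don't exec it" pattern the post describes; this is illustration code, not the poster's own. It assumes a spool directory /var/spool/webform writable by the web server user, form fields named 'name' and 'message', and the CGI.pm module (core Perl at the time, CPAN today); the cron-side delivery job that owns the hard-coded recipient is not shown.

```perl
#!/usr/bin/perl -T
# Illustration (not the poster's code) of "spool it, don't exec it":
# the CGI never runs a shell, mail or sendmail; it validates the form
# and writes one file into a spool directory that a separate cron job
# later delivers to a hard-coded address. Assumed: /var/spool/webform
# exists and is writable by the web server user; fields 'name', 'message'.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use POSIX qw(strftime);

my $SPOOL = '/var/spool/webform';

# Whitelist every field: only the listed characters, bounded length.
# Under -T, request data stays tainted until it passes a regex capture,
# and Perl refuses to use tainted data in file or process operations.
sub clean_field {
    my ($q, $name, $max) = @_;
    my $v = $q->param($name);
    defined $v or $v = '';
    $v =~ /\A([-\w .,'?!\@]{1,$max})\z/ or die "rejected field '$name'\n";
    return $1;
}

my $q   = CGI->new;
my %rec = (
    name    => clean_field($q, 'name',    60),
    message => clean_field($q, 'message', 1000),
);

# The spool file name is built only from the server clock and our PID,
# never from request data, so the request cannot steer where we write.
my $path = sprintf '%s/%s-%d.msg', $SPOOL,
           strftime('%Y%m%d%H%M%S', gmtime), $$;
sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or die "cannot create spool file: $!\n";
print $fh "$_: $rec{$_}\n" for sort keys %rec;
close $fh or die "write failed: $!\n";

# Nothing in the request decides who receives the mail: the delivery
# job owns the recipient and reads only the body from the spool file.
print $q->header('text/plain'), "Thanks, your message has been queued.\n";
```

The O_EXCL create plus a server-generated name means a concurrent or replayed request can neither overwrite an earlier message nor write outside the spool directory.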


