Solved

security question

Posted on 1998-02-20
Last Modified: 2013-12-25
I once read an article saying that someone can execute shell commands from your cgi script if you do not write the cgi script correctly.

How can I avoid this? I wrote my cgi script in C++ because I do not understand Perl. Does anyone have any security tips for me?

Question by:v5
5 Comments
 
LVL 84

Expert Comment

by:ozo
ID: 1832027
If you create a script like
 system( getenv("QUERY_STRING") );
then someone can execute shell commands from it.
You should be careful to avoid doing things like that.
 
LVL 32

Accepted Solution

by:
jhance earned 50 total points
ID: 1832028
Security in CGI-BIN programs is tough to ensure.  Go over your program section by section.  Ask yourself, "have I made any assumptions about what the script will receive from the user?"  Think about what will happen when something unexpected comes back from a user.  Too much data, too little data, numbers instead of strings, strings instead of numbers, control characters, punctuation characters, extra arguments, missing arguments.  In general, write a function to verify each piece of data received by your program before operating on it.  Set defaults in your program for each parameter that will be in effect if the data doesn't come back from the browser.

Also, if for some reason you think that your program must run as root, think about it some more.  Don't do it!  It's just too risky.  Find another way.

Author Comment

by:v5
ID: 1832029
ozo, I have a question. Here is my insecure code (the name of the executable file is "test"). Using my browser, I typed
www.blablabla.com/cgi-bin/test?date
and nothing happened. Should it print out the date?

#include <iostream.h>
#include <stdlib.h>   /* declares system() and getenv() */
int main(void) {
 const char* a = system(getenv("QUERY_STRING"));
 cout << "Content-type: text/html\n\n";
 cout << "<html>";
 cout << a;
 cout << "</html>";
 return(0);
}
 
LVL 84

Expert Comment

by:ozo
ID: 1832030
Probably not, since system returns an int, not a char*.
But
 cout << "Content-type: text/html\n\n";
 cout << "<html>" << flush;
 system(getenv("QUERY_STRING"));
 cout << "</html>";
should print the date.
(and www.blablabla.com/cgi-bin/test?rm* may do other nasty things,
whether or not it prints out anything, which is why you don't want to do this)
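As an added example (not code from this thread), here is the shape that jhance's "verify each piece of data" advice and ozo's warning point to in C++: the CGI program accepts only allow-listed action names and runs a fixed argv with execv, so the query string is never handed to /bin/sh. The action names and binary paths are assumptions for a typical POSIX host.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Allow-list: the only actions a request may name, each bound to a fixed
// argv that is executed directly (no shell), so request text never reaches
// a command interpreter. Paths are assumptions for a typical POSIX host.
struct Action { const char* name; const char* argv[3]; };
static const Action kActions[] = {
    { "date",   { "/bin/date", "-u", nullptr } },
    { "uptime", { "/usr/bin/uptime", nullptr, nullptr } },
};

// Exact match against the allow-list; anything else ("date;ls", "rm*",
// an empty string) is rejected and never interpreted.
const Action* lookup_action(const std::string& query) {
    for (const Action& a : kActions)
        if (query == a.name) return &a;
    return nullptr;
}

// Run the fixed argv via fork + execv. system() is deliberately not used
// because it hands its argument to /bin/sh. Returns exit status or -1.
int run_action(const Action& a) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(a.argv[0], const_cast<char* const*>(a.argv));
        _exit(127);  // only reached if exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    const char* qs = std::getenv("QUERY_STRING");
    std::string query = qs ? qs : "";  // default when the browser sends nothing
    std::cout << "Content-type: text/html\n\n<html><pre>" << std::flush;
    const Action* a = lookup_action(query);
    if (!a) std::cout << "unknown action";
    else if (run_action(*a) != 0) std::cout << "action failed";
    std::cout << "</pre></html>\n";
    return 0;
}
```

The flush before the child runs matters for the same reason ozo gives: the child's output goes straight to stdout, so the header must already be out.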

Author Comment

by:v5
ID: 1832031
Ozo, your answer is great too! I have your grade in my mind. It's a BIG A++!
