security question

I once read an article saying that someone can execute shell commands from your CGI script if you do not create the CGI script correctly.

How can I avoid this? I wrote my CGI script in C++ because I do not understand Perl. Does anyone have any security tips for me?

v5 Asked:

ozo Commented:
If you create a script like
 system( getenv("QUERY_STRING") );
then someone can execute shell commands from it.
You should be careful to avoid doing things like that.
0
jhance Commented:
Security in CGI-BIN programs is tough to ensure.  Go over your program section by section.  Ask yourself, "have I made any assumptions about what the script will receive from the user?"  Think about what will happen when something unexpected comes back from a user.  Too much data, too little data, numbers instead of strings, strings instead of numbers, control characters, punctuation characters, extra arguments, missing arguments.  In general, write a function to verify each piece of data received by your program before operating on it.  Set defaults in your program for each parameter that will be in effect if the data doesn't come back from the browser.

Also, if for some reason you think that your program must run as root, think about it some more.  Don't do it!  It's just too risky.  Find another way.
0

v5 Author Commented:
ozo, I have a question. Here is my unsecure code (the name of the executable file is "test"). Using my browser, I typed
www.blablabla.com/cgi-bin/test?date
and nothing happened. Should it print out the date?

#include <iostream.h>
int main(void) {
 const char* a = system(getenv("QUERY_STRING"));
 cout << "Content-type: text/html\n\n";
 cout << "<html>";
 cout << a;
 cout << "</html>";
 return(0);
}  
0
ozo Commented:
Probably not, since system returns an int, not a char*.
But
 cout << "Content-type: text/html\n\n";
 cout << "<html>" << flush;
 system(getenv("QUERY_STRING"));
 cout << "</html>";
should print the date.
(and www.blablabla.com/cgi-bin/test?rm* may do other nasty things,
whether or not it prints out anything, which is why you don't want to do this)


 
0
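
An added example, not part of any answer above and not code from the thread: one way to apply the advice in C++ is to let QUERY_STRING only select among fixed in-process actions, with a default when it is missing, so nothing from the request reaches system(). The action names `date` and `utc` and the 16-character limit are assumptions made for illustration.

```cpp
// Added example, not code from the thread. Action names "date" and "utc" are assumed.
#include <cstdlib>
#include <ctime>
#include <iostream>
#include <string>

enum class Action { LocalDate, UtcDate, Rejected };

// Verify the raw QUERY_STRING before anything acts on it. The value only
// selects one of a fixed set of actions; it is never handed to a shell.
Action parse_action(const char* raw) {
    if (raw == nullptr || *raw == '\0') return Action::LocalDate;  // default when missing
    const std::string q(raw);
    if (q.size() > 16) return Action::Rejected;                    // too much data
    for (unsigned char c : q)
        if (c < 'a' || c > 'z') return Action::Rejected;           // no punctuation, control chars, digits
    if (q == "date") return Action::LocalDate;
    if (q == "utc") return Action::UtcDate;
    return Action::Rejected;                                       // well-formed but unknown
}

// Build the whole CGI response in-process; no system() call is involved.
std::string respond(const char* raw) {
    const Action a = parse_action(raw);
    if (a == Action::Rejected)  // the rejected input is not echoed back
        return "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nunsupported request\n";
    const std::time_t now = std::time(nullptr);
    const std::tm* tm = (a == Action::UtcDate) ? std::gmtime(&now) : std::localtime(&now);
    char buf[32];
    if (tm == nullptr || std::strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", tm) == 0)
        return "Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\nclock error\n";
    return "Content-Type: text/html\r\n\r\n<html>" + std::string(buf) + "</html>\n";
}

int main() {
    std::cout << respond(std::getenv("QUERY_STRING"));
    return 0;
}
```

With this structure a request such as `test?rm*` gets a 400 response and changes nothing on the server, while `test?date` prints the date without starting a shell.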
v5 Author Commented:
Ozo, your answer is great too! I have your grade in my mind. It's a BIG A++!

0