Solved

security question

Posted on 1998-02-20
Medium Priority
152 Views
Last Modified: 2013-12-25
I once read an article saying that someone can execute shell commands from your CGI script if you do not write the CGI script correctly.

How do I avoid this? I wrote my CGI script in C++ because I do not understand Perl. Does anyone have any security tips for me?

Question by:v5
5 Comments
 
LVL 84

Expert Comment

by:ozo
ID: 1832027
If you create a script like
 system( getenv("QUERY_STRING") );
then someone can execute shell commands from it.
You should be careful to avoid doing things like that.
 
LVL 32

Accepted Solution

by: jhance (earned 200 total points)
ID: 1832028
Security in CGI-BIN programs is tough to ensure.  Go over your program section by section.  Ask yourself, "have I made any assumptions about what the script will receive from the user?"  Think about what will happen when something unexpected comes back from a user.  Too much data, too little data, numbers instead of strings, strings instead of numbers, control characters, punctuation characters, extra arguments, missing arguments.  In general, write a function to verify each piece of data received by your program before operating on it.  Set defaults in your program for each parameter that will be in effect if the data doesn't come back from the browser.

Also, if for some reason you think that your program must run as root, think about it some more.  Don't do it!  It's just too risky.  Find another way.
 

Author Comment

by:v5
ID: 1832029
ozo, I have a question. Here is my insecure code (the name of the executable file is "test"). Using my browser, I typed
www.blablabla.com/cgi-bin/test?date
and nothing happened. Should it print out the date?

#include <iostream.h>
#include <stdlib.h>   /* for system() and getenv() */
int main(void) {
 const char* a = system(getenv("QUERY_STRING"));
 cout << "Content-type: text/html\n\n";
 cout << "<html>";
 cout << a;
 cout << "</html>";
 return(0);
}
 
LVL 84

Expert Comment

by:ozo
ID: 1832030
Probably not, since system returns an int, not a char*.
But
 cout << "Content-type: text/html\n\n";
 cout << "<html>" << flush;
 system(getenv("QUERY_STRING"));
 cout << "</html>";
should print the date.
(and www.blablabla.com/cgi-bin/test?rm* may do other nasty things,
whether or not it prints out anything, which is why you don't want to do this)
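Putting jhance's "verify each piece of data" advice and ozo's warning together, here is an added example (not code from this thread or from either expert) of the shape a safer version of v5's program could take: the query string is checked against a strict character allowlist, the validated token only selects a fixed argv from a table, and that program is run with fork/execv so no shell ever sees user input. The token names, command paths and helper names are assumptions.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Allowlist: short token of [A-Za-z0-9_-] only, nothing a shell could interpret.
bool is_safe_token(const std::string& s, std::string::size_type max_len = 32) {
    if (s.empty() || s.size() > max_len) return false;
    for (char c : s) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

// A validated token only selects a fixed argv; user text never reaches system().
const char* const* lookup_command(const std::string& token) {
    static const char* const date_argv[]   = {"/bin/date", nullptr};     // assumed path
    static const char* const uptime_argv[] = {"/usr/bin/uptime", nullptr}; // assumed path
    if (!is_safe_token(token)) return nullptr;
    if (token == "date")   return date_argv;
    if (token == "uptime") return uptime_argv;
    return nullptr;
}

// Run via fork/execv so /bin/sh is never involved; -1 means the request was rejected.
int run_allowlisted(const std::string& token) {
    const char* const* argv = lookup_command(token);
    if (argv == nullptr) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], const_cast<char* const*>(argv));
        _exit(127);  // exec failed; do not fall back to a shell
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    const char* q = std::getenv("QUERY_STRING");  // "date" for test?date
    std::string token = q ? q : "";
    std::cout << "Content-type: text/html\n\n<html><pre>" << std::flush;
    if (run_allowlisted(token) < 0) std::cout << "request not allowed";
    std::cout << "</pre></html>\n";
}
```

With this shape, test?rm* is rejected by is_safe_token before anything is executed, and even a token that passes the character check can only ever run one of the programs listed in lookup_command.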
 

Author Comment

by:v5
ID: 1832031
Ozo, your answer is great too! I have your grade in my mind. It's a BIG A++!

