Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 155
  • Last Modified:

security question

I have ever read an article that someone can execute the shell command from your cgi script if you do not create the cgi script correctly.

How to avoid this? I wrote my cgi script using c++ because I do not understand Perl. Anyone has any security tip for me?

0
v5
Asked:
v5
  • 2
  • 2
1 Solution
 
ozoCommented:
If you create a script like
 system( getenv("QUERY_STRING") );
then someone can execute shell command from it.
You should be careful to avoid doing things like that.
0
 
jhanceCommented:
Security in CGI-BIN programs is tough to ensure.  Go over your program section by section.  Ask yourself, "have I made any assumptions about what the script will receive from the user?"  Think about what will happen when something unexpected comes back from a user.  Too much data, too little data, numbers instead of strings, strings instead of numbers, control characters, punctuation characters, extra arguments, missing arguments.  In general, write a function to verify each piece of data received by your program before operating on it.  Set defaults in your program for each parameter that will be in effect if the data doesn't come back from the browser.

Also, if for some reason you think that your program must run as root, think about it some more.  Don't do it!  It's just too risky.  Find another way.
0
 
v5Author Commented:
ozo, I have a question. Here is my unsecure code (the name of the executable file is "test"). Using my browser, I typed
www.blablabla.com/cgi-bin/test?date
and nothing happened. Should it print out the date?

#include <iostream.h>
int main(void) {
 const char* a = system(getenv("QUERY_STRING"));
 cout << "Content-type: text/html\n\n";
 cout << "<html>";
 cout << a;
 cout << "</html>";
 return(0);
}  
0
 
ozoCommented:
Probably not, since system returns an int, not a char*.
But
 cout << "Content-type: text/html\n\n";
 cout << "<html>" << flush;
 system(getenv("QUERY_STRING"));
 cout << "</html>";
should print the date.
(and www.blablabla.com/cgi-bin/test?rm* may do other nasty things,
whether or not it prints out anything, which is why you don't want to do this)


 
0
 
v5Author Commented:
Ozo, your answer is great too! I have your grade in my mind. It's BIG A++ !

0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now