[502] in WWW Security List Archive

Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (Chris Garrigues)
Fri Mar 3 20:23:26 1995

Date: Fri, 3 Mar 1995 13:33:47 -0600
To: Garrett Burke <gburke@dsg.cs.tcd.ie>,
        "Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch>
From: cwg@DeepEddy.Com (Chris Garrigues)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

At 2:48 AM 3/3/95, Garrett Burke wrote:

> In message <95Mar2.113753+0900_met.63660-3+9@dxal18.cern.ch> you write:
> >See the UNIX-Haters guide for the best summary of UNIX related risks.
> >
> Are you saying that the problems with CGI scripts are general UNIX
> problems, and thus can be tackled as such?
> >               Phill H-B

I think Phill's point was that, due to the extremely general nature of CGI
scripts, any security issue related to general Unix scripting applies to
CGI scripts.

If a CGI script has an eval or backquote into which an arbitrary shell
command can be inserted, then the user can do anything as the www user.  If
your system also has a security hole which allows a non-root user to modify
or break something, then you have a major risk from your CGI scripts.

A recommendation can certainly be made to run taintperl instead of real
perl, and to carefully vet all scripts *before* putting them on the server,
but if you really want an enumeration of security risks of CGI scripts, you
need to enumerate all security risks of any scripts.  Since a script can
have any command in it, you then need to enumerate all security risks of
all commands.

Chris


Chris Garrigues                                                 cwg@DeepEddy.Com
My pgp public key is on my homepage: http://www.DeepEddy.Com/~cwg/
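The two things the message above points at, a backquote that interpolates client input and the taintperl recommendation, side by side. This is an added example and not code from Chris's message or from any project; it assumes a modern perl (5.10 or later, so taint mode is the `-T` switch rather than a separate taintperl binary), a CGI query string of the form `user=<name>`, and a hypothetical local command `/usr/bin/lookup` that takes one user name as its argument.

```perl
#!/usr/bin/perl -T
# Added example, not part of the original message: the backquote/eval
# injection pattern the thread describes, next to a version written to run
# under Perl's taint mode (the modern form of taintperl, enabled with -T).
# Assumptions: the script is invoked as a CGI with a query string like
# "user=<name>", and /usr/bin/lookup is a hypothetical local command that
# takes a user name as its single argument.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to spawn a subprocess while PATH (or the other
# variables a shell reads at startup) could have been chosen by the caller.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Minimal query-string parser. Everything it returns stays tainted because
# the bytes came from %ENV, i.e. from the remote client.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /&/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        for ($k, $v) {
            next unless defined;
            s/\+/ /g;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        $param{$k} = $v // '';
    }
    return \%param;
}

# The pattern the message warns about: the client's value is interpolated
# into a backquoted command line, so the shell, not this script, decides
# what gets executed. Under -T perl dies with "Insecure dependency" here
# before anything runs, which is exactly why taintperl was recommended.
sub lookup_unsafe {
    my ($user) = @_;
    return `/usr/bin/lookup $user`;
}

# Untainting: match against an allow-list of characters and keep only the
# captured group. A regex capture is the only thing that clears the taint
# flag, so a forgotten check shows up as a fatal error, not as a silent hole.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([A-Za-z0-9_.-]{1,32})\z/;
    return $1;
}

sub lookup_safe {
    my ($user) = @_;
    my $clean = untaint_username($user);
    return "bad user name\n" unless defined $clean;
    # List-form pipe open: argv is passed straight to execve, no shell in
    # between, so there is no command line for metacharacters to rewrite.
    open(my $fh, '-|', '/usr/bin/lookup', $clean)
        or return "lookup failed: $!\n";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out // '';
}

my $p = parse_query($ENV{QUERY_STRING});
print "Content-type: text/plain\r\n\r\n";
print "parameter still tainted after parsing: ",
      (tainted($p->{user}) ? 'yes' : 'no'), "\n";
print lookup_safe($p->{user});
```

Run it as `QUERY_STRING='user=alice' perl -T script.pl`; the `-T` on the command line is required, since perl refuses to honour a `-T` that appears only on the `#!` line. Calling `lookup_unsafe` with the parsed value under `-T` aborts with an "Insecure dependency" error, which is the check the message suggests relying on, while `lookup_safe` gets past it only because `untaint_username` has reduced the value to an explicit allow-list before any command is spawned.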