[504] in WWW Security List Archive


Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Fri Mar 3 21:42:19 1995

To: cwg@DeepEddy.Com (Chris Garrigues), www-security@ns2.rutgers.edu
cc: hallam@dxal18.cern.ch
In-reply-to: Your message of "Fri, 03 Mar 1995 13:33:47 CST."
             <v01510102ab7d1e027429@[128.62.14.16]> 
Date: 	Fri, 03 Mar 1995 21:52:12 +0900
From: "Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch>
Errors-To: owner-www-security@ns2.rutgers.edu


>If a CGI script has an eval or backquote into which an arbitrary shell
>command can be inserted, then the user can do anything as the www user.  If
>your system also has a security hole which allows a non-root user to modify
>or break something, then you have a major risk from your CGI scripts.

It's a question of having to be very careful indeed. The cshell is much weaker 
in terms of facilities than a full programming language. The grammar is not 
checked before execution. The program can be self modifying, self referencing 
and generally bizarre.

The archetypal CGI blunder is:

fooprog -options QUERY_STRING

The hacker then obliges with a QUERY_STRING containing the sequence "; rm -f *"
giving

fooprog -options ; rm -f *


Don't bet on writing down a complete list of all possible screw ups of this 
type. I've seen several people come unstuck with incomplete regular expression 
filters.


On top of this you have n-fold incompatibility with UNIX because there is no 
standard shell. Even csh varies from machine to machine. The problem with shell 
programs is that they start off as small hacks and grow like topsy. You have 
none of the high level programming abstractions of C.

As for VMS being "as bad". Well I certainly would not recommend anyone wrote a 
long program in DCL. Although it's reasonably standardised (later versions have 
added features) it is several orders more tedious to use than BASIC.

And I don't understand the criticism of my voicing my opinion of UNIX. People 
ask about security for the Web and I tell them that in my opinion one should not 
connect up programs written in a 1968 scripting language with a very poor 
reputation to execute with parameters supplied by the network. People object 
that I should not state that I believe the system to be insecure because other 
systems may possibly also be insecure. I base my opinion on the fact that I have 
seen some very clever people come very unstuck with CGI scripts that 
accidentally allowed execution of arbitrary commands under UNIX but I haven't 
known people clobber themselves with VMS. 

I suppose awk and perl might be serviceable possibly, maybe, perhaps. But I 
wouldn't feel at all happy running a nuclear power station with them.


		Phill.


