[1201] in WWW Security List Archive


Re: source code security

daemon@ATHENA.MIT.EDU (Peter Henning)
Sat Dec 2 07:02:15 1995

Date: Sat, 2 Dec 1995 11:11:36 +0200 (GMT+0200)
From: Peter Henning <wizard@electric.co.za>
To: www-security@ns2.rutgers.edu
In-Reply-To: <199512011833.AA08944@mordred.gatech.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

On Fri, 1 Dec 1995, Steve wrote:

> I'm curious to know if there is any way for anyone to look at the source code
> for cgi-scripts if the code lies in a /cgi-bin directory.  Typically I try to 
> develop in a directory "unknown" to the server, then move the binary into the 
> appropriate location; is this unnecessary?

For those of us using Unix,

one nice trick is to take away all "r" permissions on your cgi binaries. 
Most scripts just need world or group "x" permissions, and possibly owner 
"w" permissions so that you can recompile them from a safer directory 
elsewhere. That way, the scripts can run but even if they live somewhere 
inside your document root (not a wise idea) I don't think anyone can read 
even the binaries (to feed into a disassembler).

> where you made the mistake of using, oh, popen() and attack your server.
> 

I think popen(3) is very useful, provided one parses any parameters sent 
to the command to strip out ; $ | etc...and of course, check for any 
buffer overflows! ;-)

Ciao
     ____________________________________________
    | Electric Ocean   | http://electric.co.za/  |\
    | 1 Court Road     | Voice: +27 83 658 0292  | |
    | Wynberg 7800     | Fax:   +27 21 762 2747  | |
    | South Africa     |*infectious hypermedia!* | |
    |__________________|_________________________| |
     \____________________________________________\|
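The two pieces of advice in the reply above, as an added C example that is not code from this thread or from any project it mentions: arguments are validated against an allowlist instead of having `;`, `$` and `|` stripped out, the helper program is started with fork/exec rather than popen(3) so no shell ever sees the arguments, and a CGI binary is left execute-only (mode 0111 plus owner write) and the result is confirmed with stat(2). The function names are my own, the `echo` helper and the `/tmp` sample file are stand-ins for a real CGI helper and binary, and the 64-byte length cap is an assumed limit.

```c
/* Added example, not from the original thread. Function names are mine. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for a filename-like CGI parameter. Anything outside the
 * allowed set (so also ; $ | ` newline) is rejected, not stripped: a rejected
 * request fails visibly instead of being silently "repaired". */
int arg_is_safe(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 64)   /* assumed length cap */
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Run argv[0] with fork/exec and capture its stdout. popen(3) would hand the
 * command line to /bin/sh -c; here no shell is involved, so metacharacters in
 * the arguments are plain bytes. Returns bytes captured, or -1 on error. */
ssize_t run_argv_capture(char *const argv[], char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outsz - 1 &&
           (n = read(fds[0], out + total, outsz - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)total;
}

/* Clear every read bit on a CGI binary (owner keeps write for recompiles)
 * and confirm with stat(2). Returns 1 when no read bit remains. */
int make_exec_only(const char *path)
{
    struct stat st;
    if (chmod(path, S_IWUSR | S_IXUSR | S_IXGRP | S_IXOTH) == -1)
        return 0;
    if (stat(path, &st) == -1)
        return 0;
    return (st.st_mode & (S_IRUSR | S_IRGRP | S_IROTH)) == 0;
}

/* Demo of make_exec_only on a constructed temporary file. */
int demo_exec_only(void)
{
    char path[] = "/tmp/cgi-demo-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    if (fd == -1)
        return 0;
    close(fd);
    int ok = make_exec_only(path);
    unlink(path);
    return ok;
}

int main(void)
{
    char buf[128];
    char *const argv[] = { "echo", "$HOME;x|y", NULL };   /* constructed input */
    printf("arg_is_safe(\"report-01.txt\") = %d\n", arg_is_safe("report-01.txt"));
    printf("arg_is_safe(\"a;b\") = %d\n", arg_is_safe("a;b"));
    if (run_argv_capture(argv, buf, sizeof buf) >= 0)
        printf("echo without a shell printed: %s", buf);   /* literal $HOME;x|y */
    printf("demo_exec_only() = %d\n", demo_exec_only());
    return 0;
}
```

The point of the exec path is that `$HOME;x|y` comes back exactly as typed: there is no shell to expand `$HOME`, split on `;` or build a pipeline, so the character-stripping step becomes a second line of defence rather than the only one. The allowlist is deliberately narrow; widen it per parameter rather than reaching for a blocklist of known-bad characters.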

