[1557] in WWW Security List Archive
IBM-ERS Alert: Vulnerability in NCSA/Apache CGI Sample Code
daemon@ATHENA.MIT.EDU (Lincoln Stein)
Tue Feb 27 08:31:01 1996
Date: Tue, 27 Feb 1996 11:22:48 +0100
From: Lincoln Stein <lstein@kaa.crbm.cnrs-mop.fr>
To: www-security@ns2.rutgers.edu
In-Reply-To: <199602261408.JAA10922@intrepid.somers.hqregion.ibm.com>
Errors-To: owner-www-security@ns2.rutgers.edu
Many thanks to IBM and David Curry for discovering and posting this
important piece of news. I want to add my 2 cents to the discussion
by repeating this bit of oft-said and seldom-heeded advice:
- DON'T TRUST THAT YOU CAN AVOID SECURITY HOLES BY REMOVING
"BAD" CHARACTERS BEFORE PASSING USER PARAMETERS TO SHELLS.
EITHER:
A) DON'T USE SHELLS AT ALL (I.E. CALL EXEC() DIRECTLY TO
BYPASS THE SHELL)
B) CHECK USER INPUT CAREFULLY FOR "GOOD" PATTERNS AND REJECT
ANYTHING THAT DOESN'T MATCH EXACTLY.
More info can be found in the www security FAQ.
Lincoln
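The two options above, worked through as an added example (editor's illustration, not code from the original post, from the IBM alert, or from the NCSA/Apache sample code). It is Python, uses `echo` as a stand-in for whatever program the CGI would invoke, and the inputs `BENIGN` and `HOSTILE` are constructed. The "bad character" filter is deliberately missing newline, which /bin/sh treats as a command separator; that gap is chosen to make the point, not a claim about which character the real filter missed.

```python
import re
import subprocess

# Constructed sample inputs (not taken from the original post).
BENIGN = "lstein"
HOSTILE = "lstein\necho INJECTED"   # newline separates commands in sh


def strip_bad_chars(user_input):
    """The pattern the post warns against: delete 'bad' shell metacharacters.

    The list is incomplete on purpose (no newline) to show why a blacklist
    is brittle: whatever the filter forgets is what the attacker uses.
    """
    return re.sub(r"[;&|`$<>]", "", user_input)


def lookup_via_shell(user_input):
    """Vulnerable: filtered input is interpolated into a shell command line."""
    cmd = "echo lookup %s" % strip_bad_chars(user_input)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_via_exec(user_input):
    """Option A: no shell at all.

    The argv list goes straight to execve(), so every byte of user_input is
    an argument to the program, never syntax for an interpreter.
    """
    return subprocess.run(["echo", "lookup", user_input],
                          capture_output=True, text=True).stdout


# Option B: describe what GOOD input looks like and reject everything else.
# \A and \Z are used rather than ^ and $ because $ would also match just
# before a trailing newline, letting "lstein\n" through.
VALID_USER = re.compile(r"\A[a-z][a-z0-9_-]{0,31}\Z")


def lookup_whitelisted(user_input):
    """Option B on top of A: exact pattern match, then exec without a shell."""
    if not VALID_USER.match(user_input):
        raise ValueError("rejected: input does not match the allowed pattern")
    return lookup_via_exec(user_input)


if __name__ == "__main__":
    print("shell + blacklist:", repr(lookup_via_shell(HOSTILE)))
    print("exec, no shell:   ", repr(lookup_via_exec(HOSTILE)))
    try:
        lookup_whitelisted(HOSTILE)
    except ValueError as err:
        print("whitelist:        ", err)
```

Run with the hostile input, the shell version prints a second line `INJECTED`, the exec version prints the newline and `echo INJECTED` as literal text, and the whitelist version never runs anything.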
David A. Curry writes:
>
> --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
> ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
>
> [IBM ASCII-art logo]
>
> EMERGENCY RESPONSE SERVICE
> SECURITY VULNERABILITY ALERT
>
> 26 February 1996 14:00 GMT Number: ERS-SVA-E01-1996:002.1