[2098] in bugtraq


cgi-bin security

daemon@ATHENA.MIT.EDU (Paul Phillips)
Mon Aug 14 19:48:09 1995

Date:         Mon, 14 Aug 1995 00:04:57 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Paul Phillips <paulp@CERF.NET>
X-To:         bugtraq@fc.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>

From:    Lee Silverman <lee@NETSPACE.ORG>

> Given all the posts here lately about holes in cgi-bin scripts, has anyone
> come up with a good set of guidelines to tell programmers what is and is not
> acceptable for putting in cgi-bin programs?

I've started something along these lines:
<URL:http://www.primus.com/staff/paulp/cgi-security/>

> For example, if someone gave you a cgi-bin script and asked you to tell
> them if it was going to cause any security holes, what would you look for?
> Paul, what methods have you been using to track all these bugs in freeware
> cgi-bin packages?  (If you don't mind telling us...)

Basically I just track the user input through the script and see how it's
handled.  Anything that invokes a shell or any other external program is
suspect and should be looked at carefully.  If it's perl, run it with -T
and see if/where it complains about misuse of tainted data.  If it's SUID
or runs as someone other than nobody, it deserves a fine-tooth comb.

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://+1-619-220-0850/is/paul/there?>   |  their short-lived web site

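The review procedure described above, as an added example that is not part of the original post: a minimal Perl CGI with the tainted input path, the line taint mode would refuse to run, and the untainted, shell-free replacement. The "user" query parameter, the hand-rolled query-string parsing, and the use of finger(1) as the external program are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): what "perl -T" catches when
# user input reaches a shell, and how to untaint it properly.
# Assumptions: a "user" GET parameter and finger(1) as the external program.
use strict;
use warnings;

# Taint mode refuses system()/open-pipe/backticks while PATH is tainted or
# while IFS, CDPATH, ENV or BASH_ENV are set, so fix the environment first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Parse QUERY_STRING into a hash. Everything that comes out of %ENV is
# tainted, and taint propagates through the split/tr/substitution below.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /&/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = $v // '';
    }
    return \%param;
}

# Untaint by extraction: only a capture from a regex match clears the taint
# flag, so the pattern IS the policy. Allow a plain login name only; the
# first character may not be "-", so the value cannot become an option to
# finger (argument injection survives even when the shell is gone).
sub untaint_login {
    my ($raw) = @_;
    return undef
        unless defined $raw && $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,31})\z/;
    return $1;
}

my $p = parse_query($ENV{QUERY_STRING});
print "Content-Type: text/plain\r\n\r\n";

# VULNERABLE (the line a reviewer is looking for): backticks hand the
# tainted value to /bin/sh. Under -T perl dies here with
# "Insecure dependency in `` while running with -T switch"; without -T,
# ?user=foo;cat%20/etc/passwd executes cat as the web server user.
#   my $out = `finger $p->{user}`;

my $login = untaint_login($p->{user});
if (!defined $login) {
    print "rejected: login must match [A-Za-z0-9_][A-Za-z0-9_.-]{0,31}\n";
    exit 0;
}

# HARDENED: untainted value and the list form of open, so no shell is
# involved at all; $login goes straight into finger's argv as one argument.
open(my $fh, '-|', 'finger', $login)
    or die "cannot run finger: $!";
print while <$fh>;
close $fh;
```

To exercise it from a shell, set the CGI environment by hand: `QUERY_STRING='user=foo;id' perl -T finger.cgi` prints the rejection message, while uncommenting the backtick line makes the same invocation die with the "Insecure dependency" error before anything runs. Note that `-T` must be in effect from the start: if the server or wrapper runs the script with `perl finger.cgi` and only the shebang line carries `-T`, perl refuses with "Too late for -T", which is itself worth checking for in a review, since a script that looks taint-checked may never actually be running that way.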