[2514] in bugtraq


Re: CGI security: Escape newlines.

daemon@ATHENA.MIT.EDU (Dave Andersen)
Tue Feb 6 19:46:04 1996

Date:         Mon, 5 Feb 1996 22:46:38 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Dave Andersen <angio@aros.net>
X-To:         BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <199602060250.UAA11818@marigold.eecs.nwu.edu> from "Jennifer
              Myers" at Feb 5, 96 08:50:24 pm

Lo and behold, Jennifer Myers once said:

> There are a good set of security guidelines at:
> http://www.cerf.net/~paulp/cgi-security/safe-cgi.txt:
>
> That document recommends removing or escaping the following characters
> in user-supplied data before passing it to a shell:
>
>         ;<>*|`&$!#()[]{}:'"/
>
> There is (at least) one character missing from this list: the new line
> character.  I have never seen the new line character included in a list
> of metacharacters to filter.
>
> [lossy compression]
>

  Suggested fix:

> Very simple.  Add the character \n (the new line character) to the
> list of characters to REMOVE from user-supplied data before
> supplying it to a shell in a CGI program.

   While there's no doubt that this fix works like a charm for dealing
with this particular hole, it seems to perpetuate one "goof" in the way
CGI scripts handle input data.  There's a very good lesson to be learned
from the adage "deny everything not expressly permitted."

  In this case, I submit that it's a BETTER solution to filter by:

   tr/A-Za-z0-9\-_\$+=~.,//cd;   # c: complement the list, d: delete everything that matches

 in which case, you know _exactly_ what characters your program will be
processing and you don't have to worry about extraneous cases like
someone dreaming up some flaw in your script where an unexpected control
character will wreak havoc.

   If you're really paranoid, preface it with something to detect
someone screwing around:

   if (/[;<>*|`&\$!#()\[\]{}:'"]/) {
        # Any of the deny-listed metacharacters in $_: log it, tell the user, bail out.
        &notify_me("Someone tried to hack us from $ENV{'REMOTE_ADDR'} " .
                   "($ENV{'REMOTE_HOST'})!  Make a note of it.\n");
        &bitch_at_user();   # notify_me and bitch_at_user are your own site-specific routines
        exit(0);
   }

   and afterwards, do the same "sanitizing" tr to make sure you didn't let
anything slip.

   As an aside, much of this is documented quite well in Paul Phillips'
secure-cgi page which you mentioned above.

    -Dave Andersen

--
angio@aros.net                Complete virtual hosting and business-oriented
system administration         Internet services.  (WWW, FTP, email)
http://www.aros.net/          http://www.aros.net/about/virtual/
  "There are only two industries that refer to their customers as 'users'."

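Added example, not code from Dave Andersen's post or from safe-cgi.txt: the two filtering approaches discussed in this message, side by side in Python rather than Perl, run over a constructed input that carries a second command after a newline. The deny-list is the safe-cgi.txt character set quoted by Jennifer Myers (newline not included); the allow-list is a regex equivalent of the tr///cd above. run_through_shell interpolates the filtered value into a command string the way a careless CGI script would and hands it to /bin/sh; it uses only echo, so the "injected" command is harmless, and it runs only when the file is executed as a script (it assumes a POSIX sh is on the path). Function and constant names are mine.

```python
"""Deny-list vs allow-list filtering of CGI input before it reaches a shell.

Added example for the bugtraq thread "CGI security: Escape newlines".
"""
import re
import subprocess

# Characters safe-cgi.txt recommends removing or escaping, as quoted in the
# thread. Note that the newline character is not among them.
DENYLIST = set(';<>*|`&$!#()[]{}:\'"/')

# Anything NOT in this class is deleted; a regex rendering of the Perl
# tr/A-Za-z0-9\-_\$+=~.,//cd allow-list from the message.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9\-_$+=~.,]")


def denylist_filter(value: str) -> str:
    """Strip the listed metacharacters only; a newline is not listed, so it survives."""
    return "".join(ch for ch in value if ch not in DENYLIST)


def allowlist_filter(value: str) -> str:
    """Keep only the explicitly permitted characters: deny everything not expressly permitted."""
    return NOT_ALLOWED.sub("", value)


def looks_hostile(value: str) -> bool:
    """The 'paranoid' pre-check: True if any deny-listed metacharacter is present."""
    return any(ch in DENYLIST for ch in value)


def shell_command_count(value: str) -> int:
    """Number of command lines the value becomes once interpolated into a
    command string: the shell treats a newline exactly like ';'."""
    return len([line for line in value.split("\n") if line.strip()])


def run_through_shell(value: str) -> str:
    """Interpolate value into 'echo <value>' and run it with /bin/sh, returning
    stdout. Only echo is used, so the injected command is harmless. Not called
    at import time; assumes a POSIX sh is available."""
    result = subprocess.run(["sh", "-c", f"echo {value}"],
                            capture_output=True, text=True, check=False)
    return result.stdout


# Constructed hostile input (not from the thread): a field value that carries a
# second command after a newline and contains no deny-listed character at all.
HOSTILE = "alice\necho INJECTED"

if __name__ == "__main__":
    print(repr(denylist_filter(HOSTILE)))   # newline untouched, two commands remain
    print(repr(allowlist_filter(HOSTILE)))  # collapsed to one harmless token
    print(run_through_shell(denylist_filter(HOSTILE)))   # sh prints 'alice' and 'INJECTED'
    print(run_through_shell(allowlist_filter(HOSTILE)))  # sh prints 'aliceechoINJECTED'
```

The deny-list leaves the newline in place, and looks_hostile() does not flag it either, which is exactly the gap Jennifer Myers reports; the allow-list removes it along with every other character nobody thought to list.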