FirstSearch script security
Edward Wigg
e-wigg at evanston.lib.il.us
Wed Aug 14 12:37:55 EDT 1996
Madeleine Showalter <mshowalt at library.ci.austin.tx.us> wrote:
>I have been told that "hackers" can enter commands in a form/search engine
>which can be transferred to your operating system. This can allow them to get
>to a command line prompt in your system. So, I assume that "secure" means to
>prevent this by changing your CGI script. That's all I know, I'm just a
>beginner in using CGI.
This is not wrong, but it is somewhat misleading.
Correctly written CGI programs are secure -- there is nothing inherent in a
form/search engine which gives hackers access. However, (and it is a big
however) there are many CGI scripts out there that ARE insecure -- phf comes
to mind. These do not properly parse form data; they do not filter
illegal/unwanted/dangerous characters correctly from requests. One of the
nasties is not stripping the %0A string (hex for a newline) from commands that
are passed to the shell. This can allow a hacker to execute arbitrary
commands on your system (e.g. rm *, or cat /etc/passwd) which might cause
problems depending on file protections and the settings for the webuser
account. This is not the same as getting a command line, but it is a step
towards full access.
It is a good policy to disable all scripts that are not strictly necessary
for operation. You can also grep your access logs for the %0A string to see
if attackers are trying this particular hack.
Some of the above specifics are for Unix, but the principles are cross-platform.
Edward
--------------------------------------------------------------
Edward Wigg "Just another guy, you know?"
Evanston Public Library e-wigg at evanston.lib.il.us
Evanston, Illinois
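
The log check suggested in the message above, written out as a script. This is an added example, not part of the original post: it assumes the server writes Common Log Format, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log requests whose URL carries an encoded newline.

# Constructed sample lines in Common Log Format (hosts, paths, times are made up).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [14/Aug/1996:09:01:12 -0500] "GET /index.html HTTP/1.0" 200 2326
192.0.2.44 - - [14/Aug/1996:09:03:40 -0500] "GET /cgi-bin/example.cgi?q=abc%0Axyz HTTP/1.0" 200 512
192.0.2.44 - - [14/Aug/1996:09:03:55 -0500] "GET /cgi-bin/example.cgi?q=abc%0axyz HTTP/1.0" 200 498
198.51.100.7 - - [14/Aug/1996:09:10:02 -0500] "GET /cgi-bin/example.cgi?q=library+hours HTTP/1.0" 200 1730
198.51.100.9 - - [14/Aug/1996:09:12:31 -0500] "POST /cgi-bin/example.cgi HTTP/1.0" 200 640
EOF
}

# Print "client status url" for every request whose URL contains %0A or %0a.
# Only field 7 (the requested URL) is tested, so referrer or user-agent fields
# in longer log formats cannot cause false hits. Reads files given as
# arguments, or standard input when there are none.
find_newline_requests() {
    awk '{ u = tolower($7) } index(u, "%0a") { print $1, $9, $7 }' "$@"
}

# Summarise the hits per client address, busiest first.
count_by_client() {
    find_newline_requests "$@" |
        awk '{ n[$1]++ } END { for (c in n) print n[c], c }' |
        sort -rn
}

# Demonstration on the constructed sample; on a real server pass the log path,
# e.g. find_newline_requests /path/to/access_log (path is a placeholder).
sample_log | find_newline_requests
sample_log | count_by_client
```

An access log records only the request line, so form data sent in a POST body (the last sample line) never shows up in this check.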