FirstSearch script security

Edward Wigg e-wigg at evanston.lib.il.us
Wed Aug 14 12:37:55 EDT 1996


Madeleine Showalter <mshowalt at library.ci.austin.tx.us> wrote:
>I have been told that "hackers" can enter commands in a form/search engine
>which can be transferred to your operating system.  This can allow them to
>get to a command line prompt in your system.  So, I assume that "secure"
>means to prevent this by changing your CGI script.  That's all I know, I'm
>just a beginner in using CGI.

This is not wrong, but it is somewhat misleading. 

Correctly written CGI programs are secure -- there is nothing inherent in a
form/search engine which gives hackers access. However (and it is a big
however), there are many CGI scripts out there that ARE insecure -- phf comes
to mind. These do not properly parse form data; they do not filter
illegal/unwanted/dangerous characters correctly from requests. One of the
nasties is not stripping the %0A string (hex for a newline) from commands that
are passed to the shell. This can allow a hacker to execute arbitrary
commands on your system (e.g. rm *, or cat /etc/passwd), which might cause
problems depending on file protections and the settings for the webuser
account. This is not the same as getting a command line, but it is a step
towards full access.

It is a good policy to disable all scripts that are not strictly necessary
for operation. You can also grep your access logs for the %0A string to see
if attackers are trying this particular hack.

Some of the above specifics are for Unix, but the principles are cross-platform.

Edward
--------------------------------------------------------------
Edward Wigg                      "Just another guy, you know?"
Evanston Public Library             e-wigg at evanston.lib.il.us
Evanston, Illinois                  