Lizapotter (Go4Expert Member), 25Feb2009, 11:59
Tips while using CGI:

1. Beware the eval statement

Languages like PERL and the Bourne shell provide an eval command which allows you to construct a string and have the interpreter execute that string. This can be very dangerous. Observe the following statement in the Bourne shell:

eval `echo $QUERY_STRING | awk 'BEGIN{RS="&"} {printf "QS_%s\n",$1}' `

This clever little snippet takes the query string, and converts it into a set of variable set commands. Unfortunately, this script can be attacked by sending it a query string which starts with a ;.

2. Do not trust the client to do anything

A well-behaved client will escape any characters which have special meaning to the Bourne shell in a query string and thus avoid problems with your script misinterpreting the characters. A mischievous client may use special characters to confuse your script and gain unauthorized access.

3. Be careful with popen and system

If you use any data from the client to construct a command line for a call to popen() or system(), be sure to place backslashes before any characters that have special meaning to the Bourne shell before calling the function. This can be achieved easily with a short C function.

4. Turn off server-side includes

If your server is unfortunate enough to support server-side includes, turn them off for your script directories. The server-side includes can be abused by clients which prey on scripts which directly output things they have been sent.
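The following C code is an added example and is not part of the post above; it shows the defensive side of tips 1 to 3. `parse_query` does what the eval snippet does (split QUERY_STRING into name/value pairs) without ever handing the string to an interpreter: it URL-decodes each piece first and then refuses any name that is not a plain identifier, so a query string beginning with `;` (or `%3B`) is rejected instead of executed. `shell_escape` is the "short C function" tip 3 refers to: it puts a backslash before every byte outside a conservative safe set before the string is interpolated into a popen()/system() command line, and refuses control bytes outright, since a backslash before a newline is a line continuation in sh and therefore not an escape. Function names, the safe-character set and the sample query strings are my own choices, not from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 16
#define MAX_FIELD  256

struct param {
    char name[MAX_FIELD];
    char value[MAX_FIELD];
};

/* Decode '+' and %XX escapes from src[0..len) into dst.
 * Returns 0 on success, -1 on a malformed escape or on overflow. */
static int url_decode(const char *src, size_t len, char *dst, size_t dstsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (o + 1 >= dstsz) return -1;
        if (src[i] == '+') { dst[o++] = ' '; continue; }
        if (src[i] == '%') {
            if (i + 2 >= len || !isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
            continue;
        }
        dst[o++] = src[i];
    }
    dst[o] = '\0';
    return 0;
}

/* A parameter name is about to become a variable name, so it must look like one:
 * a letter or underscore followed by letters, digits or underscores. */
static int valid_name(const char *n)
{
    if (!n[0] || !(isalpha((unsigned char)n[0]) || n[0] == '_')) return 0;
    for (; *n; n++)
        if (!(isalnum((unsigned char)*n) || *n == '_')) return 0;
    return 1;
}

/* Tips 1 and 2: split QUERY_STRING on '&' and '=' into decoded name/value pairs.
 * Returns the number of pairs, or -1 if any pair is malformed or has a name that
 * is not an identifier. Decoding happens BEFORE validation, so "%3B" cannot
 * smuggle a ';' past the check. Nothing here is ever passed to eval or a shell. */
int parse_query(const char *qs, struct param *out, size_t max)
{
    size_t n = 0;
    const char *p = qs;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        if (!eq || n >= max) return -1;
        size_t nlen = (size_t)(eq - p);
        if (url_decode(p, nlen, out[n].name, MAX_FIELD) != 0) return -1;
        if (url_decode(eq + 1, plen - nlen - 1, out[n].value, MAX_FIELD) != 0) return -1;
        if (!valid_name(out[n].name)) return -1;
        n++;
        p = end ? end + 1 : p + plen;
    }
    return (int)n;
}

/* Tip 3: return a malloc'd copy of s in which every byte outside
 * [A-Za-z0-9_-./] is preceded by a backslash, ready to be interpolated into a
 * command line for popen()/system(). Control bytes (newline included) make the
 * function return NULL instead: they cannot be neutralised by a backslash.
 * The caller frees the result. */
char *shell_escape(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(2 * len + 1);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f) { free(out); return NULL; }
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '/'))
            out[o++] = '\\';
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration, not taken from the post. */
    struct param params[MAX_PARAMS];
    int n = parse_query("user=alice&page=2", params, MAX_PARAMS);
    printf("benign query: %d params, %s=%s\n", n, params[0].name, params[0].value);
    n = parse_query(";rm+-rf+/=x", params, MAX_PARAMS);     /* the tip-1 probe */
    printf("hostile name rejected: %d\n", n);                /* -1 */
    char *e = shell_escape("foo; rm -rf /");
    printf("escaped for system(): %s\n", e);                 /* foo\;\ rm\ -rf\ / */
    free(e);
    return 0;
}
```

The escaping in `shell_escape` is a last resort for code that must build a command string; where possible, avoid the shell entirely and pass user data as a separate argv element to fork()/execv(), which sidesteps the metacharacter problem altogether.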