Hello.

I've written a little CGI and installed it on a SuSE box. Apache was disabled. I restarted it, renamed htdocs to htdocs_suse (yes, it's possible to change the htdocs dir from httpd.conf but I prefer the former procedure) and created my own htdocs dir. Then I did the same for the cgi-bin dir (which contained test scripts, php included; and perhaps may be abused with the latest php xploit. Not checked for it), I mean, I cleaned cgi-bin completely and copied my cgi program there. I think the machine is secure now, isn't it? (Original SuSE 6.4 with the above described changes).

Now I want to protect my CGI. Basically it only takes two strings: one which only contains numbers and another more generic one (it can contain ";,|<>"... etc). I want to correctly (=securely) parse the variables before using them. Which would be the correct regexps?

The following article: http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=4 points to several ideas. But I suppose it could miss some common checks... I prefer hearing from you. :-)

Thx!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Now I want to protect my CGI. Basically it only takes two strings: one which only contains numbers and other more generic (it can contain ";,|<>"... etc). I want to correctly (=secure) parse the variables

These chars interact with the shell, that's bad. So, don't use shell scripting for your CGI. If you use perl or C, then avoid using

  - eval()
  - $()
  - `` backticks
  - system()
  - popen()
  - open()
  - <> (perl file globbing)
  - glob() (perl)

and everything else that uses the shell.

I hope that I didn't miss something. :-)

Bye,
   Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de         Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
On Mon, 18 Dec 2000 14:13:45 +0100 (CET), you wrote:

> > Now I want to protect my CGI. Basically it only takes two strings: one which only contains numbers and other more generic (it can contain ";,|<>"... etc). I want to correctly (=secure) parse the variables
>
> these chars interact with the shell, that's bad. so, don't use shell scripting for your CGI if you use perl or C, then avoid using
> - open() ..

Hi Thomas.

I'm looking for a regexp for "filtering" (/ parsing) those "nasty" chars so you could trust a user-input given variable... well, not exactly trust, but at least avoiding shell escapes & other hacking tricks.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi

On Mon, Dec 18, 2000 at 03:28:55PM +0100, RoMaN SoFt / LLFB!! wrote:
> Hi Thomas. I'm looking for a regexp for "filtering" (/ parsing) those "nasty" chars so you could trust an user-input given variable... well, not exactly trust, but at least avoiding shell escapes & other hacking tricks.

something like quotemeta()?

MfG/Regards,
Alexander
--
Alexander Reelsen             http://joker.rhwd.de
ref@linux.com                 GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
ar@rhwd.net                   7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
On Mon, 18 Dec 2000 17:02:28 +0100, you wrote:

> Hi
>
> On Mon, Dec 18, 2000 at 03:28:55PM +0100, RoMaN SoFt / LLFB!! wrote:
> > Hi Thomas. I'm looking for a regexp for "filtering" (/ parsing) those "nasty" chars so you could trust an user-input given variable... well, not exactly trust, but at least avoiding shell escapes & other hacking tricks.
>
> something like quotemeta()?

Yeap :)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Mon, 18 Dec 2000, RoMaN SoFt / LLFB!! wrote:

> On Mon, 18 Dec 2000 14:13:45 +0100 (CET), you wrote:
>
> > > Now I want to protect my CGI. Basically it only takes two strings: one which only contains numbers and other more generic (it can contain ";,|<>"... etc). I want to correctly (=secure) parse the variables
> >
> > these chars interact with the shell, that's bad. so, don't use shell scripting for your CGI if you use perl or C, then avoid using
> > - open() ..
>
> Hi Thomas. I'm looking for a regexp for "filtering" (/ parsing) those "nasty" chars so you could trust an user-input given variable... well, not exactly trust, but at least avoiding shell escapes & other hacking tricks.

Oh, I misunderstood your mail. I thought the 2nd input _has_ to include the nasty chars.

Well, it's wise to filter the 'good' chars and toss the rest. Example in shell:

    CHECK=${1//[0-9a-zA-Z]/}
    if [ "$CHECK" = "" ]; then
        echo "OK!"
    else
        echo "KO!"
        exit -1
    fi

Otherwise the following chars are known to be bad:

    | ; ` 0x00 0x20 & < 0x0A

.oO( Hope it's all! )

For examples of cgi exploits look at http://www.cgisecurity.com/ . If the input is used with open() and alike, take care of '../' and stuff.

Bye,
   Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de         Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
* RoMaN SoFt / LLFB!! wrote on Mon, Dec 18, 2000 at 13:39 +0100:
> Now I want to protect my CGI. Basically it only takes two strings: one which only contains numbers and other more generic (it can contain ";,|<>"... etc). I want to correctly (=secure) parse the variables before using it.

Better use a positive list with allowed chars than a negative list with prohibited ones - if you forget a char, it's not insecure (but maybe not working, which is the better choice I think). Of course it's best to make the regexps as concrete as possible. If you expect a time, use "\d\d:\d\d" and not more.

Input validation is a complex problem, and depends heavily on your program IMHO.

If you use perl, always use "-Tw" as command line switches. The taint mode is really great.

oki,

Steffen
--
This message was produced by machine and therefore bears neither signature nor seal.
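The positive-list approach Thomas and Steffen describe, worked through as an added example (this is not code from the thread or from any of its participants). It is written in POSIX sh so it runs the same under sh and bash; the function names, the HH:MM and file-name patterns, and the sample inputs in main() are assumptions chosen for illustration. It covers the numeric parameter, a concrete pattern in the spirit of "\d\d:\d\d", the '../' caveat for values passed to open(), and, for contrast, a negative-list check built from the character list in Thomas's mail, to show where it falls short.

```shell
#!/bin/sh
# Added example, not code from the thread: positive-list ("allowlist")
# validation for the CGI parameters discussed above, in POSIX sh so it
# behaves the same under sh and bash. Function names and the sample
# inputs in main() are constructed for illustration.

# 0 (true) if $1 is one or more ASCII digits and nothing else.
# The pattern *[!0-9]* matches any non-digit anywhere in the string,
# including space (0x20) and an embedded newline (0x0A), so "12<LF>foo"
# is rejected. A line-oriented check such as `grep -q '^[0-9]*$'` would
# accept that value because its first line matches.
is_numeric() {
    case "$1" in
        '')       return 1 ;;   # empty is not a number
        *[!0-9]*) return 1 ;;   # something outside 0-9 is present
        *)        return 0 ;;
    esac
}

# 0 if $1 has exactly the form HH:MM ("\d\d:\d\d" and nothing more).
is_hhmm() {
    case "$1" in
        [0-9][0-9]:[0-9][0-9]) return 0 ;;
        *)                     return 1 ;;
    esac
}

# 0 if $1 is a plain file name safe to hand to open(): only
# [A-Za-z0-9_.-], not starting with a dot (rules out "." and ".."),
# and no "/" at all (so "../" can never get through).
is_safe_filename() {
    case "$1" in
        '' | .* | *[!A-Za-z0-9_.-]*) return 1 ;;
        *)                           return 0 ;;
    esac
}

# The negative-list alternative, for contrast: delete the characters the
# thread lists as bad (| ; ` space & < newline) and accept the value if
# nothing was removed. Characters that were not listed, e.g. "$", "("
# and ")", are not caught, which is why the positive list is preferred.
denylist_ok() {
    _stripped=$(printf '%s' "$1" | tr -d '|;` &<\n')
    [ "$_stripped" = "$1" ]
}

# Map a check's exit status to the OK!/KO! wording used in the thread.
verdict() {
    if "$@"; then echo "OK!"; else echo "KO!"; fi
}

main() {
    for v in 42 007 '' 12a '4 2'; do
        printf 'is_numeric       %-12s -> %s\n' "'$v'" "$(verdict is_numeric "$v")"
    done
    for v in 09:30 9:30 09:30:00; do
        printf 'is_hhmm          %-12s -> %s\n' "'$v'" "$(verdict is_hhmm "$v")"
    done
    for v in report.txt ../etc x/y .hidden; do
        printf 'is_safe_filename %-12s -> %s\n' "'$v'" "$(verdict is_safe_filename "$v")"
    done
    # A value with an unlisted metacharacter slips past the negative
    # list but not past the positive one.
    v='a$(b)'
    printf 'denylist_ok      %-12s -> %s\n' "'$v'" "$(verdict denylist_ok "$v")"
    printf 'is_numeric       %-12s -> %s\n' "'$v'" "$(verdict is_numeric "$v")"
    return 0
}

main
```

Each check returns an exit status rather than printing, so it can be used directly in an `if`, and a rejected value is simply refused rather than "cleaned", which is the "toss the rest" behaviour from Thomas's mail and the "not working is the better choice" reasoning from Steffen's.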