Bugtraq mailing list archives

cgi-bin security


From: paulp () CERF NET (Paul Phillips)
Date: Mon, 14 Aug 1995 00:04:57 -0700


From:    Lee Silverman <lee () NETSPACE ORG>

Given all the posts here lately about holes in cgi-bin scripts, has anyone
come up with a good set of guidelines to tell programmers what is and is not
acceptable for putting in cgi-bin programs?

I've started something along these lines:
<URL:http://www.primus.com/staff/paulp/cgi-security/>

For example, if someone gave you a cgi-bin script and asked you to tell
them if it was going to cause any security holes, what would you look for?
Paul, what methods have you been using to track all these bugs in freeware
cgi-bin packages?  (If you don't mind telling us...)

Basically I just track the user input through the script and see how it's
handled.  Anything that invokes a shell or any other external program is
suspect and should be looked at carefully.  If it's perl, run it with -T
and see if/where it complains about misuse of tainted data.  If it's SUID
or runs as someone other than nobody, it deserves a fine-tooth comb.

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp () cerf net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://+1-619-220-0850/is/paul/there?>   |  their short-lived web site
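An added example (not part of the thread above) of what that review looks like for a Perl CGI script: the same external-program call, first written so that -T refuses to run it, then untainted against an allowlist and invoked without a shell. The parameter name "user" and the /usr/bin/finger path are assumptions.

```perl
#!/usr/bin/perl -T
# Constructed CGI script: run as "perl -T script.pl" with QUERY_STRING set.
use strict;
use warnings;

# Taint mode refuses to run external programs while PATH (or IFS etc.)
# is inherited from the environment, so fix them up first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Parse QUERY_STRING with split rather than a regex capture: in Perl a
# capture group untaints its result, which would hide the problem we want
# -T to flag. (URL decoding is omitted to keep the example short.)
my %param;
for my $pair (split /&/, ($ENV{QUERY_STRING} || '')) {
    my ($k, $v) = split /=/, $pair, 2;
    $param{$k} = defined $v ? $v : '';
}
my $user = defined $param{user} ? $param{user} : '';

print "Content-Type: text/plain\n\n";

# BEFORE: tainted input goes straight to a shell. Under -T perl dies here
# with "Insecure dependency in system while running with -T switch".
# system("finger $user");

# AFTER: untaint by matching an explicit allowlist of characters, then
# call the program in list form so no shell interprets the argument.
if ($user =~ /^([A-Za-z0-9_.-]{1,32})$/) {
    my $safe_user = $1;    # the captured group is untainted
    system('/usr/bin/finger', $safe_user) == 0
        or print "finger failed with status $?\n";
} else {
    print "rejected: user name contains characters outside the allowlist\n";
}
```

With the commented-out line restored, `-T` aborts the script at the `system` call; with the allowlist version, a value such as `user=bob;id` is rejected before any program runs.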


