Title: Sanitizing User-Supplied Data in CGI Scripts
Released by: CERT
Date: 10th November 1997
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CERT* Advisory CA-97.25.CGI_metachar
Original issue date: Nov. 10, 1997
Last revised: February 13, 1998
Updated tech tip and removed Appendix A.
A complete revision history is at the end of this file.
Topic: Sanitizing User-Supplied Data in CGI Scripts
- -----------------------------------------------------------------------------
The CERT Coordination Center has received reports and seen mailing list
discussions of a problem with some CGI scripts, which allow an attacker to
execute arbitrary commands on a WWW server under the effective user-id of the
server process. The problem lies in how the scripts are written, NOT in the
scripting languages themselves.
The CERT/CC team urges you to check all CGI scripts that are available via the
World Wide Web services at your site and ensure that they sanitize
user-supplied data. We have written a tech tip on how to do this (see Section
III).
We will update the tech tip (rather than this advisory) if we receive
additional information.
- -----------------------------------------------------------------------------
I. Description
Some CGI scripts have a problem that allows an attacker to execute
arbitrary commands on a WWW server under the effective user-id of the
server process. The cause of the problem is not the CGI scripting
language (such as Perl and C). Rather, the problem lies in how an
individual writes his or her script. In many cases, the author of the
script has not sufficiently sanitized user-supplied input.
II. Impact
If user-supplied data is not sufficiently sanitized, local and remote
users may be able to execute arbitrary commands on the HTTP server with
the privileges of the httpd daemon. They may then be able to compromise
the HTTP server and under certain configurations gain privileged access.
III. Solution
We strongly encourage you to review all CGI scripts that are available
via WWW services at your site. You should ensure that these scripts
sufficiently sanitize user-supplied data.
We recommend carrying out this review on a regular basis and whenever new
scripts are made available.
For advice about what to look for and how to address the problem,
see our tech tip on meta-characters in CGI scripts, available from
http://ftp.cert.org/pub/tech_tips/cgi_metacharacters
Note that because this problem is of a general nature, the tech tip
demonstrates only the concept of the problem and its solution. The
programmer and/or system administrator must ensure that any solution
implemented is robust and does not break intended functionality.
If you believe that a script does not sufficiently sanitize
user-supplied data then we encourage you to disable the script and
consult the script author for a patch.
If the script author is unable to supply a patched version, sites with
sufficient expertise may wish to patch the script themselves, adapting
the material in our tech tip to meet whatever specification is required
(such as the appropriate RFC).
(NOTE: We cannot offer any further assistance on source code patching
than that given in the tech tip mentioned above.)
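The following Python CGI fragment is an added illustration and is not code from this advisory or from the CERT tech tip. It places the unsanitized pattern described in Section I beside the allow-list treatment Section III calls for: raw QUERY_STRING data interpolated into a command string, versus the same data checked against a fixed set of permitted characters and then handed to the program as an argv list with no shell in between. The allow-list character set, the `finger` program, the `user` query parameter and the helper names are assumptions chosen for the example.

```python
import re
import shlex
from typing import List
from urllib.parse import parse_qs

# Allow-list of characters a user name may contain (my assumption for this
# example: generous enough for logins and e-mail addresses, but excluding every
# shell metacharacter such as ; | & ` $ ( ) < > \ " ' space and newline).
OK_CHARS = "-a-zA-Z0-9_.@"
NOT_OK = re.compile("[^" + OK_CHARS + "]")


def user_from_query(query_string: str) -> str:
    """Pull the 'user' parameter out of a raw QUERY_STRING.  parse_qs
    URL-decodes it, so an encoded %3B reaches the script as a literal ';'."""
    return parse_qs(query_string).get("user", [""])[0]


def unsafe_command_line(query_string: str) -> str:
    """The vulnerable pattern from Section I: raw CGI input interpolated into
    a command string destined for a shell.  Returned rather than executed so
    the effect of embedded metacharacters is visible without running anything."""
    return "/usr/bin/finger " + user_from_query(query_string)


def sanitize_user_data(value: str) -> str:
    """Rewrite every character outside the allow-list to '_'.  Substituting
    (rather than deleting) keeps the length and leaves a visible trace of what
    was rejected when the value is logged."""
    return NOT_OK.sub("_", value)


def validate_user_data(value: str) -> str:
    """Strict variant: refuse the request instead of silently rewriting it.
    Empty input is refused so an absent parameter never reaches a command, and
    a leading '-' is refused because most programs would parse it as an option
    (this extra check is my addition, not something the advisory spells out)."""
    if not value or NOT_OK.search(value):
        raise ValueError("user-supplied data contains characters outside the allow-list")
    if value.startswith("-"):
        raise ValueError("user-supplied data must not begin with '-'")
    return value


def safe_argv(query_string: str) -> List[str]:
    """Hardened form for Section III: validate against the allow-list and do
    not involve a shell at all.  The returned list is what one would pass to
    subprocess.run(argv) with shell=False, so no metacharacter is interpreted."""
    return ["/usr/bin/finger", validate_user_data(user_from_query(query_string))]


def quoted_command_line(query_string: str) -> str:
    """Fallback when a shell really cannot be avoided: quote the value so the
    shell treats it as one literal word.  Quoting alone does not stop a value
    such as '-l' from being parsed as an option by the invoked program, so it
    complements the allow-list check above rather than replacing it."""
    return "/usr/bin/finger " + shlex.quote(user_from_query(query_string))


def is_accepted(query_string: str) -> bool:
    """Convenience predicate: does the request survive the strict check?"""
    try:
        safe_argv(query_string)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input: a CGI request whose 'user' value carries a
    # URL-encoded ';' and space, the classic metacharacter case.
    constructed_query = "user=alice%3B%20date"
    print("unsafe   :", unsafe_command_line(constructed_query))
    print("sanitized:", sanitize_user_data(user_from_query(constructed_query)))
    print("quoted   :", quoted_command_line(constructed_query))
    print("accepted :", is_accepted(constructed_query), "/", is_accepted("user=alice"))
    print("argv     :", safe_argv("user=alice"))
```

The property worth keeping from this example is that the check is an allow-list: the script names the characters it is prepared to pass on and rejects or rewrites everything else, so a new metacharacter or encoding trick does not need to be anticipated one by one. Building an argv list and calling the program without a shell removes the interpretation step entirely; quoting is only a backstop for the cases where a shell pipeline is unavoidable.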
- -----------------------------------------------------------------------------
The CERT Coordination Center thanks Wietse Venema for some of the material
used in the cgi_metacharacters tech tip.
We thank Mark Mills, Andrew McNaughton, and Greg Bacon for their communication
with us about the content of the tech tip.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).
CERT/CC Contact Information
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
http://ftp.cert.org/pub/CERT_PGP.key
Getting security information
CERT publications and other security information are available from
http://www.cert.org/
http://ftp.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
Copyright 1997, 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
*CERT is registered in the U.S. Patent and Trademark Office.
- ---------------------------------------------------------------------------
This file: http://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
Feb. 13, 1998 Updated the tech tip and removed Appendix A.
Nov. 13, 1997 Minor editorial change.
Nov. 12, 1997 Updated the Appendix to fix coding error.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBOBTAN1r9kb5qlZHQEQIhYwCdEKyoA2fEznwefaoJOFpB0y2OLgEAoIEy
EMZbgInO1QgrNCg7uyOLhfGY
=5nOt
-----END PGP SIGNATURE-----