TUCoPS :: Web :: Apps :: ca-9725.txt

Sanitizing User-Supplied Data in CGI Scripts

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT* Advisory CA-97.25.CGI_metachar
Original issue date: Nov. 10, 1997
Last revised: February 13, 1998
              Updated tech tip and remaoved Appendix A.

              A complete revision history is at the end of this file.

Topic: Sanitizing User-Supplied Data in CGI Scripts
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports and seen mailing list
discussions of a problem with some CGI scripts, which allow an attacker to
execute arbitrary commands on a WWW server under the effective user-id of the
server process. The problem lies in how the scripts are written, NOT in the
scripting languages themselves.

The CERT/CC team urges you to check all CGI scripts that are available via the
World Wide Web services at your site and ensure that they sanitize
user-supplied data. We have written a tech tip on how to do this (see Section
III).

We will update the tech tip (rather than this advisory) if we receive
additional information.

- -----------------------------------------------------------------------------

I.   Description

     Some CGI scripts have a problem that allows an attacker to execute
     arbitrary commands on a WWW server under the effective user-id of the
     server process. The cause of the problem is not the CGI scripting
     language (such as Perl and C). Rather, the problem lies in how an
     individual writes his or her script. In many cases, the author of the
     script has not sufficiently sanitized user-supplied input.

II.  Impact

     If user-supplied data is not sufficiently sanitized, local and remote
     users may be able to execute arbitrary commands on the HTTP server with
     the privileges of the httpd daemon. They may then be able to compromise
     the HTTP server and under certain configurations gain privileged access.


III. Solution

     We strongly encourage you to review all CGI scripts that are available
     via WWW services at your site. You should ensure that these scripts
     sufficiently sanitize user-supplied data.

     We recommend carrying out this review on a regular basis and whenever new
     scripts are made available.

     For advice about what to look for and how to address the problem,
     see our tech tip on meta-characters in CGI scripts, available from

        ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

     Note that because this problem is of a general nature, the tech tip
     demonstrates only the concept of the problem and its solution. The
     programmer and/or system administrator must ensure that any solution
     implemented is robust and does not break intended functionality.

     If you believe that a script does not sufficiently sanitize
     user-supplied data then we encourage you to disable the script and
     consult the script author for a patch.

     If the script author is unable to supply a patched version, sites with
     sufficient expertise may wish to patch the script themselves, adapting
     the material in our tech tip to meet whatever specification is required
     (such as the appropriate RFC).

     (NOTE: We cannot offer any further assistance on source code patching
     than that given in the tech tip mentioned above.)


- -----------------------------------------------------------------------------

The CERT Coordination Center thanks Wietse Venema for some of the material
used in the cgi_metacharacters tech tip.

We thank Mark Mills, Andrew McNaughton, and Greg Bacon for their communication
with us about the content of the tech tip.

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

- ---------------------------------------------------------------------------

Copyright 1997, 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Feb. 13, 1998 Updated the tech tip and removed Appendix A.
Nov. 13, 1997 Minor editorial change.
Nov. 12, 1997 Updated the Appendix to fix coding error.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBTAN1r9kb5qlZHQEQIhYwCdEKyoA2fEznwefaoJOFpB0y2OLgEAoIEy
EMZbgInO1QgrNCg7uyOLhfGY
=5nOt
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH