Internet Security Professional Reference:CGI Security


Chapter 14
CGI Security

Until recently, most machines providing Internet services ran a limited and controlled set of servers. Each of these carried risks, but over time their source code has been read and revised by numerous security experts, significantly lessening the dangers.

Since the advent of the World Wide Web (WWW) and CGI programming, many servers run CGI programs that have received little or no scrutiny, each of which takes on the role of a miniature server. These programs are often written without any recognition of the methods a cracker can use to compromise a system. This chapter examines a number of common mistakes and offers suggestions for the security-minded WWW administrator.

Introducing the CGI Interface

The Common Gateway Interface (CGI) was born at NCSA, home of the Mosaic WWW browser and the NCSA httpd WWW server. Its purpose is to provide a flexible, convenient mechanism for extending server function beyond the simple “get file and display” model built into http servers. It has succeeded quite well in that goal.


Note:  Although technically “CGI” refers to the interface, in common parlance it is often used to refer to the CGI program itself. Unfortunately, it is also common to see “CGI script” used to refer to any CGI program, whether or not it is a script. This confusion has been compounded by the common Web server terminology of “script directories” in which CGIs reside. This chapter uses “CGI program” and “CGI” interchangeably and avoids references to “CGI scripts” unless specifically discussing scripts (as opposed to compiled programs).

The idea behind CGI is that a WWW resource need not be a static page of text or any other kind of unchanging file. It can be a program that performs tasks and calculations on the server machine and outputs a dynamic document, possibly based on data supplied with the request via an HTML form. The full CGI specification should be examined before writing any programs. The address is http://hoohoo.ncsa.uiuc.edu/cgi/. HTML forms, the usual means for passing data to CGIs, must also be understood to use CGIs effectively. They are documented in the HTML 2.0 specification, RFC 1866: ftp://ds.internic.net/rfc/rfc1866.txt.

CGI is a language-independent interface, enabling the intrepid WWW programmer to generate dynamic documents in nearly any language. CGIs can be and have been written in any language that can read environment variables and standard input and produce output, although the most popular language is probably Perl, well loved for its extremely powerful string-handling capabilities. Most of the code examples in this chapter are in Perl, which is available for almost every platform in existence and has features (notably its taint-checking mode, enabled with the -T switch, which refuses to pass unchecked external input to dangerous operations such as file opens and subprocess execution) that make it very well suited to secure CGI programming.

A Unix system is assumed wherever explanations and code examples are platform specific; it is the most common platform for hosting WWW services. Web servers for other platforms are somewhat newer, and although some tout them as more secure, this is as yet unproven. It is true that some other operating systems are less complicated and therefore might be less prone to security problems, but they are probably also less capable of offering the full suite of Web capabilities.

Most of the principles discussed in this chapter apply equally well to any platform.

Why CGI Is Dangerous

The usual victim of a powerful and flexible interface is system security, and CGI is no exception. It is so easy to build CGIs that programmers often dash them off as they might any other simple program, never considering that every CGI is an Internet server and carries the same dangers.

A CGI is usually written to expect data in a particular format, but a remote client can send it arbitrary data of any length, in any field, by any request method. CGIs must therefore be written defensively: bound the size of what they read, validate every input against what the program actually expects, and abort cleanly (returning an error response rather than a partial or half-processed result) when presented with malicious or otherwise unexpected input.
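The following program, added here as an illustration and not taken from the chapter, shows one way to meet that requirement in Perl. It also shows the basic mechanism described under “Introducing the CGI Interface”: the server passes request metadata in environment variables and the POST body on standard input, and the program answers with headers followed by a document. The field names (user, age), the 4096-byte limit and the permitted patterns are assumptions chosen for this example; a real program would substitute its own schema.

```perl
#!/usr/bin/perl -T
# Added example (not from the chapter): a CGI that bounds, validates and
# untaints its input, and aborts with an HTTP error on anything unexpected.
# Runs under taint mode (-T) so unchecked input cannot reach dangerous operations.
use strict;
use warnings;

# Assumed policy for this example: an upper bound on what we will read, and an
# anchored, capturing pattern for every field the program is willing to accept.
my $MAX_BODY = 4096;
my %FIELD_RE = (
    user => qr/^([A-Za-z0-9_]{1,32})$/,
    age  => qr/^([0-9]{1,3})$/,
);

# Emit an error status and stop. Nothing from the request is echoed back.
sub fail {
    my ($code, $msg) = @_;
    print "Status: $code\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 0;
}

# Obtain the raw form data, enforcing the size limit before reading any of it.
sub read_request {
    my $method = $ENV{REQUEST_METHOD} || '';
    if ($method eq 'POST') {
        my $len = $ENV{CONTENT_LENGTH};
        fail(411, 'Content-Length required') unless defined $len && $len =~ /^[0-9]+$/;
        fail(413, 'request body too large')  if $len > $MAX_BODY;
        my $body = '';
        my $got  = read(STDIN, $body, $len);   # read exactly $len bytes, no more
        fail(400, 'short read') unless defined $got && $got == $len;
        return $body;
    }
    if ($method eq 'GET') {
        my $qs = $ENV{QUERY_STRING};
        $qs = '' unless defined $qs;
        fail(414, 'query string too long') if length($qs) > $MAX_BODY;
        return $qs;
    }
    fail(405, 'method not allowed');
}

# Decode name=value pairs and reject anything that does not fit the schema:
# unknown fields, duplicates, missing fields, or values outside the pattern.
sub parse_form {
    my ($data) = @_;
    my %out;
    for my $pair (split /[&;]/, $data) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) {                         # URL-decode in place
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        fail(400, 'unexpected field') unless exists $FIELD_RE{$k};
        fail(400, 'duplicate field')  if exists $out{$k};
        # Capturing through the anchored pattern both validates and untaints the value.
        my ($clean) = $v =~ $FIELD_RE{$k};
        fail(400, 'malformed value') unless defined $clean;
        $out{$k} = $clean;
    }
    for my $k (keys %FIELD_RE) {
        fail(400, 'missing field') unless exists $out{$k};
    }
    return \%out;
}

my $form = parse_form(read_request());
print "Content-Type: text/plain\r\n\r\n";
print "Hello, $form->{user}; you are $form->{age}.\n";
```

Under taint mode a value that has not passed through a capturing match remains tainted and cannot be used in a file name, a command line or a similar operation, so the schema check above is not merely a validation step but the only route by which request data can reach anything dangerous. The length cap is applied to the declared Content-Length before a single byte is read, and the error responses contain only fixed text, so neither oversized input nor the error path gives the client a way to control what the program does.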

General-use Internet servers such as sendmail and fingerd have been written with full cognizance of these dangers. Their sources have been perused by white hats and black hats alike in search of problems for years. Even so, security problems in them are not at all uncommon. In light of this, it is sheer foolishness to permit users to create CGI programs without carefully assessing the risks involved and acting to minimize them.

