CGI Attacks

Demo programs
Most HTTP servers come with a demo directory of CGI programs. Delete them or move them to another location. There have been many vulnerabilities in some of these scripts that allow anyone to execute any command on your server. This goes along with the philosophy of not allowing anything that you can't show is safe.

Input from forms
Never trust anything you receive from a form. Don't expect to receive the same fields you asked for. Don't expect to get bounded values for inputs. Check bounds and paths for everything.

File operation
If you have file input and output you should limit the characters allowable in the filenames. You might even want a hard coded list of files that are allowed to be read or written.

Avoid using world writable directories like /tmp or /var/tmp, since there might be something waiting in there, unless you're really careful. Make sure you explicitly set your umask to something reasonable. Check out the cool_unix workshop for more information on umask.
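The following is an added example, not code from the original page or from ACM@UIUC, showing how the advice in the Input from forms and File operation sections above looks in a C CGI program: form fields are looked up by name rather than assumed to be present, a numeric field is bounds-checked, filenames are restricted to a small character set and then to a hard-coded list of allowed files, and the umask is set explicitly before any file is created. The query string, the data directory /var/www/cgi-data/ and the allowed file names are all constructed for the example.

```c
/* Added example (not the page's own code): defensive input handling for a
 * C CGI program. The QUERY_STRING below is constructed; a real program would
 * read getenv("QUERY_STRING"). DATA_DIR and ALLOWED_FILES are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_NAME 64
#define COUNT_MIN 1
#define COUNT_MAX 100

/* Hypothetical directory holding the only files this script may touch. */
static const char *DATA_DIR = "/var/www/cgi-data/";

/* Hard-coded list of files this script is allowed to read or write. */
static const char *ALLOWED_FILES[] = { "report.txt", "summary.txt", NULL };

/* Copy the value of `key` from a raw key=value&key=value query into buf.
 * Returns 1 on success, 0 if the field is missing or too long (an over-long
 * value is rejected outright rather than silently truncated). */
int lookup_field(const char *query, const char *key, char *buf, size_t buflen)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= buflen)
                return 0;
            memcpy(buf, p + klen + 1, vlen);
            buf[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Parse a decimal integer and enforce the documented bounds; trailing junk
 * such as "25abc" is rejected rather than partially accepted. */
int parse_count(const char *s, long *out)
{
    char *endp;
    long v;
    if (*s == '\0')
        return 0;
    errno = 0;
    v = strtol(s, &endp, 10);
    if (errno != 0 || *endp != '\0')
        return 0;
    if (v < COUNT_MIN || v > COUNT_MAX)
        return 0;
    *out = v;
    return 1;
}

/* Allow only [A-Za-z0-9_.-] and no leading dot, so "/" and "../" never pass
 * and dotfiles cannot be named. */
int is_safe_filename(const char *name)
{
    size_t i, n = strlen(name);
    if (n == 0 || n >= MAX_NAME || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Stricter still: the name must appear in the hard-coded list. */
int is_allowed_file(const char *name)
{
    const char **f;
    for (f = ALLOWED_FILES; *f; f++)
        if (strcmp(*f, name) == 0)
            return 1;
    return 0;
}

/* Build DATA_DIR + name only after both checks pass. Returns 1 and fills
 * `out` on success, 0 otherwise. */
int build_safe_path(const char *name, char *out, size_t outlen)
{
    if (!is_safe_filename(name) || !is_allowed_file(name))
        return 0;
    if (snprintf(out, outlen, "%s%s", DATA_DIR, name) >= (int)outlen)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample query; note the unexpected "extra" field is ignored. */
    const char *query = "file=report.txt&count=25&extra=ignored";
    char name[MAX_NAME], count_s[16], path[256];
    long count;

    umask(077);  /* any file we create is readable and writable by our uid only */

    if (!lookup_field(query, "file", name, sizeof name) ||
        !lookup_field(query, "count", count_s, sizeof count_s)) {
        puts("Status: 400 Bad Request\n\nmissing field");
        return 1;
    }
    if (!parse_count(count_s, &count) ||
        !build_safe_path(name, path, sizeof path)) {
        puts("Status: 400 Bad Request\n\nrejected input");
        return 1;
    }
    printf("Content-Type: text/plain\n\nwould read %ld lines from %s\n", count, path);
    return 0;
}
```

Every rejection path returns a CGI 400 status and stops, so a request with a missing field, an out-of-range count, or a filename outside the list never reaches the file operation; the allowed-character check alone is not enough, which is why build_safe_path also requires the name to be on the hard-coded list.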

Error checking
As with any program that accepts user input, you should always check for errors in any operation where an error can occur. Your program should never assume anything is going to work and should be able to react reasonably to any error it encounters. This is just good programming.

Shell scripts
Shell scripts (sh, bash, csh, ksh, etc.) are attractive since they're simple, but they are very dangerous due to the ease of doing substitutions and such. Try to use something where you have more control, such as perl or C.

More information
A good list of pages on safe CGI scripts is available at http://www.go2net.com/people/paulp/cgi-security/
