[tpm] securing a CGI program from malicious user data
J. Bobby Lopez
jbl at jbldata.com
Wed Feb 18 13:42:22 PST 2009
There were a couple of times when I considered doing something like this for
various reasons. A few things to consider (if you haven't already).
- Use the 'system()' function with arguments, instead of a full
command-line string using back-ticks. This will reduce or eliminate the
need to strip special characters that could possibly be used to execute any
- Have your script do an md5 on the command and compare it to a protected
list somewhere, or to an array of md5 strings kept within your script.
- Chroot the commands that you want to execute. This means chrooting
"perl" itself, along with it's libraries.
- Have perl execute as a non-root account (you wouldn't believe how much
this is overlooked, and so simple to fix)
- Why use a text field? Use a select/dropdown, so you know exactly what
the user could possibly execute, and make sure you submit it via POST. Use
- Be strict with Apache, do not "FollowSymLinks" unless it is necessary.
Don't put data in the CGI directory. Don't make directories listable if
there isn't an 'index.html'
There are probably a lot of other things you can do, depending on how strict
you want to be. If you have the time, I say go whole-hog on it for the
experience, and share the details with us :)
On Wed, Feb 18, 2009 at 2:39 PM, Fulko Hew <fulko.hew at gmail.com> wrote:
> I'm providing a mechanism so that a system can be configured
> to 'run' executables on remote machines based on configuration
> information submitted in a CGI text field.
> Obviously I don't want to allow the user to trash the system.
> I'm going to:
> 1/ restrict the system to allow it to only execute 'trusted' apps
> located in a 'known' directory. (can I make a chroot jail in Perl/CGI?)
> 2/ strip characters from the invocation string that could be used to hurt
> semicolon - because another malicious command could follow
> backtic - because that could run another program
> ( ) - because that could invoke a sub-shell to run ...
> | - because that could invoke ...
> & - because other stuff might follow
> > - because that could clobber an important file
> any \0xxx string that represents any of the above 'nasty' characters.
> Tainging only talks about the concept, not what to de-taint.
> - Are there any other things I should check for/prevent?
> - Is there any standard/common resource on the web that you
> know of that talks about this (that I haven't found yet)?
> toronto-pm mailing list
> toronto-pm at pm.org
J. Bobby Lopez
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the toronto-pm