[tpm] securing a CGI program from malicious user data

J. Bobby Lopez jbl at jbldata.com
Wed Feb 18 13:42:22 PST 2009

There were a couple of times when I considered doing something like this for
various reasons.  A few things to consider (if you haven't already).

   - Use the 'system()' function with arguments, instead of a full
   command-line string using back-ticks.  This will reduce or eliminate the
   need to strip special characters that could possibly be used to execute any
   - Have your script do an md5 on the command and compare it to a protected
   list somewhere, or to an array of md5 strings kept within your script.
   - Chroot the commands that you want to execute.  This means chrooting
   "perl" itself, along with it's libraries.
   - Have perl execute as a non-root account (you wouldn't believe how much
   this is overlooked, and so simple to fix)
   - Why use a text field?  Use a select/dropdown, so you know exactly what
   the user could possibly execute, and make sure you submit it via POST.  Use
   - Be strict with Apache, do not "FollowSymLinks" unless it is necessary.
   Don't put data in the CGI directory.  Don't make directories listable if
   there isn't an 'index.html'

There are probably a lot of other things you can do, depending on how strict
you want to be.  If you have the time, I say go whole-hog on it for the
experience, and share the details with us :)

On Wed, Feb 18, 2009 at 2:39 PM, Fulko Hew <fulko.hew at gmail.com> wrote:

> Problem:
> I'm providing a mechanism so that a system can be configured
> to 'run' executables on remote machines based on configuration
> information submitted in a CGI text field.
> Obviously I don't want to allow the user to trash the system.
> I'm going to:
> 1/ restrict the system to allow it to only execute 'trusted' apps
>    located in a 'known' directory. (can I make a chroot jail in Perl/CGI?)
> 2/ strip characters from the invocation string that could be used to hurt
> me:
>     semicolon - because another malicious command could follow
>     backtic   - because that could run another program
>     ( )       - because that could invoke a sub-shell to run ...
>     |         - because that could invoke ...
>     &         - because other stuff might follow
>     >         - because that could clobber an important file
>     any \0xxx string that represents any of the above 'nasty' characters.
> Tainging only talks about the concept, not what to de-taint.
> - Are there any other things I should check for/prevent?
> - Is there any standard/common resource on the web that you
>   know of that talks about this (that I haven't found yet)?
> Fulko
> _______________________________________________
> toronto-pm mailing list
> toronto-pm at pm.org
> http://mail.pm.org/mailman/listinfo/toronto-pm

J. Bobby Lopez
Web: http://jbldata.com/
Twitter: http://www.twitter.com/jbobbylopez
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.pm.org/pipermail/toronto-pm/attachments/20090218/b8563f07/attachment.html>

More information about the toronto-pm mailing list