Re: Re: swish.cgi

From: Bill Moseley <moseley(at)>
Date: Mon Dec 03 2001 - 23:36:14 GMT

At 02:18 PM 12/03/01 -0800, David L Norris wrote:
>Most (recent) issues have been buffer overflows (CGIs, modules, etc
>exposing buffer probs in IIS itself) allowing "root" compromises;
>rootkits are popular payloads.
>Shell exploits aren't much of an issue.  The NT/DOS shells are really
>rather worthless.  My advice?  Allow only valid character ranges through
>to the shell.  The main issues in my mind are overwriting files with >
>and executing arbitrary commands with a |.  I don't believe there is a
>fool-proof method of escaping characters.

That's why I fork/exec in the CGI scripts.  That avoids the shell completely.

The advantage of using that method is that perl under windows can't use
that method ;)  I don't run anything under windows, so I don't know what's
safe and what's not.  Further, I've asked specifically on the CGI news
groups, Activestate list, and other places where people that should know
these things frequent, and have never received an answer.  Maybe I was
asking the wrong question.  It's common to only allow in known good
characters, but I've seen enough hacks that I'm not 100% sure that method
can't be broken.  Therefore, I don't feel comfortable providing a CGI
script where I'm not clear on the security issues.

>I have a separate, well commented config file for my PHP script.  I also
>(try to) put procedural code into a separate file to keep the interface
>code clean.  I require these files into the interface script.

That's the rub.  Seems common that people like a single file that does it
all to make installation easy.  Yet, that doesn't result in the cleanest
coding practices.

>> I'd love to see someone do PHP or Python or JSP examples, too.
>Examples of what in PHP?  Let me know and I'll have a look.

A web interface for swish -- there should be more options than perl.

Bill Moseley
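
The fork/exec approach mentioned in this message, as an added example that is not part of the original post or of the swish-e distribution: the child is started with an argument list, so characters such as `|` and `>` reach the program as plain data. The helper name `run_no_shell`, the sample query and the stand-in child program are constructed for illustration, and a Unix-like system with a real fork is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: run $program with @args and return its output lines.
sub run_no_shell {
    my ($program, @args) = @_;

    # Arguments are passed as C strings, so an embedded NUL would truncate one.
    for my $arg (@args) {
        die "NUL byte in argument\n" if $arg =~ /\0/;
    }

    # Forking open: the parent reads from $fh what the child writes to STDOUT.
    my $pid = open(my $fh, '-|');
    die "fork failed: $!\n" unless defined $pid;

    if ($pid == 0) {
        # Child: list-form exec with an explicit program goes straight to
        # execvp(), so no shell ever parses the arguments.
        exec { $program } $program, @args
            or do { print STDERR "exec failed: $!\n"; exit 127 };
    }

    my @lines = <$fh>;
    close($fh);    # waits for the child and sets $?
    die "child exited with status " . ($? >> 8) . "\n" if $?;
    chomp @lines;
    return @lines;
}

# Constructed input: a query full of characters a shell would act on.
my $query = 'apache | id > out.txt; echo $HOME';

# Avoiding the shell does not stop the target program from reading a leading
# "-" as one of its own options, so that is still rejected here.
die "query must not start with '-'\n" if $query =~ /^\s*-/;

# Constructed stand-in for the search binary: perl printing each argument
# it receives in brackets, one per line.
my @standin = ('-e', 'print "[$_]\n" for @ARGV', '--');

print "$_\n" for run_no_shell($^X, @standin, '-w', $query, '-f', 'index.swish-e');
```

The whole query is printed inside a single pair of brackets, which shows it arrived as one argument and was never split or interpreted on the way.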
