Securing CGI scripts

Forum Moderators: coopster & phranque

Message Too Old, No Replies

Securing CGI scripts

sugarkane

10:06 am on Feb 16, 2001 (gmt 0)

I'm trying to put together a checklist of ways of making CGI scripts as secure as they can be - more of a best practice guide rather than a language or command specific thing.

This is what I've come up with so far:

- Check that the referring URL is what it should be

- Validate that user input is sane eg an alpha numneric field shouldn't contain control characters

- Never blindly pass user input to an external program as an argument

- All writable files should be in a seperate directory so that permissions on your cgi-bin can be made secure

- Remove all backup files (eg foo.cgi~ ) from your script directory, as they will be served up as text giving a hacker plenty of food for thought.

I ran out of ideas at this point. Has anyone any more, or disagree with any of these?

han solo

7:22 pm on Feb 20, 2001 (gmt 0)

What is the default extension when a back up is created? I've decided this might be good research...:) and would like to see if some people indeed forgot to delete the back up.

Care to share? I'm still learning perl, or else I might actually know this one.

Cheers,

Han Solo

Or you could sticky mail me, if you don't want to post..after all, it wouldn't be good to start the revolution from one casual post, yes?

Air

12:01 am on Feb 21, 2001 (gmt 0)

It is fairly normal practice to strip out characters form input received from a form or elsewhere, the thinking being that potentially harmful characters are listed and removed. But it is far more secure to do the reverse, i.e. accept only characters expected from such input and discard the rest.

mivox

12:13 am on Feb 21, 2001 (gmt 0)

For feedback form/order form type scripts, I had one client who specifically excluded replies from "free email" accounts, so you had to enter a valid ISP/paid webhost email address into the form. The thinking being, most people would not want to risk their internet access or webhosting by entering screwy things into the form or placing prank orders....

Not really something that would fall under stander precautions or practices, but a good option for some applications.

Vittal Aithal

12:09 pm on Feb 21, 2001 (gmt 0)

Probably worthwhile reading:
[securityportal.com...]

vittal

sugarkane

12:33 pm on Feb 21, 2001 (gmt 0)

Hi Vittal, welcome to WmW

Nice link - plenty to chew on :)