Policing user CGI scripts


Policing user CGI scripts Akop Pogosian 07-04-2004
Posted by Akop Pogosian on July 4, 2004, 5:20 pm
Does there exist a security tool that can be used to scan the user
home directories for presence of the versions of popular, freely
distributed CGI or .php scripts that have well known security
problems? Of course, if such tool could also look for the dangerous
code in general that would be even better.


-akop


Posted by all mail refused on July 4, 2004, 7:25 pm

>Does there exist a security tool that can be used to scan the user
>home directories for presence of the versions of popular, freely
>distributed CGI or .php scripts that have well known security
>problems? Of course, if such tool could also look for the dangerous
>code in general that would be even better.

You'd have to decide what you call a security problem -
have you got an AUP for these users ?

It's fairly easy to scan CGIs for lack of tainting and use
of the
system([^,]+)
exec([^,]+)
and
open("$foo|"), open("|$foo")
constructions.

I like to constrain code where possible so that it can't
have unwanted results. (Consider SubDomain, systrace etc)

For instance I like webservers to accept TCP traffic on just
2 ports (80, 22) and cannot originate any TCP traffic at all.
That prevents spam relaying and the like without needing
to know the properties of the CGIs.

--
Elvis Notargiacomo master AT barefaced DOT cheek
http://www.notatla.org.uk/goen/
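The scan described in the reply above, written out as an added example that is not part of the thread or of any tool named in it: it walks a directory tree, picks out Perl CGI files by suffix, and flags a shebang line without the -T taint switch, single-argument system()/exec() calls (the form Perl hands to /bin/sh), and two-argument open() calls whose mode string starts or ends with a pipe. Backticks are also flagged, which the post does not mention; the two sample scripts, the directory layout and the suffix list are constructed for the demo.

```python
"""Heuristic scanner for risky constructions in user-supplied Perl CGI scripts.
Example code written for this page; the sample scripts below are constructed."""
import os
import re
import tempfile

# Assumed suffixes for user CGI scripts (constructed list, adjust per site)
CGI_SUFFIXES = (".cgi", ".pl")

# Shebang invoking perl with a -T switch, alone or bundled (e.g. -wT)
TAINT_RE = re.compile(r"^#!.*\bperl.*\s-\w*T\b")
# system(...) / exec(...) with exactly one argument: a lone string holding
# shell metacharacters is passed to /bin/sh, so interpolated input is risky
SHELL_CALL_RE = re.compile(r"\b(system|exec)\s*\(\s*([^,()]+)\)")
# Two-argument open() whose second argument begins or ends with a pipe
PIPE_OPEN_RE = re.compile(r"""\bopen\s*\(\s*[^,]+,\s*(["'])(\s*\|.*?|.*?\|\s*)\1""")
# Backticks interpolating a variable (added here; not named in the post)
BACKTICK_RE = re.compile(r"`[^`]*\$[^`]*`")


def scan_source(name, text):
    """Return (name, line_no, kind, code) tuples for each flagged line."""
    findings = []
    lines = text.splitlines()
    first = lines[0] if lines else ""
    if first.startswith("#!") and "perl" in first and not TAINT_RE.match(first):
        findings.append((name, 1, "no-taint", first.strip()))
    for num, line in enumerate(lines, 1):
        code = line.strip()
        if code.startswith("#"):          # skip comment-only lines
            continue
        if SHELL_CALL_RE.search(code):
            findings.append((name, num, "shell-call", code))
        if PIPE_OPEN_RE.search(code):
            findings.append((name, num, "pipe-open", code))
        if BACKTICK_RE.search(code):
            findings.append((name, num, "backticks", code))
    return findings


def scan_tree(root):
    """Scan every CGI-suffixed file below root (e.g. a /home tree)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(CGI_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(path, fh.read()))
    return findings


# Constructed sample: no taint mode, shell-form system(), pipe open, backticks
BAD_SCRIPT = r"""#!/usr/bin/perl -w
use CGI;
my $q = CGI->new;
my $user = $q->param('user');
system("finger $user");
open(LOG, "| mail $user");
my $out = `ls $user`;
"""

# Constructed sample: taint mode on, input untainted by a regex capture,
# list-form system() (no shell), three-argument open() without a pipe
GOOD_SCRIPT = r"""#!/usr/bin/perl -wT
use CGI;
my $q = CGI->new;
my ($user) = $q->param('user') =~ /^(\w+)$/ or die;
system("/usr/bin/finger", $user);
open(my $fh, "<", "/var/log/x") or die;
"""


def demo():
    """Write the samples into a scratch home-directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "alice", "public_html")
        os.makedirs(home)
        samples = (("bad.cgi", BAD_SCRIPT), ("good.cgi", GOOD_SCRIPT),
                   ("notes.txt", BAD_SCRIPT))   # .txt is not scanned
        for fn, body in samples:
            with open(os.path.join(home, fn), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, num, kind, code in demo():
        print(f"{path}:{num}: {kind}: {code}")
```

The regexes are deliberately loose: a match is a line to read by hand, not proof of a hole, and a script that builds a command string before calling system() will slip past the single-argument check. Running the scan from cron over the home tree and diffing against the previous run is a cheap way to notice newly uploaded scripts that need a look.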


Posted by on July 4, 2004, 10:43 pm
On Sun, 4 Jul 2004 17:20:47 +0000 (UTC), Akop Pogosian

>Does there exist a security tool that can be used to scan the user
>home directories for presence of the versions of popular, freely
>distributed CGI or .php scripts that have well known security
>problems? Of course, if such tool could also look for the dangerous
>code in general that would be even better.
>
>
>-akop


While looking for known vulnerable cgi-scripts is a good idea, it's
not a complete solution. How do you handle poorly written scripts
created by users?

Best bet is to limit the environment and control what damage any
errant script can do. As another poster stated, proper firewall
controls are a good idea. Setting up the webserver to run cgi-scripts
as a safe user is vital. I know at least one provider that runs all
cgi-scripts under a single account which allows scripts to see other
users files (horrible idea).


-Chris


