Professional Documents
Culture Documents
Please Note:
We have noticed several reports to us and to public mailing lists about CGI
scripts that allow an attacker to execute arbitrary commands on a WWW
server under the effective user-id of the server process.
In many of these cases, the author of the script has not sufficiently
sanitized user-supplied input.
2. Definition of "Sanitize"
A script writer who is aware of the need to sanitize data may decide to
remove a number of well-known meta-characters from the script and replace
them with underscores. A common but inadvisable way to do this is by
removing particular characters.
#!/usr/local/bin/perl
$user_data = $ENV{'QUERY_STRING'}; # Get the data
print "$user_data\n";
$user_data =~ s/[\/ ;\[\]\<\>&\t]/_/g; # Remove bad characters. WRONG!
print "$user_data\n";
exit(0);
In C:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int
main(int argc, char *argv[], char **envp)
{
static char bad_chars[] = "/ ;[]<>&\t";
4. A Recommended Approach
char *percent_x(...)
{
{...}
static char ok_chars[] = "1234567890!@%-_=+:,./\
abcdefghijklmnopqrstuvwxyz\
ABCDEFGHIJKLMNOPQRSTUVWXYZ";
{...}
{...}
The benefit of this approach is that the programmer is certain that
whatever string is returned, it contains only characters now under his or her
control.
This approach contrasts with the approach we discussed earlier. In the earlier
approach, which we do not recommend, the programmer must ensure that he or she
traps all characters that are unacceptable, leaving no margin for error. In
the recommended approach, the programmer errs on the side of caution and only
needs to ensure that acceptable characters are identified; thus the programmer
can be less concerned about what characters an attacker may try in an attempt
to bypass security checks.
#!/usr/local/bin/perl
$_ = $user_data = $ENV{'QUERY_STRING'}; # Get the data
print "$user_data\n";
$OK_CHARS='-a-zA-Z0-9_.@'; # A restrictive list, which
# should be modified to match
# an appropriate RFC, for example.
s/[^$OK_CHARS]/_/go;
$user_data = $_;
print "$user_data\n";
exit(0);
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int
main(int argc, char *argv[], char **envp)
{
static char ok_chars[] = "abcdefghijklmnopqrstuvwxyz\
ABCDEFGHIJKLMNOPQRSTUVWXYZ\
1234567890_-.@";
user_data = getenv("QUERY_STRING");
printf("%s\n", user_data);
for (cp = user_data; *(cp += strspn(cp, ok_chars)); /* */)
*cp = '_';
printf("%s\n", user_data);
exit(0);
}
Some questions that we have received from sites indicate the mistaken belief
that this sanitization technique only needs to be applied to user data that
is passed to the environment in which the application is executing. This
is not strictly true.
For instance, many Perl scripts accept arbitrary filenames from users.
While the script should obviously check the filename to ensure that it
represents a file that the user should have access to, the first step in
any filename processing should be sanitization (as discussed above). The
reason for this is that metacharacters (such as ">" and "|") have special
meaning in file oriented functions in Perl.
Another example is Perl scripts which call the eval function, using
user-supplied arguments. A call to eval essentially represents the
execution of a mini-program within the Perl script being executed.
Programmers are encouraged to ensure that control is maintained over the
content of the user-supplied data with the intent of preventing the user
executing uncontrolled instructions within that environment.
5. Recommendation
We strongly encourage you to review all CGI scripts available via your web
server to ensure that any user-supplied data is sanitized using the approach
described in Section 4, adapting the example to meet whatever specification
you are using (such as the appropriate RFC).
6. Additional Tips
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
Please note that the CERT/CC and AUSCERT do not endorse the URL that
appears above. If you have any problem with the sites, please contact
the site administrator.
Wall, et al, discusses techniques and resources that can be used for
handling user-supplied data within Perl in this book:
_Programming Perl_, Larry Wall, Tom Christiansen and Randall
L. Schwartz, 2nd edition, O'Reilly and Associates, 1996.
Another resource that sites can consider is the CGI.pm module. Details
about this module are available from:
http://www.genome.wi.mit.edu/ftp/pub/software/WWW/cgi_docs.html
This module provides mechanisms for creating forms and other web-based
applications. Be aware, however, that it does not absolve the programmer
from the safe-coding responsibilities discussed above.
iQCVAwUBNOR/DHVP+x0t4w7BAQGtSQQAznnqbO80fvDgD4eIwug5h4mzKXn7vM0f
bbw7f4TyECsTH7OKqT0KLs4L+QDfYxYNwUz6NROriz13+ZMaankU7iXpcI1evvz+
oELq0tFe3NZcVSNf025RHJOd4eFm1xw61no+ebRsJ2cauxO8aA2xdCGAIoUoyUMN
da+uD0bb9WY=
=pIVH
-----END PGP SIGNATURE-----