LinuxQuestions.org
Old 10-24-2004, 03:17 PM   #1
macnut
LQ Newbie
 
Registered: Sep 2004
Posts: 18

Rep: Reputation: 0
Secure CGI Scripts?


I'd like to set up formmail and guestbook scripts on my personal Debian Linux server. But I've learned that CGI scripts can make a server more vulnerable to being hacked. How do I set these scripts, or any others I may want, up securely? Are certain scripts more secure than others, and if so, which ones are least vulnerable?

Thanks in advance for your replies.
 
Old 10-24-2004, 03:48 PM   #2
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Basically, you need to validate the hell out of all input strings before you use them.
People will try to break programs with buffer overflow exploits, and inject code into scripts.

For example, if you wrote a CGI script to get the number of days in a user-specified month, an attacker might enter the month string as "6 ; rm -fr /"

Then the CGI script would run the command

"days_in_month 6 ; rm -fr /"

which would run the programs "days_of_month_6" then delete every file on the hard disk which is writable.

So validate, validate and validate!
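
The validation described in the post above, as an added example that is not part of the original post: it accepts only the strings "1" to "12" and then runs the helper with an argument list, so no shell ever parses the value. The helper is a constructed stand-in for the post's hypothetical days_in_month program, and the year 2004 is an assumption made only to fix the output.

```python
import re
import subprocess
import sys

# Constructed stand-in for the post's hypothetical `days_in_month` program:
# a Python one-liner that prints the number of days in a month of 2004
# (the year is an assumption made only so the output is fixed).
HELPER = [sys.executable, "-c",
          "import calendar, sys;"
          "print(calendar.monthrange(2004, int(sys.argv[1]))[1])"]

# Allow-list: exactly the strings "1" .. "12", nothing else.
MONTH_RE = re.compile(r"[1-9]|1[0-2]")


def unsafe_command_line(raw):
    """String the vulnerable script would hand to a shell (built, never run)."""
    return "days_in_month " + raw


def parse_month(raw):
    """Reject anything that is not a plain month number before using it."""
    if not isinstance(raw, str) or not MONTH_RE.fullmatch(raw):
        raise ValueError("month must be a number from 1 to 12")
    return int(raw)


def days_in_month(raw):
    """Validate first, then run the helper without any shell."""
    month = parse_month(raw)
    # argv is passed as a list and shell=False is the default: the value is
    # one argument to one program, so ';' has no special meaning even if the
    # validation above were ever loosened.
    result = subprocess.run(HELPER + [str(month)], capture_output=True,
                            text=True, check=True, timeout=30)
    return int(result.stdout.strip())


if __name__ == "__main__":
    # Constructed sample inputs, including the string from the post.
    for raw in ["6", "2", "6 ; rm -fr /", "6\n", "13"]:
        try:
            print(repr(raw), "->", days_in_month(raw))
        except ValueError as err:
            print(repr(raw), "rejected:", err)
```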
 
Old 10-25-2004, 02:11 AM   #3
macnut
LQ Newbie
 
Registered: Sep 2004
Posts: 18

Original Poster
Rep: Reputation: 0
I don't really have the skill to write such scripts myself - I'd rather download and install an already written script, and configure it to run securely. Any suggestions on what scripts to look for and how to run them securely?
 
Old 10-25-2004, 08:35 AM   #4
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Run them securely by making sure the permissions and access rights are set correctly.
Also look into chroot jailing.

But the first defence is a secure script...
It's going to be impossible to make an unsecure script run securely.

A secure script is the first line of defence.

As for where to get them... I don't know.

But wherever possible use CGI scripts from trusted places, not just random parts of example code people post on forums.
 
  


All times are GMT -5.