COMMAND

    sanitizing user-supplied data in CGI scripts

SYSTEMS AFFECTED

    Systems running vulnerable CGI scripts

PROBLEM

    The following information is based on CERT Advisory CA-97.25, which
    covers sanitizing user-supplied data in CGI scripts. Some CGI
    scripts have a problem that allows an attacker to execute arbitrary
    commands on a WWW server under the effective user-id of the server
    process. The cause of the problem is not the CGI scripting language
    (such as Perl or C). Rather, the problem lies in how an individual
    writes his or her script: in many cases the author of the script
    has not sufficiently sanitized user-supplied input.

    If user-supplied data is not sufficiently sanitized, local and
    remote users may be able to execute arbitrary commands on the HTTP
    server with the privileges of the httpd daemon. They may then be
    able to compromise the HTTP server and, under certain
    configurations, gain privileged access. Note also that many
    exploits of this kind can be found on these Security Bugware pages.

SOLUTION

    It is strongly recommended to review all CGI scripts that are
    available via WWW services at your site. You should ensure that
    these scripts sufficiently sanitize user-supplied data.

    For advice about what to look for and how to address the  problem,
    see our tech tip on meta-characters in CGI scripts, available from

        ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

    CERT may update this tech tip  in the future, so please check  the
    electronic version for the most current information.

    If  you  believe  that  a  script  does  not sufficiently sanitize
    user-supplied data then we encourage you to disable the script and
    consult the script author  for a patch.   If the script author  is
    unable  to  supply  a  patched  version,  sites  with   sufficient
    expertise may wish  to patch the  script themselves, adapting  the
    material  in  CERT's  tech  tip  to meet whatever specification is
    required (such as the appropriate RFC).
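
    The following Python example is added here to illustrate the advice
    above; it is not part of the CERT advisory or its tech tip. It
    contrasts the vulnerable pattern (a raw form value interpolated into
    a shell command line) with the hardened pattern (allow-list
    validation, then an argument vector passed to the program without a
    shell). The form parameter name and the "echo" stand-in for the
    real lookup program are assumptions made for the example.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Allow-list of what a legitimate value (a hypothetical "name" form
# field) may contain.  Anything else, including shell metacharacters
# such as ; | & ` $ ( ) < > and newlines, is rejected rather than
# escaped: decide what is allowed, not what is forbidden.  The first
# character may not be "-" so the value cannot be read as an option.
ALLOWED = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,31}\Z")


def validate(user_value: str) -> Optional[str]:
    """Return the value unchanged if it passes the allow-list, else None."""
    return user_value if ALLOWED.match(user_value) else None


def unsafe_shell_tokens(user_value: str) -> List[str]:
    """Vulnerable pattern: the raw value is interpolated into a command
    string (e.g. Perl: system("finger $name")) that /bin/sh then parses.
    Nothing is executed here; shlex only tokenises the string the way a
    shell would, so any extra command tokens become visible."""
    command_line = "finger " + user_value
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_argv(user_value: str) -> List[str]:
    """Hardened pattern: validate first, then build an argument vector
    that is handed to the program directly, so no shell ever parses it.
    Returns an empty list when the value is rejected."""
    value = validate(user_value)
    if value is None:
        return []
    # "echo" is a placeholder for the real lookup program so that the
    # example runs offline.
    return ["echo", "lookup:", value]


def run_lookup(user_value: str) -> str:
    """Run the hardened argv without a shell; report rejected input."""
    argv = safe_argv(user_value)
    if not argv:
        return "rejected"
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()
```

    With a value such as "alice;id", unsafe_shell_tokens() shows the
    shell seeing a second command, while safe_argv() rejects the value
    outright.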

    Another resource  that sites  can consider  is the  CGI.pm module.
    Details about this module are available from:

        http://www.genome.wi.mit.edu/ftp/pub/software/WWW/cgi_docs.html

    This  module  provides  mechanisms  for  creating  forms and other
    web-based  applications.  Be  aware,  however,  that  it  does not
    absolve  the  programmer  from  the  safe-coding  responsibilities
    discussed above.