|Do you know where your variables are?|
Perl, CGI, and Securityby Ovid (Cardinal)
|on Aug 13, 2000 at 09:37 UTC||Need Help??|
I'm a little concerned about this post as generally I would not trust anyone who would post what I am about to post.
As many of you know, I have been contemplating writing a free online "CGI with Perl" course. I anticipate that this will be an extremely long project and have been looking for fellow Perl freaks to assist, or at least to peer review my work. I intend for this to be a better resource than those currently available on the Web and my desire to use strict, -w, and CGI.pm are all part of this.
My biggest concern, however, is security. If everything else in someone's script falls to pieces, at least they can pick up those pieces if their script is secure. To this end, I would like to create "Security Checkpoints" throughout the course to alert students to potential pitfalls. A major problem with many online CGI courses and quite a few CGI books is that they warn about security pitfalls but do not bother to detail them. My concern: how can you know what a security hole is if you cannot exploit it?
That brings me to the heart of the problem. While I don't want to publish a hackers tutorials (and I'm not qualified to do so), I believe that those learning CGI need to see specific, concrete examples of security holes and how to exploit them. How can you protect against attacks you don't understand? What does it mean that some versions of Minivend allow a pipe character in certain text fields? What's the problem with printing a user's input directly back to a Web page? And here's a nasty one: did you know that some Unix-like operating systems use a caret '^' for redirection instead of a pipe? Do you always check for that when you untaint data?
I am not a security expert and I don't know the ins and outs of setuid or system calls. Therefore, while I understand the general concepts, I can't detail specifics terribly well. All of my CGI scripts involve very tight taint checking of variables that are used for database work. I don't do sysadmin work and my work CGI e-mails generally involves sending out canned e-mails that can be used as a resource to check out data. In short: I do nothing that is uncontrolled (that I'm aware of). What this means is that in many respects I am not the best person to be writing this course, but no one else is stepping up to the plate and there is a huge need for good information. Therefore, I need help.
I need monks who can provide me with specific, concrete examples of security issues and how they can be exploited. Either write them up and send them to me or send me links that may assist. I'll need OS specific information, problems with race conditions, server-side include vulnerabilities, etc. You can send them to firstname.lastname@example.org. I thought about simply having them posted to this site since I was planning on publishing them anyway, but I realize that many may be uncomfortable with that. If you would like credit for the vulnerability you send, please let me know.
It's difficult to trust anyone one the Web, so I understand that some may have concerns about this. If so, feel free to ignore this post. However, if you would like to support this endeavor, you may wish to read over some of my earlier posts to determine my "qualifications". Two particularly relevant ones are:
Thanks in advance!