[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Interpreters in CGI bin Directories

Title: Interpreters in CGI bin Directories
Released by: CERT
Date: 29th May 1996
Printable version: Click here

Hash: SHA1


CERT(*) Advisory CA-96.11

Original issue date: May 29, 1996

Last Revised: September 24, 1997

              Updated copyright statement

              A complete revision history is at the end of this file.

Topic: Interpreters in CGI bin Directories

- -----------------------------------------------------------------------------

Many sites that maintain a Web server support CGI programs. Often these

programs are scripts that are run by general-purpose interpreters, such as

/bin/sh or PERL. If the interpreters are located in the CGI bin directory

along with the associated scripts, intruders can access the interpreters

directly and arrange to execute arbitrary commands on the Web server system.

This problem has been widely discussed in several forums. Unfortunately, some

sites have not corrected it.

The CERT Coordination Center recommends that you never put interpreters in a

Web server's CGI bin directory.

We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     To execute CGI scripts, a Web server must be able to access the

     interpreter used for that script. Early documentation for Netscape and

     other servers recommended placing the interpreters in the CGI bin

     directory to ensure that they were available to run the script.

     All programs in the CGI bin directory can be executed with arbitrary

     arguments, so it is important to carefully design the programs

     to permit only the intended actions regardless of what arguments are

     used. This is difficult enough in general, but is a special problem for

     general-purpose interpreters since they are designed to execute

     arbitrary programs based on their arguments. *All* programs in the

     CGI bin directory must be evaluated carefully, even relatively

     limited programs such as gnu-tar and find.

     Note that the directory for CGI programs is typically called "cgi-bin"

     but the server may be configured to use a different name.

II.  Impact

     If general-purpose interpreters are accessible in a Web server's CGI bin

     directory, then a remote user can execute any command the interpreters

     can execute on that server.

III. Solution

     The solution to this problem is to ensure that the CGI bin directory

     does not include any general-purpose interpreters, for example

             + PERL

             + Tcl

             + UNIX shells (sh, csh, ksh, etc.)

     A variety of methods can be used to safely install such interpreters;

     methods vary depending on the system and Web server involved.

     On Unix systems, the location of the interpreter is given on the first

     line of the script:

        #! /path/to/interpreter

     On other systems, such as NT, there is an association between filename

     extensions and the applications used to run them. If your Web server

     uses this association, you can give CGI scripts an appropriate suffix

     (for example, ".pl" for PERL), which is registered to the appropriate

     interpreter. This avoids the need to install the interpreter in the

     CGI bin directory, thus avoiding the problem.

     Check with your Web server vendor for specific information.

     Netscape reports that the 2.0 versions of their FastTrack and Enterprise

     Servers, (both the current Beta and upcoming final versions), do support

     file interpreter associations.

     Further reading:

        Tom Christiansen has a Web page with details about this problem

        and a script that can be used to test for it:


         Lincoln Stein's WWW Security FAQ includes a section on "Problems

         with Specific Servers," which discusses this and related problems:


- ---------------------------------------------------------------------------

The CERT Coordination Center thanks Lincoln Stein, Tom Christiansen, and the

members of AUSCERT and DFN-CERT for their contributions to the information in

this advisory.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident

Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.

The CERT Coordination Center can support a shared DES key and PGP. Contact

the CERT staff for more information.

Location of CERT PGP key


CERT Contact Information

- ------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST

                (GMT-5)/EDT(GMT-4), and are on call for

                emergencies during other hours.

Fax      +1 412-268-6989

Postal address

        CERT Coordination Center

        Software Engineering Institute

        Carnegie Mellon University

        Pittsburgh PA 15213-3890


CERT publications, information about FIRST representatives, and other

security-related information are available for anonymous FTP from



CERT advisories and bulletins are also posted on the USENET newsgroup


To be added to our mailing list for CERT advisories and bulletins, send your

email address to


- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision history

Sep. 24, 1997  Updated copyright statement

Aug. 30, 1996  Removed references to CA-96.11.README.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.