[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Sanitizing User-Supplied Data in CGI Scripts

Title: Sanitizing User-Supplied Data in CGI Scripts
Released by: CERT
Date: 10th November 1997
Printable version: Click here

Hash: SHA1

CERT* Advisory CA-97.25.CGI_metachar

Original issue date: Nov. 10, 1997

Last revised: February 13, 1998

              Updated tech tip and remaoved Appendix A.

              A complete revision history is at the end of this file.

Topic: Sanitizing User-Supplied Data in CGI Scripts

- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports and seen mailing list

discussions of a problem with some CGI scripts, which allow an attacker to

execute arbitrary commands on a WWW server under the effective user-id of the

server process. The problem lies in how the scripts are written, NOT in the

scripting languages themselves.

The CERT/CC team urges you to check all CGI scripts that are available via the

World Wide Web services at your site and ensure that they sanitize

user-supplied data. We have written a tech tip on how to do this (see Section


We will update the tech tip (rather than this advisory) if we receive

additional information.

- -----------------------------------------------------------------------------

I.   Description

     Some CGI scripts have a problem that allows an attacker to execute

     arbitrary commands on a WWW server under the effective user-id of the

     server process. The cause of the problem is not the CGI scripting

     language (such as Perl and C). Rather, the problem lies in how an

     individual writes his or her script. In many cases, the author of the

     script has not sufficiently sanitized user-supplied input.

II.  Impact

     If user-supplied data is not sufficiently sanitized, local and remote

     users may be able to execute arbitrary commands on the HTTP server with

     the privileges of the httpd daemon. They may then be able to compromise

     the HTTP server and under certain configurations gain privileged access.

III. Solution

     We strongly encourage you to review all CGI scripts that are available

     via WWW services at your site. You should ensure that these scripts

     sufficiently sanitize user-supplied data.

     We recommend carrying out this review on a regular basis and whenever new

     scripts are made available.

     For advice about what to look for and how to address the problem,

     see our tech tip on meta-characters in CGI scripts, available from


     Note that because this problem is of a general nature, the tech tip

     demonstrates only the concept of the problem and its solution. The

     programmer and/or system administrator must ensure that any solution

     implemented is robust and does not break intended functionality.

     If you believe that a script does not sufficiently sanitize

     user-supplied data then we encourage you to disable the script and

     consult the script author for a patch.

     If the script author is unable to supply a patched version, sites with

     sufficient expertise may wish to patch the script themselves, adapting

     the material in our tech tip to meet whatever specification is required

     (such as the appropriate RFC).

     (NOTE: We cannot offer any further assistance on source code patching

     than that given in the tech tip mentioned above.)

- -----------------------------------------------------------------------------

The CERT Coordination Center thanks Wietse Venema for some of the material

used in the cgi_metacharacters tech tip.

We thank Mark Mills, Andrew McNaughton, and Greg Bacon for their communication

with us about the content of the tech tip.

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident Response

and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information

- ----------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)

                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address

         CERT Coordination Center

         Software Engineering Institute

         Carnegie Mellon University

         Pittsburgh PA 15213-3890


Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We can

   support a shared DES key or PGP. Contact the CERT/CC for more information.

   Location of CERT PGP key


Getting security information

   CERT publications and other security information are available from



   CERT advisories and bulletins are also posted on the USENET newsgroup


   To be added to our mailing list for advisories and bulletins, send

   email to


   In the subject line, type

        SUBSCRIBE  your-email-address

- ---------------------------------------------------------------------------

Copyright 1997, 1998 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: http://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar


               click on "CERT Advisories"


Revision history

Feb. 13, 1998 Updated the tech tip and removed Appendix A.

Nov. 13, 1997 Minor editorial change.

Nov. 12, 1997 Updated the Appendix to fix coding error.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.