[ SOURCE: http://www.secureroot.com/security/advisories/9640312605.html ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT* Advisory CA-97.25.CGI_metachar
Original issue date: Nov. 10, 1997
Last revised: February 13, 1998
              Updated tech tip and removed Appendix A.

              A complete revision history is at the end of this file.

Topic: Sanitizing User-Supplied Data in CGI Scripts
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports and seen mailing list
discussions of a problem with some CGI scripts, which allow an attacker to
execute arbitrary commands on a WWW server under the effective user-id of
the server process. The problem lies in how the scripts are written, NOT in
the scripting languages themselves.

The CERT/CC team urges you to check all CGI scripts that are available via
the World Wide Web services at your site and ensure that they sanitize
user-supplied data. We have written a tech tip on how to do this (see
Section III). We will update the tech tip (rather than this advisory) if we
receive additional information.

- -----------------------------------------------------------------------------

I.   Description

     Some CGI scripts have a problem that allows an attacker to execute
     arbitrary commands on a WWW server under the effective user-id of the
     server process. The cause of the problem is not the CGI scripting
     language (such as Perl and C). Rather, the problem lies in how an
     individual writes his or her script. In many cases, the author of the
     script has not sufficiently sanitized user-supplied input.

II.  Impact

     If user-supplied data is not sufficiently sanitized, local and remote
     users may be able to execute arbitrary commands on the HTTP server with
     the privileges of the httpd daemon. They may then be able to compromise
     the HTTP server and, under certain configurations, gain privileged
     access.

III. Solution

     We strongly encourage you to review all CGI scripts that are available
     via WWW services at your site. You should ensure that these scripts
     sufficiently sanitize user-supplied data. We recommend carrying out this
     review on a regular basis and whenever new scripts are made available.

     For advice about what to look for and how to address the problem, see
     our tech tip on meta-characters in CGI scripts, available from

          ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

     Note that because this problem is of a general nature, the tech tip
     demonstrates only the concept of the problem and its solution. The
     programmer and/or system administrator must ensure that any solution
     implemented is robust and does not break intended functionality.

     If you believe that a script does not sufficiently sanitize
     user-supplied data, then we encourage you to disable the script and
     consult the script author for a patch. If the script author is unable
     to supply a patched version, sites with sufficient expertise may wish to
     patch the script themselves, adapting the material in our tech tip to
     meet whatever specification is required (such as the appropriate RFC).

     (NOTE: We cannot offer any further assistance on source code patching
     than that given in the tech tip mentioned above.)

- -----------------------------------------------------------------------------
The CERT Coordination Center thanks Wietse Venema for some of the material
used in the cgi_metacharacters tech tip. We thank Mark Mills, Andrew
McNaughton, and Greg Bacon for their communication with us about the content
of the tech tip.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (see http://www.first.org/team-info/).
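The tech tip referenced in Section III is not reproduced on this page; the following Python is an added example (not CERT's code) of the two sanitizing approaches the advisory describes in concept: rejecting or neutralizing any character outside an allow-list, and handing user data to a program as an argument vector so that no shell ever parses it. The allow-list, the mail command line and the sample recipient values are assumptions chosen for illustration.

```python
import re
import string
from typing import List

# Allow-list (assumed): letters, digits and the few punctuation characters a
# mailbox address legitimately needs. Shell metacharacters such as
# ; | & ` $ ( ) < > and newlines are simply not on the list.
ALLOWED = frozenset(string.ascii_letters + string.digits + "_.@-")


def disallowed_chars(value: str) -> str:
    """Return the distinct characters of value that are off the allow-list,
    sorted, or an empty string if the value is clean."""
    return "".join(sorted({ch for ch in value if ch not in ALLOWED}))


def neutralize(value: str) -> str:
    """Alternative to rejection: collapse each run of disallowed characters
    into a single underscore (the effect of the classic Perl tr/.../_/cs idiom)."""
    return re.sub(r"[^A-Za-z0-9_.@-]+", "_", value)


def unsafe_command_string(recipient: str) -> str:
    """The flawed pattern: user data spliced into a string that a shell will
    parse. Built but never executed here, so the reader can see exactly what
    the shell would receive if the recipient contained a metacharacter."""
    return "/usr/bin/mail -s Report " + recipient


def safe_argv(recipient: str) -> List[str]:
    """Hardened pattern: validate first, then build an argument vector that
    can be passed to subprocess.run(argv) with shell=False (the default).
    The recipient reaches the mail program as one literal argument."""
    bad = disallowed_chars(recipient)
    if bad:
        raise ValueError(f"recipient contains disallowed characters: {bad!r}")
    return ["/usr/bin/mail", "-s", "Report", recipient]


def is_rejected(recipient: str) -> bool:
    """True if safe_argv refuses the recipient."""
    try:
        safe_argv(recipient)
    except ValueError:
        return True
    return False
```

Constructed inputs such as `"webmaster@example.com;id"` or a value carrying a newline are refused by `safe_argv` and reduced to `"webmaster@example.com_id"` by `neutralize`, while a plain address passes unchanged.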
CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We
   can support a shared DES key or PGP. Contact the CERT/CC for more
   information.
   Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
         http://www.cert.org/
         ftp://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
         comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
         cert-advisory-request@cert.org
   In the subject line, type
         SUBSCRIBE  your-email-address
- ---------------------------------------------------------------------------

Copyright 1997, 1998 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.
- ---------------------------------------------------------------------------

This file:
ftp://ftp.cert.org/pub/cert_advisories/CA-97.25.CGI_metachar
http://www.cert.org
               click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history
Feb. 13, 1998  Updated the tech tip and removed Appendix A.
Nov. 13, 1997  Minor editorial change.
Nov. 12, 1997  Updated the Appendix to fix coding error.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBTAN1r9kb5qlZHQEQIhYwCdEKyoA2fEznwefaoJOFpB0y2OLgEAoIEy
EMZbgInO1QgrNCg7uyOLhfGY
=5nOt
-----END PGP SIGNATURE-----