Bugtraq mailing list archives

Re: Guidelines for cgi-bin scripts


From: cwe () Csli Stanford EDU (Christian Wettergren)
Date: Wed, 9 Aug 1995 00:44:01 -0700


| Lo and behold, Lee Silverman once said:
|
| > For example, if someone gave you a cgi-bin script and asked you to tell
| > them if it was going to cause any security holes, what would you look for?

I would also look at interaction with unknown - complex - programs.
This may sound too unspecific, but I would be skeptical about large
things like database engines, or untested things like a new fancy
"do-x-and-our-web-site-will-be-famous" thing. These are usually either
too large and complex to control even if you are determined, or
untested prototypes with lots of bugs in them.

I would also like to pinpoint another category of suspicious programs
- viewers of any kind. These are almost never written with security in
mind, since the author is usually only interested in depicting the
data in as nice a way as possible. The input data is always considered
"friendly input". (This is of course different when we talk about
highly networked viewers like the web ones.)

(The newest versions of xv (3.10, I believe) actually execute
PostScript files without the -SAFER switch. So by sending a PostScript
file from a web server but specifying it as an image/tiff or whatever,
you are actually able to do nasty things.)

Also, don't entirely discount the risk of "contamination" based on
more passive methods like being able to place a certain file in a
certain place that will trigger something later on based on the user's
actions separate from the Web thing. Like being able to put some
strange dot files somewhere, changing some defaults. Something under
.hotjava/execute-me-automatically:-))

/Christian
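The two checks below are an added example, not code from Christian's post, from xv, or from any cgi-bin script it mentions. They show what a defender would build into a cgi-bin script that stores client-supplied files and later hands them to a viewer: (1) the declared type is not trusted; the first bytes are sniffed, and anything that is actually PostScript is refused no matter what type the client claimed (the mislabelled-image case in the post); (2) a client-chosen filename is only accepted if it cannot become a dot file, contain a path separator, or land outside the upload directory (the "contamination" case). The magic-byte table, the allow list, and the `check_content` / `safe_storage_path` names are assumptions for illustration; the path check generalizes slightly beyond the post by also rejecting `..` traversal.

```python
"""Defensive checks for a cgi-bin upload handler (added example, not from the post).

Assumptions: only the three image types in MAGIC are ever passed on to a viewer,
and stored files live directly under one base directory with no subdirectories.
"""
import os
import re
from typing import Optional, Tuple

# Magic bytes for the content types the script is willing to hand to a viewer.
# Constructed allow list; extend it for whatever viewers the site really uses.
MAGIC = {
    "image/tiff": (b"II*\x00", b"MM\x00*"),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Content that must never reach a viewer regardless of the declared type.
# "%!" is the PostScript header; this is the xv-without--SAFER case from the post.
FORBIDDEN = (b"%!",)


def sniff_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the file's first bytes, or None."""
    for ctype, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ctype
    return None


def check_content(declared: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the declared type is allow-listed and its magic bytes match.

    The client-supplied Content-Type is treated as a claim to be verified, not a fact.
    """
    if any(data.startswith(sig) for sig in FORBIDDEN):
        return False, "content is PostScript; refused regardless of declared type"
    if declared not in MAGIC:
        return False, "declared type %r is not on the allow list" % declared
    actual = sniff_type(data)
    if actual != declared:
        return False, "declared %r but content looks like %r" % (declared, actual)
    return True, "ok"


# A stored name must start with a letter or digit (so it can never be a dot file),
# use only a small safe character set, and carry at most one short extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}(\.[A-Za-z0-9]{1,8})?$")


def safe_storage_path(base_dir: str, client_name: str) -> Optional[str]:
    """Map a client-chosen name onto base_dir, or return None if it is unsafe.

    Rejects path separators, "..", dot files, and anything that would resolve
    (e.g. through an existing symlink) to a location outside base_dir.
    """
    name = os.path.basename(client_name)
    if name != client_name or not SAFE_NAME.match(name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed samples: a minimal TIFF header, and a PostScript file
    # that a client has labelled image/tiff, as in the post's xv example.
    tiff = b"II*\x00" + b"\x08\x00\x00\x00"
    ps = b"%!PS-Adobe-2.0\n/Helvetica findfont\n"
    print(check_content("image/tiff", tiff))            # (True, 'ok')
    print(check_content("image/tiff", ps))              # (False, '...PostScript...')
    print(safe_storage_path("/var/www/uploads", "cat.tif"))
    print(safe_storage_path("/var/www/uploads", ".hotjava"))   # None
```

Both checks are meant to run before anything is written to disk or passed to a viewer; a mismatch is logged with the declared type and the sniffed type so that repeated mislabelled uploads show up in the server's own records.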
