WebApp Sec mailing list archives
Re: htaccess with apache
From: Tim Greer <chatmaster () charter net>
Date: 04 Nov 2003 12:55:43 -0800
On Tue, 2003-11-04 at 12:41, Graham Lally wrote:
> Tim Greer wrote:
>
> > You'll want to filter lots after that, although the easiest way is to
> > restrict the template name to valid characters, and remove everything
> > else. The regexp on the page is:
> >
> > /^[\w\-\.]*$/
> >
> > So if template doesn't match that, something's wrong.
> >
> > I also recommend making sure the file ends with a specific file
> > extension, so only certain HTML or template (or text) files can be
> > opened:
> >
> > /^[\w\-]*\.(html?|txt|tmpl)$/i
> >
> > (for example--and you likely don't need to capture those values, so
> > use '?:' there)
>
> Taint mode (#!/usr/bin/perl -T) on the script is worth adding in here
> too... Without going on and on about cgi sec, but if $template is being
> passed in to the perl 'open' command unfiltered, then pipes and
> redirections can be provided, turning a read into an exec or a write,
> so any Perl CGI should specify -T to enforce the regexp check above.
Good point, I should have mentioned that. I personally only add Taint mode when testing--and I rarely do that with all the checks I do to check for specific characters, etc. I realize it seems like a risk to some people, but I don't feel I need to do it (I also realize how that sounds to some people. :-) However, I also don't just allow people to pass anything, which allows me to not use it and be safe (but yes, I have to be more careful with my checks--but I figure I better be anyway and I'm fine with it and only allowing exactly (or the exact characters) I want or need to be passed (or not)). However, it's definitely great advice that I should have suggested myself.
> > > /etc/passwd shouldn't be readable by the CGI server!
> >
> > Sure it should be! The default permissions (that are safe too) are 644
> > for this file. Are you thinking of shadow or master.passwd???
>
> Oop, yes, my bad, I take that bit completely back - never try and
> concentrate on too many things at once ;) Still, file permissions and
> server privileges should be high on the list of Things To Check,
> especially if open's being used.
Certainly. Having wrappers which allow for lower permissions and then deny users from viewing them is a plus. But, like we all agree, permissions (and ownership) are important to be as safe as possible in that regard.

--
Tim Greer <chatmaster () charter net>
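An added example, not code from the thread: a Perl CGI fragment that applies the character-and-extension check discussed above under taint mode (-T), untaints only what the regexp captures, and reads the template through a three-argument open so the file name can never be interpreted as a pipe or redirection. The template directory, the parameter name 'template' and the use of CGI.pm's param() are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Assumes templates live in
# $TEMPLATE_DIR (hypothetical path) and that only .html/.htm/.txt/.tmpl
# files should ever be served to the browser.
use strict;
use warnings;
use CGI qw(param);

# Under -T the environment is tainted as well; fix PATH and drop the
# shell-influencing variables so nothing later trips the taint check.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $TEMPLATE_DIR = '/var/www/templates';   # hypothetical location

# Returns the validated, untainted file name, or undef if the input
# contains anything outside the allowed characters or extensions.
# The outer capture is what untaints under -T; '(?:...)' keeps the
# extension alternation from becoming a second capture. '+' instead of
# '*' also rejects a bare ".txt". No '/' or '..' can get through because
# the prefix class has no '/' and the only '.' allowed is the one before
# the extension.
sub validate_template {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /^([\w\-]+\.(?:html?|txt|tmpl))$/i;
    return $1;
}

my $name = validate_template(param('template'));
unless (defined $name) {
    print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n";
    print "bad template name\n";
    exit 0;
}

# Three-argument open with an explicit '<' mode: even if the regexp were
# loosened later, a leading '|' or '>' in the name could not turn this
# read into a command or a write, which is what the two-argument form
# open(FH, $name) would allow.
open(my $fh, '<', "$TEMPLATE_DIR/$name") or do {
    print "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n";
    print "no such template\n";
    exit 0;
};
print "Content-Type: text/html\r\n\r\n";
print while <$fh>;
close $fh;
```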