System Security Considerations: WWW Server
Beware of vulnerabilities in CGI scripts!
- Attacker may embed shell commands in string arguments
- Example:
    CGI script contains
        system("/usr/lib/sendmail -t $USER < input_file")
    Malicious client submits form with
        USER = " foo@bar.com ; rm -rf / "
    system() hands the whole string to /bin/sh, which runs sendmail
    and then "rm -rf /" with the privileges of the web server
- Best Defense: Don't run CGI scripts,
    or closely inspect them: validate every argument and never pass
    untrusted input through a shell (see refs below for more information)
References:
    Writing Secure CGI Scripts
    Using "cgiwrap", from UMR
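The injection above, and the fixed version of the same script, worked through in Python as an added example (this code is not from the slides or from the cgiwrap project). The sendmail path and the input_file name are taken from the slide; the harmless marker payload, the sample message, and the use of `true` and `echo` as stand-ins for sendmail so the demo runs without a mail system are assumptions constructed for this example. The hardened version replaces the shell string with an argv list and an allowlist check on the address, which is the "closely inspect" defense in practice.

```python
"""
Shell-command injection through a CGI form field, beside the fixed version.

Added example, not from the slides.  SENDMAIL and "input_file" come from the
slide; the marker payload, the sample message and the `true`/`echo`
stand-ins for sendmail are constructed for this demonstration.
"""
import re
import subprocess
import tempfile

SENDMAIL = "/usr/lib/sendmail"   # path from the slide


def vulnerable_command(user, sendmail=SENDMAIL, input_file="input_file"):
    """Build the exact string the slide's system() call hands to /bin/sh.

    The USER form field is interpolated verbatim, so shell metacharacters in
    it (';', '|', '`', '$(', '#', ...) are parsed as shell syntax, not data.
    """
    return f"{sendmail} -t {user} < {input_file}"


def run_vulnerable(user, sendmail=SENDMAIL, input_file="input_file"):
    """Mimic system(): run the string under `sh -c` and capture its output.

    With the slide's payload the second command would be `rm -rf /`; the
    caller passes a harmless marker command instead.
    """
    cmd = vulnerable_command(user, sendmail, input_file)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)


# Allowlist for a single mailbox address.  Anything outside this pattern
# (spaces, ';', quotes, or a leading '-' that sendmail itself would parse
# as an option) is rejected before it gets near a process.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"
)


def is_valid_address(user):
    """True only if the whole string is one plausible e-mail address."""
    return ADDRESS_RE.fullmatch(user) is not None


def safe_send(user, message, sendmail=SENDMAIL):
    """Hardened version: validate, then exec sendmail with an argv list.

    No shell is involved: subprocess receives the argument vector directly,
    so even a value that slipped past validation could not start a second
    command.  The slide's '< input_file' becomes an explicit stdin handle.
    """
    if not is_valid_address(user):
        raise ValueError(f"rejected recipient: {user!r}")
    with tempfile.NamedTemporaryFile("w+", suffix=".eml") as msg:
        msg.write(message)      # constructed message stands in for input_file
        msg.flush()
        msg.seek(0)
        return subprocess.run([sendmail, "-t", user], stdin=msg,
                              capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed payload with the same shape as the slide's: the injected
    # command is a marker print rather than rm -rf /, and the trailing '#'
    # comments out the '< input_file' redirect so the file need not exist.
    payload = "foo@bar.com ; echo INJECTED #"
    print("shell sees:", vulnerable_command(payload))
    # `true` stands in for sendmail so the demo runs on any POSIX box.
    result = run_vulnerable(payload, sendmail="true")
    print("vulnerable output:", result.stdout.strip())    # INJECTED

    print("payload passes validation:", is_valid_address(payload))   # False
    # `echo` stands in for sendmail: it prints the argv it actually received.
    ok = safe_send("foo@bar.com", "To: foo@bar.com\n\nhello\n", sendmail="echo")
    print("argv seen by the program:", ok.stdout.strip())  # -t foo@bar.com
```

Note that the argv form alone is not enough: a recipient beginning with `-` would still reach sendmail as an option, which is why the allowlist insists the address start with an alphanumeric character.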