in reply to A rumination on finding secure scripts, versus rolling-your-own

I've spent the last two years building cgi scripts and have made many security mistakes along the way :)

I remember there being a CGI security FAQ, I think by Selena Sol, but can't remember.

How about working out criteria for rating a script's security level, and then creating a 'Perl Monks security Meditation' for the overall security.

Things to look at would be whether they are safe from:

Eg, if a script parses input data well, but relies on a valid HTTP_REFERER as a check, it would get a 'level one' rating. The infamous formmail can be used to relay e-mail if you fake/omit the HTTP_REFERER, but parses input data OK, so it would get a 'level one' rating.

I'm sure there are other criteria, but that's my .02

cLive ;-)
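The "level one" distinction above, as an added Perl example that is not part of cLive's post or of any formmail script: the Referer header is sent by the client, so a check on it can be satisfied by any attacker who forges the header, while a server-side allow-list of recipients cannot be. The host name, the recipient address and the three request records are constructed for the illustration; `referer_allowed` and `recipient_allowed` are names chosen here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Client-controlled check: Referer is whatever the client chooses to send,
# so "pass" here only means the attacker bothered to set it.
sub referer_allowed {
    my ($referer, @hosts) = @_;
    return 0 unless defined $referer;
    for my $h (@hosts) {
        return 1 if $referer =~ m{\Ahttps?://\Q$h\E(?:[:/]|\z)}i;
    }
    return 0;
}

# Server-controlled check: the only addresses this script may ever mail to.
# (Assumed address; in a real deployment this comes from the script's config.)
my %allowed_recipient = map { $_ => 1 } ('webmaster@example.com');

sub recipient_allowed {
    my ($to) = @_;
    return defined $to && exists $allowed_recipient{$to} ? 1 : 0;
}

# Constructed requests: one legitimate post and two relay attempts.
my @requests = (
    { referer => 'http://www.example.com/contact.html', recipient => 'webmaster@example.com' },
    { referer => 'http://www.example.com/contact.html', recipient => 'victim@example.net' },  # forged Referer
    { referer => undef,                                 recipient => 'victim@example.net' },  # Referer omitted
);

for my $r (@requests) {
    my $ref_ok  = referer_allowed($r->{referer}, 'www.example.com');
    my $rcpt_ok = recipient_allowed($r->{recipient});
    printf "referer=%-40s recipient=%-22s referer_check=%-4s recipient_check=%s\n",
        defined $r->{referer} ? $r->{referer} : '(none)',
        $r->{recipient},
        $ref_ok  ? 'pass' : 'FAIL',
        $rcpt_ok ? 'pass' : 'FAIL';
}
```

The second request is the formmail relay case: a forged Referer passes the client-side check, and only the recipient allow-list stops the mail. A script that parses its fields carefully but has only the first check is what the "level one" rating describes.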

Re: Re: A rumination on finding secure scripts, versus rolling-your-own
by davorg (Chancellor) on Mar 30, 2001 at 13:54 UTC

    I'm sure the CGI Security FAQ can't be by Selena Sol. As I recall, his scripts were amongst the worst.

    --
    <http://www.dave.org.uk>

    "Perl makes the fun jobs fun
    and the boring jobs bearable" - me

      Fair enough, but on looking, the FAQ was written by Lincoln Stein and is here. But, in his defence, Lincoln does recommend this in the FAQ :)

      In his words... "More recently, Selena Sol has published an excellent article on the risks of installing pre-built CGI scripts, with much helpful advice on configuring and customizing these scripts to increase their security. "

        It's a well-written article, but with one major flaw. It discusses the problems of passing unchecked user data to shell commands, but doesn't mention taint mode, which is there to prevent you doing just that.

        --
        <http://www.dave.org.uk>

        "Perl makes the fun jobs fun
        and the boring jobs bearable" - me
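The taint-mode safety net davorg refers to, as an added Perl example that is not from the thread, from the article or from Lincoln Stein's FAQ. It takes one value from @ARGV (tainted under -T, just as CGI parameters and %ENV are), shows Perl refusing to hand it to the shell, and then untaints it through an allow-list regex before using the list form of system. `untaint_filename` and the filename pattern it enforces are choices made for this example; run it as `perl -T untaint_demo.pl report.txt` and again as `perl -T untaint_demo.pl 'x; id'`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Added example. Under -T every value that comes from outside the program
# (@ARGV, %ENV, STDIN, CGI params) is tainted, and Perl dies rather than pass
# it to system(), exec(), backticks, open() for writing, unlink(), etc.

# -T also insists on a trusted environment before any external command runs.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $user_input = defined $ARGV[0] ? $ARGV[0] : 'report.txt';
print "input '$user_input' tainted=", (tainted($user_input) ? 1 : 0), "\n";

# The insecure pattern the article warns about: one string handed to the shell.
# Without -T, 'x; id' runs id. With -T this dies with
# "Insecure dependency in system while running with -T switch" before the
# shell is ever invoked; eval turns that into a reported refusal.
my $ran = eval { system("ls -l $user_input"); 1 };
print "shell call with raw input: ", ($ran ? "ran\n" : "refused: $@");

# Untainting: the only thing that clears the taint flag is a regex capture,
# so the pattern *is* the validation policy. Use an allow-list of characters
# you actually expect, never a deny-list of shell metacharacters.
sub untaint_filename {
    my ($s) = @_;
    return undef unless defined $s && $s =~ /\A([\w.-]+)\z/;   # letters, digits, _ . - only
    return $1;                                                 # $1 is untainted
}

my $safe = untaint_filename($user_input);
if (defined $safe) {
    print "untainted '$safe' tainted=", (tainted($safe) ? 1 : 0), "\n";
    # Even with clean data, prefer the list form: no shell is involved, so
    # the argument is passed literally instead of being parsed for ; | ` $().
    system('ls', '-l', $safe);
} else {
    print "rejected '$user_input': does not match the allowed filename pattern\n";
}
```

Two things worth noticing when running it: the refusal happens at the system() call regardless of what the input contains, so taint mode catches the bug even when the tester only supplies harmless data; and 'x; id' is rejected by the allow-list rather than by any attempt to recognise ';' as dangerous.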

      I agree.

      Because a couple of good-hearted but under-developed Perl programmers have made some rather insecure scripts available to the world, we now have zillions of formmail.pl programs around the net.

      If PM does do anything about illustrating the transmogrification of standard insecure scripts into better scripts (from the security point of view anyway), formmail.pl or other such ubiquitous scripts with known exploits could be good candidates as patients.

      This way it might be possible to see some of the secure scripts filter out into the world replacing the swiss-cheese versions.

      I admire the good heartedness of the guys that released these commonly used scripts. But I wouldn't want my website on a server hosting any of these.

      Claude