The CGI and SSI Threat

8/12/2019

Apache itself is very reliable and reasonably secure. The biggest threat to server security is the code that you or your users write for the server to execute. Two sources of these problems are Common Gateway Interface (CGI) programs and Server Side Includes (SSI).

One of the biggest threats to server security is badly written CGI programs. Intruders exploit poor code by forcing buffer overflows or by passing shell commands through the program to the system. The only way to avoid this and still have the benefit of CGI programs, which can be written in C, Perl, Python, and other programming languages, is to be very careful about the code that you make available on your system. Here are some basic preventative measures to keep in mind:

• Personally review all programs included in the cgi-bin directory.
• Try to write programs that do not allow free-form user input.
• Use drop-down menus instead of keyboard input. Limit what comes in to your system from the user. Keep in mind, though, that a drop-down menu only constrains the browser's form, not the request: an intruder can send any value for the field directly, so the program must still validate every parameter on the server, against the list of values it expects, before using it.
• To make it easier to review all CGI scripts, keep them all in the ScriptAlias directory. Don't allow ExecCGI in any other directory unless you're positive no one can place a script there that you have not personally reviewed. (The way ExecCGI and other server options are controlled is covered in the next section.)

Server Side Includes is also called Server Parsed HTML, and the files often have the .shtml file extension. These files are processed by the server before they are sent to the client. They can include other files or execute code from script files. If user input is used to dynamically modify the SSI file, it is vulnerable to the same type of attacks as CGI scripts.

SSI commands are embedded inside HTML comments. Therefore, each SSI command begins with <!--# and ends with -->, for example <!--#include virtual="/footer.html" -->. The SSI commands are listed in Table 6.2.

Table 6.2: Server Side Includes Commands

  Command     Purpose
  #config     Formats the display of file size and time.
  #echo       Displays variables.
  #exec       Executes a CGI script or a shell command.
  #flastmod   Displays the date a document was last modified.
  #fsize      Displays the size of a document.
  #include    Inserts another file into the current document.

The most secure way to operate a server is to disallow all SSI processing. SSI is processed only when the Options directive in httpd.conf for the directory specifies Includes (or All, which implies Includes) and the .shtml files are mapped to the server's include filter (AddOutputFilter INCLUDES .shtml, or the older AddHandler server-parsed); remove either and no SSI is processed. Do not rely on a missing Options line, however: the compiled-in default for Options is All, so set Options explicitly in every <Directory> block. A compromise setting is to allow SSI but disallow the #exec command, which is the greatest security threat because it runs arbitrary shell commands and CGI scripts as the server user.

Use IncludesNOEXEC on the Options directive for this setting. Note that IncludesNOEXEC disables only #exec: #include of ordinary files still works, and a CGI script in a ScriptAlias directory can still be run through #include virtual, so the review discipline for the cgi-bin directory applies to SSI pages as well.
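The shell-command injection that the CGI discussion above warns about, as an added example that is not part of the original text: a small Python CGI handler takes a host parameter and hands it to a system command, first the vulnerable way (string concatenation through /bin/sh) and then the hardened way (allowlist validation plus an argument vector with no shell). The parameter name host, the HOST_RE allowlist, the handle_request helper and the use of echo in place of a real lookup tool such as nslookup are assumptions made for this example, not anything from the page.

```python
#!/usr/bin/env python3
"""CGI host-lookup handler: vulnerable and hardened versions side by side.

Added example. 'echo' stands in for the real lookup tool (nslookup, ping,
finger, ...) so that the script runs anywhere; the injection mechanics are
identical for any command built from user input.
"""
import os
import re
import subprocess
from urllib.parse import parse_qs

# Allowlist for the 'host' parameter (an assumed parameter name): letters,
# digits, dots and hyphens, 1-253 characters, never starting with '-', so the
# value can be neither a shell metacharacter sequence nor a command option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def parse_host(query_string):
    """Return the first 'host' value from a CGI QUERY_STRING, or None."""
    return parse_qs(query_string).get("host", [None])[0]


def is_valid_host(host):
    """True only if the whole value matches the allowlist (fullmatch also
    rejects a trailing newline, which a plain '$' anchor would let through)."""
    return host is not None and HOST_RE.fullmatch(host) is not None


def lookup_unsafe(host):
    """The vulnerable pattern: user input concatenated into a command line
    that is handed to /bin/sh. A ';' in 'host' starts a second command."""
    cmd = "echo " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_safe(host):
    """Hardened: reject anything outside the allowlist, then pass the value as
    one argv element. No shell is involved, so ';', '|', '`' and '$(' are just
    characters, and the leading-'-' rule stops option injection as well."""
    if not is_valid_host(host):
        raise ValueError("invalid host parameter")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def handle_request(query_string):
    """CGI entry point: returns (status, body) and uses only the safe path."""
    host = parse_host(query_string)
    if not is_valid_host(host):
        return "400 Bad Request", "host parameter missing or invalid\n"
    return "200 OK", lookup_safe(host)


if __name__ == "__main__":
    # Apache passes the query string in the environment of a CGI process.
    status, body = handle_request(os.environ.get("QUERY_STRING", ""))
    print("Status: " + status)
    print("Content-Type: text/plain\n")
    print(body, end="")
```

With the request host=example.com%3B+echo+INJECTED, lookup_unsafe runs both commands and returns two lines, while handle_request rejects the same value with 400 before any command runs. The allowlist is the important part: escaping metacharacters one by one is error-prone, whereas accepting only the characters a hostname can contain leaves nothing for the shell to interpret.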
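As a check on the Options settings discussed above (Includes, IncludesNOEXEC, ExecCGI and All), an added example that is not from the original text or from the Apache project: a small Python audit that reads an httpd.conf fragment and flags each <Directory> block whose Options enable SSI or CGI execution, distinguishing the IncludesNOEXEC compromise from full Includes and noting whether ExecCGI appears outside a ScriptAlias directory. SAMPLE_CONF is a constructed configuration written for this example, and the directory paths in it are assumptions; only <Directory> blocks and top-level ScriptAlias lines are parsed, not nested or <Location> blocks.

```python
#!/usr/bin/env python3
"""Audit Options directives in an httpd.conf fragment for SSI/CGI exposure.

Added example. Handles the plain form ("Options Includes ExecCGI") and the
relative form ("Options +Includes -ExecCGI"); treats "All" as implying both
Includes and ExecCGI, as Apache does.
"""
import re

# Constructed sample (not a real server's config): a ScriptAlias'd cgi-bin,
# a document root with the IncludesNOEXEC compromise, a user directory that
# mistakenly enables both #exec-capable SSI and CGI, and a block using All.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
</Directory>

<Directory "/var/www/html">
    Options IncludesNOEXEC FollowSymLinks
    AddOutputFilter INCLUDES .shtml
</Directory>

<Directory "/home/*/public_html">
    Options +Includes +ExecCGI
</Directory>

<Directory "/var/www/legacy">
    Options All
</Directory>
"""

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"^\s*</Directory>", re.I)
OPTIONS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I)
SCRIPTALIAS = re.compile(r'^\s*ScriptAlias\s+\S+\s+"?([^"\s]+)"?', re.I)


def parse_conf(text):
    """Return (script_dirs, {directory: option list or None}).
    None means the block has no Options line and inherits its parent's."""
    script_dirs, dirs, current = set(), {}, None
    for line in text.splitlines():
        m = SCRIPTALIAS.match(line)
        if m:
            script_dirs.add(m.group(1).rstrip("/"))
            continue
        m = DIR_OPEN.match(line)
        if m:
            current = m.group(1).rstrip("/")
            dirs[current] = None
            continue
        if DIR_CLOSE.match(line):
            current = None
            continue
        m = OPTIONS.match(line)
        if m and current is not None:
            dirs[current] = m.group(1).split()
    return script_dirs, dirs


def audit(text):
    """Return a list of (directory, finding) tuples for the fragment."""
    script_dirs, dirs = parse_conf(text)
    findings = []
    for d, opts in dirs.items():
        if opts is None:
            findings.append((d, "no Options line; inherits parent "
                                "(compiled-in default is All)"))
            continue
        # Only options being switched on matter; "-Foo" removes Foo.
        enabled = {o.lstrip("+").lower() for o in opts if not o.startswith("-")}
        if "all" in enabled:
            findings.append((d, "Options All enables Includes and ExecCGI"))
        if "includes" in enabled:
            findings.append((d, "Includes allows #exec "
                                "(use IncludesNOEXEC or remove)"))
        elif "includesnoexec" in enabled:
            findings.append((d, "SSI enabled without #exec "
                                "(acceptable compromise)"))
        if "execcgi" in enabled:
            where = ("inside a ScriptAlias directory (redundant)"
                     if d in script_dirs else
                     "outside any ScriptAlias directory")
            findings.append((d, "ExecCGI " + where))
    return findings


if __name__ == "__main__":
    for directory, finding in audit(SAMPLE_CONF):
        print(f"{directory}: {finding}")
```

On the sample, the cgi-bin block (Options None, under ScriptAlias) produces no finding, the document root is reported as the IncludesNOEXEC compromise, the user directory is flagged twice (Includes with #exec, and ExecCGI outside ScriptAlias), and the legacy block is flagged for Options All. Run it against a real configuration after stripping comments; anything flagged outside cgi-bin is a directory whose contents need the same personal review the text asks for.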