Once upon a time, Fulko Hew <fulko....@gmail.com> said:
> that can be executed to determine whether an apache/cgi 'environment'
> can be attacked?  or do each of my CGI (perl) apps need checking...
> 
> It seems to me to be an apache/cgi environment issue, and not
> a CGI app issue.
You can't really "test" for it, because it will be code-specific (and
call-path specific, since most CGIs do different things depending on how
you call them).  It is specifically a CGI app issue, because it depends
on what the CGI code does with the environment it is given and how the
code actually works.  It isn't an Apache issue; passing certain client
data in the environment is how CGI is defined to work.

For example, lots of CGI authors don't know the difference between:

    open (my $foo, '|mail -s subject al...@example.com');

and

    open (my $foo, "|-", qw(mail -s subject al...@example.com));

There is a big difference in how perl handles those; the first calls out
to the shell to interpret the arguments, while the second does not.  The
first is the "easier" way, so is the most-used way.  Code with the first
type of call would be vulnerable to a bad version of bash, while the
second would not.

If a perl script is run in "taint" mode (which is highly recommended for
things like CGIs but not commonly used), the incoming environment
variables are tainted and you can't execute anything without resetting
the environment, which (in most cases) would clear any "bad" variables.

-- 
Chris Adams <li...@cmadams.net>
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
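
An added example, not part of the original post: a heuristic Python audit that tells apart the two `open` forms shown in the message above and records whether a script's shebang enables taint mode. The sample scripts, the `admin@example.com` address and the name `audit_cgi` are constructed for illustration; a line-based regex misses opens that span lines or build the command from variables.

```python
import re

# String-form pipe open: open(FH, '|cmd') or open(FH, "cmd|"). The command is a
# single string, which Perl may hand to /bin/sh for parsing.
STRING_PIPE = re.compile(r"""open\s*\(?\s*[^,]+,\s*(['"])(\|[^'"]*|[^'"]*\|)\1\s*\)""")
# List-form pipe open: open(FH, '|-', LIST) or open(FH, '-|', LIST); no shell.
LIST_PIPE = re.compile(r"""open\s*\(?\s*[^,]+,\s*(['"])(?:\|-|-\|)\1\s*,""")
# -T among the interpreter switches on the shebang line enables taint mode.
TAINT_SHEBANG = re.compile(r"^#!\S*perl\S*(?:\s+-\w+)*\s+-\w*T")

def audit_cgi(source):
    """Heuristic, line-based audit of the pipe opens in one Perl CGI script."""
    report = {"taint": False, "shell_pipes": [], "list_pipes": []}
    for lineno, line in enumerate(source.splitlines(), start=1):
        if lineno == 1:
            report["taint"] = bool(TAINT_SHEBANG.match(line))
        code = line.strip()
        if code.startswith("#"):              # shebang or comment-only line
            continue
        m = STRING_PIPE.search(code)
        if m and m.group(2) not in ("|-", "-|"):   # bare '|-' is a fork-open
            report["shell_pipes"].append((lineno, m.group(2)))
        elif LIST_PIPE.search(code):
            report["list_pipes"].append(lineno)
    # Any string-form pipe open means the call path needs a manual look.
    report["needs_review"] = bool(report["shell_pipes"])
    return report

# Constructed sample scripts; the mail address is a placeholder.
SAMPLE_STRING_FORM = """#!/usr/bin/perl
use strict;
# notify the admin
open(my $foo, '|mail -s subject admin@example.com') or die;
print $foo "form submitted\\n";
close($foo);
"""

SAMPLE_LIST_FORM = """#!/usr/bin/perl -T
use strict;
$ENV{PATH} = '/usr/bin:/bin';
open(my $foo, "|-", qw(mail -s subject admin@example.com)) or die;
"""

if __name__ == "__main__":
    for name, src in (("string form", SAMPLE_STRING_FORM), ("list form", SAMPLE_LIST_FORM)):
        print(name, audit_cgi(src))
```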
