Fending off CGI Risks with smart programming in VS .NET

Creator PDF417 in VS .NET Fending off CGI Risks with smart programming
Fending off CGI Risks with smart programming
Read PDF-417 2d Barcode In .NET
Using Barcode Control SDK for .NET Control to generate, create, read, scan barcode image in VS .NET applications.
According to SANS (wwwsansorg), CGI script-related security risks ranks second on their top ten Internet security issues list However, CGI is not inherently insecure; it is poorly written CGI scripts that are a major source of Web security holes Actually, the simplicity of the CGI specification makes it easy for many inexperienced programmers to write CGI scripts These inexperienced programmers, being unaware of the security aspects of internetworking, create applications or scripts that work, while also creating unintentional back doors and holes in the system The following sections discuss first the types of risks that CGI applications or scripts create, and then discuss solutions for these risks
Painting PDF-417 2d Barcode In .NET
Using Barcode generation for .NET Control to generate, create PDF-417 2d barcode image in VS .NET applications.
Note
Scanning PDF417 In VS .NET
Using Barcode decoder for Visual Studio .NET Control to read, scan read, scan image in .NET framework applications.
The terms CGI application and CGI scripts are used interchangeably
Create Barcode In Visual Studio .NET
Using Barcode drawer for .NET framework Control to generate, create barcode image in VS .NET applications.
Information leaks
Scanning Barcode In .NET Framework
Using Barcode scanner for .NET Control to read, scan read, scan image in VS .NET applications.
Many CGI scripts can be fooled by vandals to leak information about users or resources available on the Web server Such a leak helps vandals to break into a system The more information a vandal has about a system, the better the vandal is at breaking into the system For example, if this URL is used to display /doc/article1html page using the showpagecgi script:
PDF 417 Maker In C#
Using Barcode generator for Visual Studio .NET Control to generate, create PDF 417 image in .NET framework applications.
http://unsafe-sitecom/cgibin/showpagecgi pg=/doc/article1html
Making PDF417 In Visual Studio .NET
Using Barcode printer for ASP.NET Control to generate, create PDF417 image in ASP.NET applications.
a vandal might try something like:
Making PDF 417 In VB.NET
Using Barcode generation for .NET framework Control to generate, create PDF417 image in .NET applications.
http://unsafe-sitecom/cgi-bin/showpagecgi pg=/etc/passwd
Creating GTIN - 128 In VS .NET
Using Barcode generator for Visual Studio .NET Control to generate, create UCC-128 image in Visual Studio .NET applications.
which will display the /etc/passwd (user password file) for the entire system This only works if the showpagecgi author did not protect the script from such leaks
Bar Code Maker In Visual Studio .NET
Using Barcode printer for VS .NET Control to generate, create bar code image in VS .NET applications.
Part IV Securing Your Web Site
Encode UPC-A Supplement 5 In Visual Studio .NET
Using Barcode maker for Visual Studio .NET Control to generate, create UPC Symbol image in VS .NET applications.
Consumption of system resources
Leitcode Generation In VS .NET
Using Barcode generator for VS .NET Control to generate, create Leitcode image in .NET applications.
A poorly written CGI script can be used by a vandal to make a server consume system resources such that the server becomes virtually unresponsive For example, this URL allows a site visitor to view a list of classifieds advertisements in a Web site:
Print Bar Code In VB.NET
Using Barcode generation for .NET framework Control to generate, create barcode image in VS .NET applications.
http://unsafe-sitecom/cgi-bin/showlistpl start=1&stop=15
Draw Barcode In Visual C#
Using Barcode printer for Visual Studio .NET Control to generate, create barcode image in Visual Studio .NET applications.
The start=1 and stop=15 parameters are used to control the number of records displayed If the showlistpl script only relies on the supplied start and stop values, then a vandal can edit the URL and supply a larger number for the stop parameter to make showlistpl display a larger list then usual So what Well, a vandal can use this knowledge and overload the Web server with requests that take longer to process, which makes real users wait and possibly makes them move to a competitor s site
Draw Barcode In .NET Framework
Using Barcode generation for ASP.NET Control to generate, create barcode image in ASP.NET applications.
Spoofing of system commands via CGI scripts
Create UPC - 13 In Visual Basic .NET
Using Barcode encoder for Visual Studio .NET Control to generate, create UPC - 13 image in .NET framework applications.
In many cases, vandals have succeeded in tricking an HTML form-based mailer script to run a system command or to give out confidential system information For example, say that you have a Web form that users use to sign up for your services or to provide you with feedback Most sites with such a Web form send a thank-you note to the user via an e-mail A CGI script is used to process the form The script might be doing something similar to the following to send the e-mail:
EAN13 Recognizer In Visual Studio .NET
Using Barcode recognizer for .NET framework Control to read, scan read, scan image in VS .NET applications.
system( /bin/mail -s $subject $emailAddress < $thankYouMsg );
Print Code128 In .NET
Using Barcode creation for ASP.NET Control to generate, create USS Code 128 image in ASP.NET applications.
The system call runs the /bin/mail mail program and supplies it the value of variable $subject as the Subject: header, the value of variable $emailAddress as the e-mail address of the user, and redirects the contents of the file named by the $thankYouMsg variable This works and no one should normally know that your application uses such system calls However, vandals are always trying to break things, and so a vandal interested in breaking your Web site might look into everything that the vandal has access to and try entering irregular values for your Web form For example if a vandal enters vandal@emailaddr < /etc/passwd; as the e-mail address, the script will be fooled into sending the /etc/passwd file to the vandal-specified e-mail address!
Universal Product Code Version A Printer In .NET Framework
Using Barcode drawer for ASP.NET Control to generate, create UPC Symbol image in ASP.NET applications.
If you use system() function in your CGI script, you should use the -T option in your #!/path/to/perl line to enable Perl s taint-checking mode You should also set the PATH (environment variable) using set $ENV{PATH} = /path/to/ commands/you/call/via/system to increase security
EAN-13 Maker In Java
Using Barcode generation for Java Control to generate, create GTIN - 13 image in Java applications.
User input makes certain system calls unsafe
Certain system calls are unsafe to use in CGI script For example, in Perl (a widely used CGI programming language) such a call could be made using the system(), exec(), piped open(), and eval() functions Similarly, in C the popen() and system() functions are potential security hazards All of these functions/commands typically invoke a subshell (such as /bin/sh) to process the user command