
BLU Discuss list archive


Famous last words: "surely this CGI script is safe"

1) You accept a string, from HTTP_REFERER.
2) You take that string, and use it as part of two bash commands.

This doesn't look very safe. :-)

A properly-escaped $HTTP_REFERER string could confuse the bash code enough
that your script can overwrite local files. Or maybe read and pipe data you
don't want it to (/etc/passwd, your .bash_history, etc.). Nothing here
prevents an overflow string (say, a 2000 byte HTTP_REFERER) from occurring. You
could break this right now by sending an HTTP_REFERER that contains a space.
It wouldn't matter to your script if spaces aren't "allowed" in REFERER.

I'd suggest avoiding bash altogether because it has weak security and weak
string management. Perl (also PHP) is no magic bullet, but there's a lot
more reference material for securing Perl scripts. Take a look on for some referrer loggers, etc., and see if there are any
safeguards you could copy.

If I were a little better at security (or had more time) I'd reply with an
example script that Does Bad Things, so take this with a grain of salt.


----- Original Message -----
From: "Seth Gordon" <sethg at>
To: <discuss at>
Sent: Monday, March 31, 2003 4:45 PM
Subject: Famous last words: "surely this CGI script is safe"

> I've composed this CGI shell script as an example of backlink-tracing:
> [begin]
> #!/bin/bash
> echo "Content-type: text/plain"
> echo
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
> echo
> echo "Links to this page have been followed from the following URLs:"
> echo
> cat referers
> [end]
> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?
> --
> "Your labour is only worth something to the extent that it saves someone
> else having to do it."  --Paul Foley
> // seth gordon // sethg at // //
> _______________________________________________
> Discuss mailing list
> Discuss at
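
The grep/echo line from the quoted script with the variable quoted and validated before use, as an added example that is not part of either message. MAX_LEN, the http(s)-only rule and the GATEWAY_INTERFACE guard are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardened form of the backlink logger's grep/echo line.
# MAX_LEN and the http(s)-only rule are assumptions, not from the thread.
MAX_LEN=2048

# valid_referer VALUE: succeed only for a plausible single-line http(s) URL.
valid_referer() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le "$MAX_LEN" ] || return 1
    case $1 in
        *[[:space:][:cntrl:]]*) return 1 ;;   # spaces, tabs, newlines, control bytes
    esac
    case $1 in
        http://*|https://*) return 0 ;;       # also rules out a leading "-"
    esac
    return 1
}

# record_referer FILE VALUE: append VALUE to FILE once; return 1 if rejected.
record_referer() {
    valid_referer "$2" || return 1
    # -F: fixed string, not a regex; -x: whole-line match; -e and --: the
    # value can never be parsed as an option or a file name. The double
    # quotes stop word splitting and glob expansion.
    grep -qxF -e "$2" -- "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# CGI entry point: runs only when the web server has set GATEWAY_INTERFACE.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-type: text/plain\n\n'
    record_referer referers "${HTTP_REFERER:-}" || :
    printf 'Links to this page have been followed from the following URLs:\n\n'
    cat referers 2>/dev/null || :
fi
```

Rejected values are dropped silently here; a deployment would more likely log them for review.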

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
