CERT-SEI

Sanitizing User-Supplied Data in CGI Scripts

Original issue date: November 10, 1997
Last revised: July 15, 2003
Fixed cgi_metacharacters link

A complete revision history is at the end of this file.

The CERT Coordination Center has received reports and seen mailing list discussions of a problem with some CGI scripts, which allow an attacker to execute arbitrary commands on a WWW server under the effective user-id of the server process. The problem lies in how the scripts are written, NOT in the scripting languages themselves.

The CERT/CC team urges you to check all CGI scripts that are available via the World Wide Web services at your site and ensure that they sanitize user-supplied data. We have written a tech tip on how to do this (see Section III).

We will update the tech tip (rather than this advisory) if we receive additional information.


I. Description

Some CGI scripts have a problem that allows an attacker to execute arbitrary commands on a WWW server under the effective user-id of the server process. The cause of the problem is not the CGI scripting language (such as Perl and C). Rather, the problem lies in how an individual writes his or her script. In many cases, the author of the script has not sufficiently sanitized user-supplied input.

II. Impact

If user-supplied data is not sufficiently sanitized, local and remote users may be able to execute arbitrary commands on the HTTP server with the privileges of the httpd daemon. They may then be able to compromise the HTTP server and under certain configurations gain privileged access.

III. Solution

We strongly encourage you to review all CGI scripts that are available via WWW services at your site. You should ensure that these scripts sufficiently sanitize user-supplied data.

We recommend carrying out this review on a regular basis and whenever new scripts are made available.

For advice about what to look for and how to address the problem, see our tech tip on meta-characters in CGI scripts, available from

http://www.cert.org/tech_tips/cgi_metacharacters.html

Note that because this problem is of a general nature, the tech tip demonstrates only the concept of the problem and its solution. The programmer and/or system administrator must ensure that any solution implemented is robust and does not break intended functionality.

If you believe that a script does not sufficiently sanitize user-supplied data then we encourage you to disable the script and consult the script author for a patch.

If the script author is unable to supply a patched version, sites with sufficient expertise may wish to patch the script themselves, adapting the material in our tech tip to meet whatever specification is required (such as the appropriate RFC).

(NOTE: We cannot offer any further assistance on source code patching than that given in the tech tip mentioned above.)


The CERT Coordination Center thanks Wietse Venema for some of the material used in the cgi_metacharacters tech tip.

We thank Mark Mills, Andrew McNaughton and Greg Bacon for their communication with us about the content of the tech tip.


Copyright 1997, 1998 Carnegie Mellon University.


Revision History
Jul. 15, 2003 Fixed cgi_metacharacters link
Feb. 13, 1998 Updated tech tip, and removed Appendix A
Nov. 13, 1997 Minor editorial change
Nov. 12, 1997 Updated the Appendix to fix coding error