Original issue date: May 29, 1996<BR>
Last revised: September 24, 1997<BR>
Updated copyright statement

<P>A complete revision history is at the end of this file.

<P>Many sites that maintain a Web server support CGI programs. Often
these programs are scripts that are run by general-purpose
interpreters, such as /bin/sh or PERL. If the interpreters are located
in the CGI bin directory along with the associated scripts, intruders
can access the interpreters directly and arrange to execute arbitrary
commands on the Web server system.  This problem has been widely
discussed in several forums. Unfortunately, some sites have not
corrected it.

<P>The CERT Coordination Center recommends that you never put
interpreters in a Web server's CGI bin directory.

<P>We will update this advisory as we receive additional
information. Please check advisory files regularly for updates that
relate to your site.

<HR>

<H2>I. Description</H2>

<P>To execute CGI scripts, a Web server must be able to access the
interpreter used for that script. Early documentation for Netscape and
other servers recommended placing the interpreters in the CGI bin
directory to ensure that they were available to run the script.

<P>All programs in the CGI bin directory can be executed with
arbitrary arguments, so it is important to carefully design the
programs to permit only the intended actions regardless of what
arguments are used. This is difficult enough in general, but is a
special problem for general-purpose interpreters since they are
designed to execute arbitrary programs based on their arguments. *All*
programs in the CGI bin directory must be evaluated carefully, even
relatively limited programs such as gnu-tar and find.

<P>Note that the directory for CGI programs is typically called
"cgi-bin" but the server may be configured to use a different name.

<H2>II. Impact</H2>

<P>If general-purpose interpreters are accessible in a Web server's
CGI bin directory, then a remote user can execute any command the
interpreters can execute on that server.

<H2>III. Solution</H2>

<P>The solution to this problem is to ensure that the CGI bin
directory does not include any general-purpose interpreters, for
example

<UL>
<LI>PERL
<LI>Tcl
<LI>UNIX shells (sh, csh, ksh, etc.)
</UL>

<P>A variety of methods can be used to safely install such interpreters; methods
vary depending on the system and Web server involved.

<P>On Unix systems, the location of the interpreter is given on the
first line of the script:

<PRE>#! /path/to/interpreter</PRE>

<P>On other systems, such as NT, there is an association between
filename extensions and the applications used to run them. If your Web
server uses this association, you can give CGI scripts an appropriate
suffix (for example, ".pl" for PERL), which is registered to the
appropriate interpreter. This avoids the need to install the
interpreter in the CGI bin directory, thus avoiding the problem.
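<P>One way to check an existing CGI bin directory on a Unix system for the problem described above (an added example, not a script from this advisory or from CERT). It flags files stored under an interpreter's own name, copies of or symlinks to a system interpreter stored under any other name, and scripts whose "#!" line points back into the CGI directory itself; the list of interpreter names is an assumption and should be extended for your site.

```sh
#!/bin/sh
# audit_cgi_bin DIR: report general-purpose interpreters found in a CGI bin
# directory. Added example, not the advisory's or CERT's own code. Assumes a
# POSIX sh with cmp, head -c and sed. The interpreter list is an assumption.
INTERPRETERS="sh bash csh ksh tcsh zsh perl tclsh wish python"

# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
audit_cgi_bin() {
    dir=$1
    absdir=$(cd "$dir" && pwd) || return 2
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories, dangling links
        name=${f##*/}
        hit=0
        for n in $INTERPRETERS; do
            # Finding 1: an interpreter stored under its own name.
            if [ "$name" = "$n" ]; then
                echo "interpreter by name: $f"
                hit=1; break
            fi
            # Finding 2: a copy of, or symlink to, a system interpreter under
            # another name (cmp follows symlinks, so both cases match).
            sys=$(command -v "$n" 2>/dev/null) || continue
            if cmp -s "$f" "$sys"; then
                echo "copy of $sys: $f"
                hit=1; break
            fi
        done
        if [ "$hit" -eq 1 ]; then
            found=1; continue
        fi
        # Finding 3: a script whose #! line names an interpreter inside the
        # CGI directory itself rather than a system location.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            interp=$(head -n 1 "$f" | sed 's/^#![[:space:]]*//; s/[[:space:]].*$//')
            case "$interp" in
                "$absdir"/*) echo "#! points into CGI directory: $f -> $interp"
                             found=1 ;;
            esac
        fi
    done
    return "$found"
}
```

Run it as <CODE>audit_cgi_bin /path/to/cgi-bin</CODE>; a zero exit status means none of the three findings applied to any file in that directory.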

<P>Check with your Web server vendor for specific information.

<P>Netscape reports that the 2.0 versions of their FastTrack and
Enterprise Servers (both the current Beta and upcoming final
versions) do support file interpreter associations.

<P>Further reading:

<P>Tom Christiansen has a Web page with details about this problem and
a script that can be used to test for it:

<P><A HREF="http://perl.com/perl/news/latro-announce.html">http://perl.com/perl/news/latro-announce.html</A>

<P>Lincoln Stein's WWW Security FAQ includes a section on "Problems
with Specific Servers," which discusses this and related problems:

<P><A HREF="http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html">http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html</A>

<P><HR>

<P>The CERT Coordination Center thanks Lincoln Stein, Tom
Christiansen, and the members of AUSCERT and DFN-CERT for their
contributions to the information in this advisory.

<HR>

<P>Copyright 1996 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 24, 1997 Updated copyright statement
Aug. 30, 1996 Removed references to CA-96.11.README.
</PRE>