********************* by Chawmp
* - Hacking CGI - * homepage: http://home.cyberarmy.com/chawmp
* - Version 1.01c - * email: tom@holodeck.f9.co.uk
********************* ICQ: 2724168
Introduction
------------
CGI programs are a major source of security holes. On a typical site the server
and config files may be secure, but if CGI programs are not meticulously
checked before they are used then serious security flaws can often be
uncovered.
If at any time you are having difficulty, see the Notes section near the bottom
of this document.
CGI basics
==========
The letters "CGI" stand for "Common Gateway Interface". CGI is a way to add
flexibility to websites by providing a mechanism for programs to be executed on
the server (sometimes with input from the user on the client-side), and for
their output to be displayed back to the client (or just logged somewhere on
the server for later inspection). These programs can be written in any
language, but by far the most common is Perl. Perl handles text-based input
easily, so it is the language of choice for many CGI developers, and in
practice the term "CGI script" usually means "Perl script".
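To make the mechanism concrete, here is an added example of a minimal Perl CGI program, written for this edit rather than taken from the original text. It shows the three pieces the paragraph describes: the server hands the request to the program through environment variables (and STDIN for POST), the program writes an HTTP header and a body to STDOUT, and the server relays that back to the client. The form field name "comment" and the helper names are assumptions; CGI.pm is deliberately not used so that the parsing is visible.

```perl
#!/usr/bin/perl
# Added example (not from the original text): the bare mechanics of a CGI
# program in Perl, with form parsing written out by hand.
use strict;
use warnings;

# Read the raw form data: from the query string for GET, from STDIN for POST.
# Both are supplied by the web server, never typed by the program's author.
sub read_raw_input {
    my $method = $ENV{REQUEST_METHOD} || 'GET';
    if ($method eq 'POST') {
        my $len  = $ENV{CONTENT_LENGTH} || 0;
        my $data = '';
        read(STDIN, $data, $len) if $len > 0;
        return $data;
    }
    return defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
}

# Decode application/x-www-form-urlencoded data ("a=1&b=hello+world") into
# a hash: '+' becomes a space and %XX sequences become the byte they encode.
sub parse_form {
    my ($raw) = @_;
    my %form;
    for my $pair (split /[&;]/, $raw) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) {                       # aliases: edits apply in place
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        }
        $form{$k} = $v;
    }
    return \%form;
}

# Anything echoed back to the client must be HTML-escaped; otherwise the
# visitor's input is interpreted as markup in the page the server returns.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

my $form    = parse_form(read_raw_input());
my $comment = html_escape($form->{comment} // '');   # "comment" is an assumed field name

# The header/body split (a blank line) is what turns this output into an
# HTTP response once the server relays it to the client.
print "Content-Type: text/html\r\n\r\n";
print "<html><body><p>You wrote: $comment</p></body></html>\n";
```

Without a web server you can exercise it from a shell by setting the same variables the server would, for example `REQUEST_METHOD=GET QUERY_STRING='comment=hello+world' perl cgi_basics.pl`, and the output is the header followed by the page.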
What makes a CGI program dangerous?
===================================
There are several places on the web where CGI programs are made available for
free. If you downloaded a set of Perl scripts from such a site you would
probably expect them to be bug-free and install them without a second thought.
There are also the problems of time and operator competence. Most people don't
have the time or the knowledge to go through a 5000-line bulletin board script
to find the single vulnerable statement. This isn't limited to free scripts
though. Some very high-profile professional script packages have recently been
found to be vulnerable to attack.
Preparation
===========
If you know what script a site is using and it's freely available, get it! By
examining the code and playing with it on your own system you'll be able to
find holes a lot more easily than by just guessing. And your failed attempts
won't be noticed by the server administrator.
Methods of attack
=================
Insecure shell calls
--------------------
This applies to CGI programs written in many languages, but most commonly Perl.
If the program does not treat user input carefully, there is a risk that a
malicious user can craft input that the program then passes to the shell in a
dangerous way.
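Before the document's own mail-script example, here is an added Perl illustration, not code from the original text, of the two halves of this problem: the pattern that hands user input to a shell, and a hardened version that validates the input against an allow-list and never starts a shell at all. The sendmail path, the function names and the sample addresses are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original text): an unsafe shell call in a
# Perl CGI mail script next to a version that does not go through the shell.
use strict;
use warnings;

# Taint mode (-T) insists on a trusted environment before a piped open.
$ENV{PATH} = '/usr/sbin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# UNSAFE: the address is interpolated into a command string, so /bin/sh
# parses the whole line. Any shell metacharacter in $email changes what
# command actually runs. Under -T this open dies with "Insecure dependency
# in piped open", which is the detection you want.
sub send_mail_unsafe {
    my ($email, $body) = @_;
    open(my $mail, "|/usr/sbin/sendmail $email") or die "sendmail: $!";
    print $mail $body;
    close($mail);
}

# SAFE, step 1: an allow-list check. Only characters that belong in an
# address are accepted; anything else is rejected outright. The capture
# also produces an untainted copy for taint mode. \z is used rather than $
# so a trailing newline cannot slip past the check.
sub safe_address {
    my ($input) = @_;
    return unless defined $input;
    if ($input =~ /\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/) {
        return $1;
    }
    return;
}

# SAFE, step 2: the list form of open. The program and each argument go
# straight to exec(), so no shell ever sees the address. (-oi tells
# sendmail not to treat a lone "." line as end of message.)
sub send_mail_safe {
    my ($email, $body) = @_;
    my $addr = safe_address($email);
    die "rejected address\n" unless defined $addr;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $addr)
        or die "sendmail: $!";
    print $mail "To: $addr\nSubject: Feedback\n\n$body";
    close($mail) or die "sendmail exited with status $?\n";
    return 1;
}

# Constructed inputs: an ordinary address and one carrying shell
# metacharacters. Only the validator runs here; nothing is actually sent.
for my $candidate ('visitor@example.com', 'visitor@example.com; not-an-address') {
    my $verdict = defined safe_address($candidate) ? 'accepted' : 'rejected';
    print "$verdict: $candidate\n";
}
```

Run it as `perl -T shell_calls.pl` to see taint checking in effect; the script is -T clean because the only value that reaches a pipe open is the captured, validated address. The allow-list is the important part: a deny-list of "bad" characters is easy to get wrong, whereas a pattern that names exactly what a valid address may contain rejects everything else by default.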
Consider the classic vulnerable "mail" script, for example a feedback form: a
website visitor is asked for comments, and a script running on the server
sends them to the webmaster's email address.
-- vuln1.html - The submission form --
Thankyou for visiting my site. Please submit your comments and suggestions
here: