The Problem:

I find a lot of surprising security problems as I work on client’s sites. Even large, reputable companies often have gross security issues. I know more than anyone how difficult it can be to get a cgi script installed and working. It’s tempting to walk away without double-checking the security. One of the most common things that I see is poor security of the cgi-bin. Depending on the setup of your server, someone can take total control of your account easily through a poorly secured cgi-bin.

The particular problem i’m writing about involves writable files/directories within your cgi-bin, or scripts that make calls to external programs (like sendmail). These are both very common types of scripts that you would find in just about any cgi-bin.

The writable file issue is that most cgi scripts rely on a datafile to store their information. In some cases, they need an entire writable directory to store data (file uploads, etc). The tricky part is that you have to allow the script write access to the file/directory. If your server is running as “nobody” then you need to allow world write access to the file. This is dangerous because other users on the server also have the ability to run under the “nobody” user - which means they can also write to those files. Some servers are configured so that scripts execute under your own userid. Otherwise sensible people are fooled into thinking that they are protected by this. Although it does protect you from the “nobody” exploits, it actually make the potential damage much worse if you have poor security settings.

The issue with scripts that make calls to external programs (like Formail for sending email via sendmail, etc) is that if they are not coded properly, someone can input malicious text that causes an arbitrary shell command to run in addition to the sendmail command. This command will run under whatever userid that the original script has.

One dangerous situation is a script that allows file uploads and it’s writable directory is in the cgi-bin. Any script like this should have serious security checks in place to prevent malicious files from being uploaded. If the script doesn’t check file types as they upload, any anonymous user can upload a script or executable file right to your cgi-bin.

Another situation is on a virtual host where you share your account with lots of other users. This exploit is only available to people who have an account on your machine, however it is no less a problem. All users on your server can install cgi scripts in their account which run under the “nobody” permissions. If they install a simple command processing script, they can manipulate any file in your account that allows world write access.

So, take a look at your cgi-bin and look for any writable files or directories. Imagine what would happen if someone could edit or add any file there in your cgi-bin. A writable directory is particularly bad because the other person on your server can actually write a new script file there and then browse to the url to execute it.

Normally if someone can totally compromise your site in this way, they are limited to running as the user “nobody.” However, there is still quite a bit of damage that can be done. Formmail scripts can be installed to send spam. Scripts to snoop into your datafiles can be installed. Large files can be uploaded and shared (using your bandwith). I once had a client who incurred a $10,000 bandwidth bill after their server was compromised by hackers sharing video game software. Nothing more than “nobody” access is needed to do this.

If cgi-wrap is enabled, the situation is compounded because the scripts in your cgi-bin can be executed through cgi-wrap to run under your own userid. At that point, they own your account.

How To Secure cgi-bin:

There’s a few simple things that can help lock down your cgi-bin.

1. Never, ever have a file with both world-execute and world-write permissions. This can be overwritten with any arbritrary code by any user on your server. Once they overwrite, they can execute it through the browser. Scripts themselves should never require write permission. Read/Execute is fine (chmod 505 is nice and secure).

2. If possible, never have any writable directories or files in the cgi-bin. Not even writable by your own user id. there is no reason that a file needs to be writable within the cgi-bin. Depending on what scripts you have installed, this can be challenging. The solution is to move all datafiles to an area that is not accessible through the web browser. If this is not possible, see # 3

3. If you must have writable files or folders in the cgi-bin because of the functionality of a script, keep them in a subdirectory and put an .htaccess file in there that has the contents “deny from all” in it. Your scripts can still read/write files there, but nothing can be executed through the browser. if you are not able to put them in a separate directory, you can deny access to specific files using .htaccess.

4. Never give any permissions to the “group.” In UNIX you have three permissions to grant - owner, group, world. for example, chmod 644 grants 6 (rw) to owner, 4 (r) to group and 4 (r) to the world. The group is almost always other accounts on your server. You generally do not know these other users and there is no reason to give them any permissions for any file in your account. The middle value should always be zero. for example: chmod 604 gives the group 0 (no access) which is fine.

5. be very careful when cgi-wrap is enabled or your cgi-bin executes using your own account’s userid. in this case you have to make sure that nothing can be written arbitrarily into your cgi-bin even using your own account permissions. Keep in mind that you do not need permission to write to a script. You can remove the write permission even for yourself. If you need to change it later, you first change the permission to allow write, then change it back. It doesn’t need to sit there with write permissions. You have to be very cautious about what scripts are installed, because any script with an exploit can be dangerous. if someone can write or upload to your cgi-bin, they can create their own script and run it under you userid. If you use cgi-wrap, there is no reason for the group or the world to have any permissions on your files. so, you should change permissions something like this: chmod 400 (only you have read permission). scripts can be chmod 500. writable datafiles can be chmod 600, but should not be stored in a public area. remember that if someone can run arbitrary code as your userid, they own your account!

6. Try to break into your own account. Go through your scripts and try to upload a file that shouldn’t be allowed. Look at scripst that send email and see if you can enter data in such a way that code gets executed.

Summary:

The moral of the story is to be cautious with your cgi-bin. Especially look for writable files and directories. Never trust other users on your server. It may not seem important to take security seriously for your homepage with a bulletin board and formmail script. But there are malicious people out there always scanning for easy targets. Your data can be compromised or your bandwidth stolen - leaving you with the bill. A little bit of extra time can save you a lot of grief later.

Share This

How to Install Subversion Server on Windows using Apache

This is a walkthrough to install subversion server on Windows and make it available over http using Apache. Subversion is a version control system. In combination with Apache, you can allow local and remote developers to share source code.

This guide will use the following installation paths. You can change these as you like, but I’m going to use them in this walkthrough:

Apache = C:\Program Files\Apache Group\Apache2
Subversion = C:\Program Files\Subersion
Location of Repositories: C:\InetPub\svn\
Location of passfile: C:\InetPub\svn.pass
URL for Repositories: [url]http://localhost:8080/svn/[/url]

1. INSTALL APACHE

a. Download Apache from http://httpd.apache.org/download.cgi (Apache 2.0.55 is the current stable release at the time of this writing)

b. Run the Windows Installer. The defaults are fine. When you reach the Server Information dialog, you’ll be prompted to choose between installing on port 80 as a service, or on port 8080 with manual startup. Choose the service option on port 80 (we will change the port in the next step). Complete the install process accepting all defaults.

c. Since we are working on a Windows server, you probably already have IIS running on port 80. So, we need to pick another for Apache - this is really easy to change. Open the file C:\Program Files\Apache Group\Apache2\conf\httpd.conf in notepad.exe. Do a find (ctrl+f) for the word “listen” until you fine the line

Listen 80

Change the 80 to 8080 (or whatever port you want). For this example, I’m going to be using port 8080

d. Save http.conf and restart Apache to reflect the changes. You can do this through the services applet (Start -> Run services.msc) or also through the apache service monitor (This is the apache icon next to the clock in the taskbar)

e. Test that Apache is running by going to [url]http://localhost:8080/[/url] (you should get the default Apache welcome screen).

2. INSTALL SUBVERSION

a. Download The subervsion server binary for Windows. It’s currently located at http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=91
For these instructions, download the svn-x.x.x-setup.exe installer.

b. Run the Subversion server setup. All defaults are fine. At a certain point you’ll see an option about installing Apache Modules. As far as I can tell this does nothing, but whatever! I left it checked.

3. CONFIGURE APACHE SUBVERSION MODULES

a. We need to move the subversion modules so Apache can use the. To do that, copy the following files from C:\Program Files\Subversion\bin\ to C:\Program Files\Apache Group\Apache2\modules\

libdb42.dll
libeay32.dll
mod_authz_svn.so
mod_dav_svn.so

b. Open C:\Program Files\Apache Group\Apache2\conf\httpd.conf again and do a find for “LoadModule” - This should take you to a section where there are a bunch of LoadModule statements uncomment this line (delete the # from the beginning of the line):

LoadModule dav_fs_module modules/mod_dav_fs.so

Below that, add the following two lines:

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Now scroll to the very botton of the file and paste the following.

<Location /svn>
DAV svn
SVNParentPath C:\InetPub\svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile C:\InetPub\svn.pass
#AuthzSVNAccessFile svnaccessfile
Require valid-user
</Location>

You can change these as you like, however this is what I’ll use for the instructions here. I happen to think these are reasonable defaults. The settings are probably somewhat self-explainitory, but for additional information read the fine Apache manual.

c. Restart Apache Again to load the configuration changes

d. Test that everything is working at this stage by going to [url]http://localhost:8080/svn/[/url] You should get prompted for login box. We haven’t created a username/password yet so just hit cancel.

4. CREATE A USERNAME/PASSWORD FOR HE APACHE DIRECTORY

a. We need to use htpasswd.exe in the Apache2/bin directory to edit the password files. this is a pain unless it is in your path, so I recommend adding it to your environmental PATH variable. (right-click My Computer -> Advanced -> Environmental Variables) Append the folling to the PATH variable: ;C:\Program Files\Apache Group\Apache2\bin

b. Create a blank file C:\InetPub\svn.pass

c. Open a new DOS windows (you need to open a new one to recognize the PATH changes)

d. go to C:\InetPub and type the following:

htpasswd snv.pass svnuser

You’ll be prompted for a password. enter whatever you want (svnpass for this example)

(This is the procedure you can repeat to add more users)

e. You can open svn.pass in notepad to make sure there is a user there - you should see “svnuser” followed by the crypted pass information.

5. CREATE A REPOSITORY

a. Open Windows explorer and create a folder C:\InetPub\svn

b. Open a DOS window and go to C:\InetPub\svn

c. Enter the following:

svnadmin create myrepository

(You can repeat this process to create additional repositories - I am just choosing the name myrepository for testing purposes)

d. Give it a test by opening [url]http://localhost:8080/svn/myrepository/[/url] and entering the username/pass you created in step 4 (in this example svnuser / svnpass) If everything is working right, then you should see “Revision 0″ in the browser.

Contratulations - You’re Done!

6. USING YOUR REPOSITORY

If you need instructions for using subversion, I’d recommend downloading TortoiseSVN from http://tortoisesvn.tigris.org/ and reading the documentation. Although setting up the server is a bit of work, using the client is pretty easy.

When you use your client to connect to the server, your subversion repository will always start with http://your.domain.com/svn/ (as opposed to some public repositories that start with svn://your.domain.com/) Otherwise, the usage is exactly the same.

If you haven’t managed a Subversion server, you may not know how to initialize your repository. Basically, each time you create a new repository, you have to initialize it by doing an import. You have to add at least one file to the repository. To do this, just create a blank folder on your computer, put at least 1 file in there (I put a readme.txt or whatever). Then use your subversion client “import” command. This will initialize the repository at version 1. At that point, you can check in and out as you always do.

THE END

Share This

There is a problem with IE and PHP applications is certain instances where an intermittent blank page appears instead of the expected content.

This seems to relate to an earlier bug reported by Microsoft with IE 6 where the content length was reported as 0 during POST requests. This occured when browsing sites running UNIX/Apache with keepalive enabled. However, I’ve discovered that the same problem occurs intermittently with certain PHP applications and GET requests.

One workaround which solves the problem (although with a performance hit) is to create an .htaccess file in the root directory with the following setting:

[code]
BrowserMatch “MSIE” nokeepalive downgrade-1.0 force-response-1.0

SetEnvIf User-Agent “.*MSIE.*” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
[/code]

This workaround disables keepalive for all IE 6 clients. I imagine this would have a negative performance effect, however it is likely preferable to a buggy application.

I haven’t been able to determine if certain PHP code techniques could be causing the problem. I read certain people presuming that it could be session related, however, i went as far as removing all session functionality from an application, however it did not solve the problem.

Share This