----------------------------------------------------------------------------

Service

http

Problem

Making a copy of a general purpose programming language available in a CGI
directory is a serious mistake.

Impact

Internet users can have arbitrary commands executed on the machine with the
privileges of the user that owns the http daemon.

Timeliness

Widely known.

Recommendation

Take care with respect to what programs you make available in the CGI
director(ies) of your server, and, in particular, do not make powerful
general purpose programming languages available to arbitrary remote users.

Description

The necessity of careful scrutiny of the contents of a server's CGI directory
is very well known. However, it still seems to be a common error. In
particular, it seems relatively common for NT sites to have a copy of perl
in their cgi-bin directory. This allows people to pass their own perl
programs as URLs to the server to be executed:

http://your.machine/cgi-bin/perl?-e+print%20q@Content%2dType%3a%20text%2fplain%0a%0aHello,%20World!%0a@
http://your.machine/scripts/perl.exe?-e+print%20q@Content%2dType%3a%20text%2fplain%0a%0aHello,%20World!%0a@

are two harmless examples.
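
One way to check a server for this mistake is to walk each CGI directory and
flag any file that is, or links to, a general-purpose interpreter. The script
below is an added example, not part of the original advisory; the interpreter
list, the function names and the sample directory contents are assumptions
constructed for illustration.

```python
import os
import re
import tempfile

# Assumed list of general-purpose interpreters and shells; extend it for your site.
INTERPRETERS = {"perl", "python", "ruby", "tclsh", "wish", "php", "sh", "bash",
                "csh", "tcsh", "ksh", "zsh", "cmd", "command"}

def interpreter_name(filename):
    """Return the interpreter a file name denotes ('Perl.EXE' -> 'perl'), else None."""
    base = os.path.basename(filename).lower()    # NT file names are case-insensitive
    base = re.sub(r"\.(exe|com)$", "", base)     # NT-style executable suffixes
    base = re.sub(r"[\d.\-_]+$", "", base)       # version suffixes such as perl5.004
    return base if base in INTERPRETERS else None

def audit_cgi_dir(cgi_dir):
    """Walk cgi_dir and return sorted (relative path, interpreter) pairs for every hit."""
    findings = []
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            path = os.path.join(root, name)
            # A link with an innocent name may still resolve to the interpreter binary.
            hit = interpreter_name(name) or interpreter_name(os.path.realpath(path))
            if hit:
                findings.append((os.path.relpath(path, cgi_dir), hit))
    return sorted(findings)

def demo():
    """Build a constructed cgi-bin tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Perl.EXE", "perl5.004", "guestbook.pl", "counter"):
            open(os.path.join(d, name), "w").close()
        os.symlink(os.path.join(d, "perl5.004"), os.path.join(d, "search"))
        return audit_cgi_dir(d)

if __name__ == "__main__":
    for path, hit in demo():
        print(f"{path}: general-purpose interpreter ({hit}) reachable as CGI")
```

A name-based check does not catch an interpreter copied under an unrelated
name, so the result complements a manual review of the directory.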

20th February 1996 - Lincoln Stein has recently pointed out that because the
Netscape NT server does not use the NT File Manager's associations between
file extensions and applications, even though files with the .pl (or other)
extension are associated with the perl interpreter, they are not recognised
as such when in the cgi-bin directory. This, combined with the DOS CGI
problem, makes CGI programming difficult with the current version of the NT
Netscape servers. His suggestion is to switch to an NT server that uses the
File Manager extension associations.

