Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Ovid (2709)

Ovid
  (email not shown publicly)
http://publius-ovidius.livejournal.com/
AOL IM: ovidperl (Add Buddy, Send Message)

Stuff with the Perl Foundation. A couple of patches in the Perl core. A few CPAN modules. That about sums it up.

Journal of Ovid (2709)

Thursday July 27, 2006
07:21 AM

MS (again) flunks security 101(with Python and Perl CGI)

[ #30443 ]

As pointed out in this blog entry and verified in Microsoft's knowledge base, Microsoft is giving out some pretty dangerous security advice on how to set up Python CGI. Basically, the IIS mapping the recommend for Python CGI is "C:\Python20\python.exe %s %s". The problem, as noted in the blog:

Unfortunately this is not just wrong, but possibly dangerous. The first problem is that it'll break if a CGI script's filename has a space in it, because everything after the space becomes parameters to the script. Secondly, if the script name starts with a hyphen, it become a flag to the Python interpreter. And there are some dangerous flags—for example -c allows you to execute any Python code.

If the ‘check file exists’ option is turned on, this is only an annoyance in that you can't use script names with these characters in. However if turned off an attacker would be able to abuse these holes without you having to provide a script with a weird name.

The solution is to put the ‘%s’s in quotes, and ensure that the ‘check file exists’ option is always on.

Oh, wait! Naturally, I had to do some digging. Looks like they have similarly bogus advice for Perl. Curiously, the latter link shows up as a blank page in my Firefox but renders just fine in IE.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.