The CGI and SSI Threat

Apache itself is very reliable and reasonably secure. The biggest threat to server security is the code that you or your users write for the server to execute. Two sources of these problems are Common Gateway Interface (CGI) programs and Server Side Includes (SSI).

One of the biggest threats to server security is badly written CGI programs. Intruders exploit poor code by forcing buffer overflows or by passing shell commands through the program to the system. The only way to avoid this and still have the benefit of CGI programs, which can be written in C, Perl, Python, and other programming languages, is to be very careful about the code that you make available on your system. Here are some basic preventative measures to keep in mind:

• Personally review all programs included in the cgi-bin directory.

• Try to write programs that do not allow free-form user input.

• Use drop-down menus instead of keyboard input.

• Limit what comes in to your system from the user.

To make it easier to review all CGI scripts, keep them all in the ScriptAlias directory. Don't allow ExecCGI in any other directory unless you're positive no one can place a script there that you have not personally reviewed. (The way ExecCGI and other server options are controlled is covered in the next section.)

Server Side Includes is also called Server Parsed HTML, and the files often have the .shtml file extension. These files are processed by the server before they are sent to the client. These files can include other files or execute code from script files. If user input is used to dynamically modify the SSI file, it is vulnerable to the same type of attacks as CGI scripts.

SSI commands are embedded inside HTML comments. Therefore, each SSI command begins with <!— and concludes with —>. The SSI commands are listed in Table 6.2.

Table 6.2: Server Side Includes Commands




Formats the display of file size and time.


Displays variables.


Executes a CGI script or a shell command.


Displays the date a document was last modified.


Displays the size of a document.


Inserts another file into the current document.

The most secure way to operate a server is to disallow all SSI processing. This is the default unless All or Includes is specified by an Options directive in the httpd.conf file. A compromise setting is to allow SSI, but to disallow the #include and #exec commands, which are the greatest security threat. Use IncludesNOEXEC on the Options directive for this setting.

Was this article helpful?

0 0

Post a comment