IPL Perl Lecture Notes

up

Perl Lecture Notes - Mar 8
Security 101 and a bit about Email

CGI Security
- Many, many various issues in www security in general:
  server security, cgi security, authentication, crypto, privacy, denial of service attacks, ...
- Here I'll stick (mostly) to issues around cgi scripts.
  - The problem with CGI scripts is that each presents yet another opportunity for exploitable bugs." - Lincoln Stein
  - All user input must be checked and kept in its place.
  - Other information from the outside - environment variables, PATH, IP address, referer, hidden variables, etc, should also be treated skeptically.
    Two examples: don't put price tags in hidden fields, and don't trust the referer value set by apache - the browser sets this. See pg 203 in CGI Programming
  - Don't allow the size of the data you're reading to overflow the buffer you're putting it in. (This is not typically a problem in perl.)
  - Make sure your script has enough privileges to do it's job, but not more than it needs. (Changing the user id of your script is called "setuid"; see below.)
  - Trust no one. They are out to get you.
- "Escaping" examples - some classic boo-boos
  - Shell escape
    - 1st figlet - the problem : code - run it
      (To see it run corrupted corrupted, input 'hi; /bin/cat /etc/passwd')
    - 2nd figlet : fixed by allowing only "good" characters. code - run it
    - 3nd figlet : fixed by a safer kind of shell command code - run it
  - Html escape - "cross scripting" (Thanks Brandt.)
    - apache.org's page on the subject and the CERT advisory
      (If you've never seen CERT, it's site is worth a visit.)
    - <script> example : target - exploit
    - other sites - brattleboro.vt.us, www.bestwebbuys.com/books/ - put in, for example "foo<blink>hi</blink>"
    - This is using correct https and authentication, because the exploit is happening on their website. It just doesn't have the html they expect, since they didn't do the proper checking on the input.
    - This does not require <script> - can insert other html, say an extra form button that sends your credit number to someone else...
    - Read more at this March 4 2002 CERT paper on the topic
  - Moral: Verify that user input has the format you expect. Don't let user input "escape" into the wrong context. In particular, don't display the raw user's text, even as an error message, and don't let that text be interpreted by the operating system shell.
  - Note that there are (at least) 4 different language contexts, each with own quoting : programming language (i.e. perl), html, url, OS shell
    - CGI.pm has (minimally documented) subroutines for HTML and URL escaping.
    - code - run it
    - Also see the CPAN URI.pm which contains URI::Escape as well as HTML::Entities for other modules which do this.
- Perl Taint mode
  - what it is (from the Camel book, page 559) :
    "The principle is simple: you may not use data derived outside your program to affect something else outside your program - at least, not by accident. Anything that comes from outside your program is marked as tainted, including all command-line arguments, environment variables, and file input. Tainted data may not be used directly or indirectly in any operation that involves a subshell, nor in any operation that modifies files, directories, or processes."
  - why you should use it: (ibid)
    "If you aren't executing your CGI scripts under taint mode, you've needlessly abandoned the strongest protection Perl can give you. "
  - why you won't like it:
    If you think "use strict" is bad, you ain't seen nothin' yet. Taint mode is very restrictive, and prohibits all kinds of things that you would typically like to do. Taint mode enforces a stricter discipline than found in typical Perl scripts.
  - setuid and taint: Perl turns on Taint mode automatically whenever the real and effective user or group id's are different. Pratically speaking, this means that any setuid script automatically runs under taint mode. For more "normal" scripts, you turn on taint mode by invoking perl with "perl -T" (or "perl -wT")
  - a "tainted" variable is a property that propagates to all other variables that one touches.
```
  #!/usr/bin/perl -T
  $a = 3;                   # untainted
  $b = $ENV{HTTP_REFERRER}  # tainted - comes from outside this code
  $line = <STDIN>     # tainted
  $c = $b . $a;             # tainted because $b is tainted
  $d = `ls`;                # FATAL ERROR - "ls" depends on PATH,
			    #   which comes from outside the program.
```
  - Variables may be converted from tainted to untainted only by using regular expression matching. The idea is that you're "fixing" the bad parts with the regular expression.
```
  #!/usr/bin/perl -T
  $word = <STDIN>	    # tainted
  # only keep this word if it is made up of only word characters
  if ($line =~ /^([\w]+)$/)  { $string = $1 }    # now its untainted
  else                       { die "non word char in string" }
```
  - back to the cgi_figlet example
    - original with taint mode on - run it
    - changes to make it run with taint on - run it
  - That's enough for a start - see the readings below for the details , as well as the Taint Mode FAQ
- setuid scripts
  - what - setting up your script to run with extra privileges
  - how - sticky bit in unix : "chmod u+s script.cgi"
  - why use them - some executables (like "passwd") need more privileges than the person using them
  - security risks - lots. Try to avoid when possible.
  - see WWW Security FAQ, Q50
  - See also my setuid examples from last year
- Different levels of user access have different problems
  - lowest - visitors from anywhere in the world: lots of 'em, but fewest avenues into your stuff.
  - intermediate - local network folks and users on server: sniffing
  - highest - cgi authors on server: lots of power
    From apache.org:
    Allowing users to execute CGI scripts in any directory should only be considered if:
    1.You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.
    2.You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.
    3.You have no users, and nobody ever visits your server.
  - An example of power that cgi authors have : given your privileges on bob, can you read the passwords in these directories? (I'll give the answer next time.)
  - The moral of this story is that if you really want to run a secure server, don't put any user accounts on it. And while you're making it into just a server, shut down all the services (telnet, ftp, ...) that you don't need.
- other issues
  - encryption and signatures (also called "hashes", i.e. MD5): https, ssl, various CPAN modules
  - authentication : by ip address (but can be spoofed), by password (but can be intercepted or guessed)
  - cookies : what to put in them (date, ip address, session id) , what not to put in them (username, password)
  - typical secure authentication scenario :
    1. use https
    2. ask for a username/password once
    3. set session ID in cookie or url ( see Apache::Session )
  - race conditions : subtle timing glitches, i.e. first testing to see if a file exists and then trying to open it - maybe it changed status between the tests. See pg 571 of the Camel.
  - casual use of temporary files : writing to files like /tmp/foo.$$ . All /tmp/ files are open to any user, and so vulnerable to other users on the system. See pg 573 of the Camel.
  - "use Safe;" - a sandbox for evaluating suspect code.
Email from Perl
- I've found that it's often helpful to have your cgi script send out email. And it's pretty easy:
- from the Cookbook, pg 650
  - two ways : roll your own or with the CPAN Mail::Mailer (in MailTools)
  - I've tried to
  - source - run it
- It's also pretty straightforward to have an automatic agent read and handle mail, such as for an automated email list or whatever.
  - create a user account for the agent, i.e. agent@server.org
  - put the line "|/path/to/program/script.pl" in .forward
  - script.pl will be executed and will read the mail on STDIN.
  - An example from my dawndance.org work :
    .forward file has this: \mahoney, "|/home/faculty-staff/mahoney/.email/filter.pl"
    email_filter.pl source records emails from Paypal ticket purchases
  - Or, Recipe 18.5 in the Cookbook shows how to use Net::POP3 to read email directly from a POP3 server.
Resources
- CGI Programming MetaFAQ - Security section
- Lincoln Stein's WWW Security FAQ
- L. Stein also has a full book out called Web Security : a Step-by-Step Reference Guide which is quite nice.
- 21 Rules for Secure CGI and 5 rules for perl
- apacheweek featured articles - selected 2001 articles, including a "Security" section
- J. Hall article looking at perl cgi security issues.
- some security examples I wrote up for last year's class.
  (Many of these are disabled, but there's still a few different exploits there.)
- CERT - the internet security site
- CPAN MailTools module.
  (You can also find the Mail::Mailer documentation here on bob.)
Assignment:
- Read some stuff on CGI security
  - chapter 8 in CGI Programming with Perl
  - section 19.4, pg 679 in the Perl Cookbook
  - chapter 23 in the Camel
  - Browse the WWW Security FAQ,
    particularly sections 6 (CGI Scripts) and 7 (Safe Scripting in Perl)
  - Browse any of the other articles and tutorials I've listed somehere up above.
- Read a bit on email and cgi scripts
  - chapter 9 in CGI Programming, "Sending Email"
  - recipe 18.3 in the Cookbook, pg 650 - "Sending Mail"
- Turn on taint mode (-T) in at least one perl script you've already written, and make whatever changes needed to get it to run that way. Look at your scripts for any other security flaws, particularly whether or not you test the form of user input. Post a brief note in the gradebook describing what you found.
- Entirely Optional: As an illustration that folks who can write CGI scripts on a server (like you can on bob) can pretty much do whatever the httpd deamon can, see if you can figure out how to read the passwords in these directories? (I'll give the answer next time.)

Ta ta.