Networking / Beginners

The CGI and SSI Threat

Apache itself is very reliable and reasonably secure. The biggest threat to server security is the code that you or your users write for the server to execute. Two sources of these problems are Common Gateway Interface (CGI) programs and Server Side Includes (SSI).

One of the biggest threats to server security is badly written CGI programs. Intruders exploit poor code by forcing buffer overflows or by passing shell commands through the program to the system. The only way to avoid this and still have the benefit of CGI programs, which can be written in C, Perl, Python, and other programming languages, is to be very careful about the code that you make available on your system. Here are some basic preventative measures to keep in mind:

  • Personally review all programs included in the cgi-bin directory.
  • Try to write programs that do not allow free-form user input.
  • Use drop-down menus instead of keyboard input.
  • Limit what comes in to your system from the user.

To make it easier to review all CGI scripts, keep them all in the ScriptAlias directory. Don't allow ExecCGI in any other directory unless you're positive no one can place a script there that you have not personally reviewed. (The way ExecCGI and other server options are controlled is covered in the next section.)

Server Side Includes is also called Server Parsed HTML, and the files often have the .shtml file extension. These files are processed by the server before they are sent to the client. These files can include other files or execute code from script files. If user input is used to dynamically modify the SSI file, it is vulnerable to the same type of attacks as CGI scripts.

SSI commands are embedded inside HTML comments. Therefore, each SSI command begins with <!-- and concludes with -->. The SSI commands are listed in Table below.

Server Side Includes Commands 
Command 	Purpose
#config 	Formats the display of file size and time.
#echo 		Displays variables.
#exec 		Executes a CGI script or a shell command.
#flastmod 	Displays the date a document was last modified.
#fsize 		Displays the size of a document.
#include 	Inserts another file into the current document.

The most secure way to operate a server is to disallow all SSI processing. This is the default unless All or Includes is specified by an Options directive in the httpd.conf file. A compromise setting is to allow SSI, but to disallow the #include and #exec commands, which are the greatest security threat. Use IncludesNOEXEC on the Options directive for this setting.

[Previous] [Contents] [Next]

In this tutorial:

  1. Apache Web Server
  2. Installing Apache
  3. Running httpd
  4. Configuring the Apache Server
  5. The httpd.conf File
  6. Loading Dynamic Shared Objects
  7. Basic Server Directives
  8. Multi-Homed Server Configuration
  9. Defining Where Things Are Stored
  10. Creating a Fancy Index
  11. Defining File Types
  12. Managing Child Processes
  13. Performance Tuning Directives
  14. Caching Directives
  15. Defining Virtual Hosts
  16. Web Server Security
  17. The CGI and SSI Threat
  18. Server Options for Documents and Directories
  19. Directory-Level Configuration Controls
  20. Defining Access Controls
  21. Requiring User Authentication
  22. High-Performance User Authentication
  23. Configuring SSL
  24. Managing Your Web Server
  25. Monitoring Your Server
  26. Apache Logging
  27. Defining Log Formats
  28. Using Conditional Logging