Webnet77 Christian web host



Hosting Packages


Up to 40 GB storage!
Unmetered Traffic!

 

Christian
web hosting

Security of your site - Dangerous Software!
 

OTHER ARTICLES OF INTEREST

META TAGS, Copyright, Spam Mail, Traffic Tips, Secure Email, SSL Certificates, New Site Checklist

CGI SECURITY IN GENERAL


Is there such a thing as dangerous software? Absolutely! The Internet abounds with it. Unfortunately, Thousands of Webmasters download dangerous software every day, totally oblivious to the fact that they might as well have put a huge banner on their site saying KICK ME!

Any program code running on an Internet server is a potential security risk simply because it is an executable program, anyone from anywhere on the Internet can call and execute it. Imagine if you had an exe on your PC's desktop that anyone could execute anytime they wanted; wouldn't that program need to be super-secure? Any PHP or CGI script is like that!

What make it worse is the fact that most programs accept parameters (your name, address and email for example in a mail form) making them especially vulnerable to exploitation from malicious attack. To learn more about Server security in general, click here.
 

THE PROBLEM


It is true to say that the Internet is not the "safe" place it was 5 or 8 years ago when it was much smaller. Driven by the lust for money and infamy, SPAMMERS and hackers have become the scourge of the Internet. They employ the skills of whoever they can find to help them practice their illegal trade (Make no mistake, spam and server hacking is illegal) - even some of the top programmers help them from time to time. After all, it pays good money!

What this means for you if you have a website is that you dare not use any old script (we are referring to server side scripts) you find on any old site and install it on yours. If you do, you are likely to get yourself into a lot of serious trouble -- not only with your hosting company but also with the law. This is how it works. Badly written scripts can be used for a number of things. Here are four of the most common ones.

A badly written piece of code can be used to:

Hijack your mail server
Why would someone want to do this? The answer lies in the law - spamming is illegal in most countries and get you prison time for doing it these days. If a spammer can use your website to send a couple of million (that is not a typo) SPAM emails, you will get into trouble with the law because it was your website that sent the spam.

Hijack your site or even the whole server
Ever seen all the Messages on a family friendly Message Board replaced with porn images? Or a whole website gone AWOL? That's the kind of thing we mean. Even more sinister is when the perpetrator uses stealth to intercept your email and monitor your outgoing mail - credit card numbers, passwords and other personal information can all be stolen in this fashion.

Hack other servers
Hacking of several servers is normally used by hackers when they want to orchestrate a massive DDOS (Distributed Denial of Service) attack on another [big] server like Yahoo or Hotmail. They normally install what is called a root kit which gives the hacker a "back door" into the server whenever he wants it.

Attack other servers
They refer to this as a DOS (Denial of Service) attack. One or more servers gang up on another server and overload it with data so that it crashes. You may remember from the news that Yahoo and Hotmail were attacked in this way not so long ago. Obviously this is illegal and there is serious prison time if the hackers get caught. Why do they do it? Beats me! Probably because they can.

Attack other end user PC's
Malicious code uploaded not by you but by a hacker (illegally and without your permission) onto your website can easily be used to attack the PC's of the people visiting your site. Other code uploaded to your site that sends out a virus email to thousands of people is yet another one of many ways your website can be used to attack the very people you are trying to encourage to visit your website.
 

WHERE IT STARTS


A customer once sent us the following Perl code (see THE CODE below) which he got off some free site with the following comment:

"I have got some cgi script from ____. It looks really neat. What do you think?"

Whilst we are pleased the customer had the forethought to check first, we are horrified at what we saw in the code...
 

THE CODE

Text Version

#!/usr/bin/perl
if ($ENV{'REQUEST_METHOD'} eq 'POST') {
# Get the input
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
# Split the name-value pairs
@pairs = split(/&/, $buffer);
# Load the FORM variables
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$FORM{$name} = $value;
}
open (MESSAGE,"| /usr/lib/sendmail -t");
# Format email header information
print MESSAGE "To: $FORM{submitaddress}\n";
if ($FORM{email} ne "") {
print MESSAGE "Reply-To: $FORM{email}\n";
}
# Write the actual email message
print MESSAGE "Subject: Feedback from $FORM{name} at $ENV{'REMOTE_HOST'}\n\n";
if ($FORM{email} ne "") {
print MESSAGE "Email: $FORM{email}\n"; }
if ($FORM{reply} eq "yes") {
print MESSAGE "Please reply.\n\n"; }
print MESSAGE "What sayeth thou?\n\n";
print MESSAGE "$FORM{feedback}\n";
# Thank the user and acknowledge
# the feedback
&thank_you;
}

Image Version with pretty colors :)

OBSERVATIONS - WHAT'S WRONG WITH THE CODE


This is exactly the kind of poorly written code unwitting webmasters download and install onto servers and end up either getting the whole server or their mail servers hijacked. It is one example of hundreds (maybe even thousands) of a very poorly written script one gets from hundreds of places on the Internet. In less than 5 minutes we were able to isolate a several major reasons why this particular piece of code should never be used on anyone's website.

  • Firstly, the TO email address is passed to the script from a "hidden" field in an HTML form on the WWW. The script does absolutely no checking of the referring IP or URL which means it can be called from anywhere - any 12 year old with some computer savvy could hijack this script and have your site pumping out thousands of spam emails an hour!
     

  • The $pair/$value variables are never parsed - so the script can be sent any characters you -- or worse still, the attacker wants!.
     

  • NO validation of any kind is done on the email address. On some versions of sendmail this could cause a lot of problems if the script was being maliciously called.
     

  • NO error trapping is done if sendmail does not open or close properly.
     

  • There is no warn (or die) directive if sendmail does not close properly (because it never gets closed in the first place!) meaning there will be no record in the server log for diagnostic purposes if something does go wrong.

AS A WEBMASTER WHAT SHOULD YOU DO


Even if you are an experienced, seasoned desktop programmer, unless you are an experienced Perl, PHP or Python programmer this probably applies to you too! (Fact is, most programmers are familiar with Desktop, PC and client software. Server software -- especially Internet software -- is an entirely different animal).

  • Never download software from hey check out my cool free software type of sites. You will be buying yourself a whole world of trouble in most cases.
     

  • Never modify scripts if you are not 100% sure. A customer recently modified a script he bought - he changed 4 lines of code. In just one of them he made a mistake. Just one line is all it took to get his mail server hijacked!
     

  • Never download and install software you cannot find running on other [reputable] sites somewhere else on the Internet.
     

  • Never use Form mail from Matt's Script archive. On our servers we will suspend any domain that uses Form Mail. There are many excellent, secure mail scripts. The search engine is your friend here. Search for "secure form mail with CAPTCHA" - if you are not sure of your choice, we are happy to help.
     

  • DO NOT download software from places like CGI Resources, Hot Scripts etc unless you are sure the author knows what s/he is doing. (We have nothing against these websites. On the contrary, they have many excellent scripts. The problem is anyone who thinks he's a programmer can write code and submit it to them and they make no distinction between secure and badly written software). If you want to find decent software to use on your site go to places like Perl.com or the Comprehensive Perl Archive Network and look there. Use the sites they recommend to get the software you need. (There is still no guarantee the software you download will be secure, but you stand a far better chance there than at the places where any wannabee can publish code.
     

  • Always be extra careful of using software that invokes any of the following. These are not security risks per se but are often the point of entry to a badly written script for the crafty hacker
     

    • Executes system commands from within the script,

    • sends email,

    • Accesses and manipulates files on a server,

    • receives information from the internet e.g. name, email address etc.

    • Deletes files or directories,

    • accesses and manipulates an SQL database,

    • There are probably many more but these are the ones we have found to be most problematic.
       

  • Always check with your someone more knowledgeable than yourself before installing software on your site.
     

  • Always check with other webmasters webmasters -- if you can -- that yourself if a script is safe to use.
     

  • Always search for more information on the background of the author/company of the particular script you want to use. Look for sites that do software and security reviews and see if you can dig up anything there. The search engine is your friend. Use it.
     

  • If you are not an experienced programmer find someone who is to help you find secure PHP/CGI programs for your site.
    NOTE: Delphi, VB, any flavor of C for Desktop PC's doesn't count, experienced means experienced with web servers.
     

  • The Search engine is your friend - Always do a search on the software you intend to install/purchase. Look for review sites that have commented especially on the security aspects of the software and stay away from it if there any any negative reports.
     

RESOURCES FOR FURTHER STUDY


By no means exhaustive, the following list of sites should give you a bit more insight as to the reality and dangers of poorly written Scripts:

OUR POLICY - IT'S YOUR RESPONSIBILITY TOO


As with any responsible server administration, we are highly conscious of security issues. As a webmaster, you should be just as security conscious simply because it makes the Internet a better place for all. Your website is hosted on a server with many other sites. The negligence of one could seriously impact on all.

There is no way we (or any other host for that matter) could wade through hundreds of customer sites and manually check each and every script. That would mean checking thousands (or hundreds of thousands!!) of files. It is simply not possible. We depend and rely on our customers to act responsibly and to take reasonable care of the security of their sites. This applies especially to the software installed on them. Having said that, the security of your website is your responsibility -- you agreed to that when you signed up. Be careful, be vigilant be aware.

Always ask if you are not sure. We are here to help :)
 

OTHER ARTICLES OF INTEREST

META TAGS, Copyright, Spam Mail, Traffic Tips, Secure Email. SSL Certificates, New Site Checklist



Copyright 2002- Webnet77.com. All Rights reserved.
TOS::AUP::Privacy