
328    Chapter 5 • Communication Security: Web Based Services


in and uploaded a new home page for the site. Within 24 hours of the contest being won, a patch was released for the security hole.

Although the Web server, the Macintosh platform, and the programs on the server had been properly configured and had suitable security, the combination of these with the CGI scripts created security holes that could be used to gain access. Not only does this case show how CGI programs can be used to hack a site, it also shows the need for testing after new scripts are added, and shows why administrators should limit the CGI programs used on a Web site.

CGI Wrappers

Wrapper programs and scripts can be used to enhance security when using CGI scripts. They can provide security checks, control ownership of a CGI process, and allow users to run the scripts without compromising the Web server's security. In using wrapper scripts, however, it is important to understand what they actually do before implementing them on a system.

CGIWrap is a commonly used wrapper that performs a number of security checks. These checks are run on each CGI script before it executes. If any one of these fails, the script is prohibited from executing. In addition to these checks, CGIWrap runs each script with the permissions of the user who owns it. In other words, if a user ran a script wrapped with CGIWrap, which was owned by a user named "bobsmith," the script would execute as if bobsmith were running it. If a hacker exploited security holes in the script, they would only be able to access the files and folders to which bobsmith has access. This makes the owner of the CGI program responsible for what it does, but also simplifies administration of the script. However, because the CGI script is given access to whatever its owner can access, this can become a major security risk if the administrator accidentally leaves an administrator account as owner of a script. CGIWrap can be found on SourceForge's Web site, http://sourceforge.net/projects/cgiwrap.
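
The following is an added example (not CGIWrap's own source code) that illustrates the mechanism the paragraph describes: a wrapper runs a fixed set of checks on a script before execution, refuses to run it if any check fails, and otherwise drops from the Web server's identity to the script owner's before handing control to the script. The specific checks, the `MIN_OWNER_UID` threshold and the `safe_script_path` helper are assumptions chosen for illustration; in particular, the owner check is what prevents the risk the text names, a script accidentally left owned by an administrator account.

```python
"""Minimal CGI wrapper modelled on the behaviour the text attributes to CGIWrap.

Added example, not CGIWrap's source. Check set, thresholds and helper names
are illustrative assumptions.
"""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List, Optional

# Assumption: system and administrative accounts live below this UID and may
# never own a wrapped script, so a script left owned by "root" is refused.
MIN_OWNER_UID = 1000


@dataclass
class ScriptFacts:
    """What the wrapper needs to know about a script before deciding to run it."""
    owner_uid: int
    owner_gid: int
    mode: int          # permission bits only (stat.S_IMODE), setuid/setgid included
    is_regular: bool   # True for a regular file, False for symlinks, dirs, devices


def facts_from_stat(st: os.stat_result) -> ScriptFacts:
    """Reduce an os.stat result to the facts the checks need."""
    return ScriptFacts(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                       stat.S_ISREG(st.st_mode))


def evaluate(facts: ScriptFacts) -> List[str]:
    """Run every pre-execution check and return the list of failures.

    An empty list means the script may run; any single failure prohibits it,
    as the text describes for CGIWrap.
    """
    failures = []
    if not facts.is_regular:
        failures.append("not a regular file")
    if facts.owner_uid == 0 or facts.owner_uid < MIN_OWNER_UID:
        failures.append("owned by a system or administrative account")
    if facts.mode & stat.S_IWOTH:
        failures.append("world-writable")
    if facts.mode & stat.S_IWGRP:
        failures.append("group-writable")
    if facts.mode & (stat.S_ISUID | stat.S_ISGID):
        failures.append("setuid/setgid bit set")
    if not facts.mode & stat.S_IXUSR:
        failures.append("not executable by its owner")
    return failures


def safe_script_path(cgi_root: str, requested: str) -> Optional[str]:
    """Resolve the requested script inside cgi_root; None if it escapes the root."""
    root = os.path.realpath(cgi_root)
    full = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def run_as_owner(path: str) -> None:
    """Check the script, drop to its owner's identity, then exec it.

    The wrapper must itself start with enough privilege to change identity.
    Groups are dropped first, then the gid, then the uid, and the drop is
    verified before the script gets control.
    """
    failures = evaluate(facts_from_stat(os.stat(path)))
    if failures:
        sys.exit("refusing to run %s: %s" % (path, "; ".join(failures)))
    st = os.stat(path)
    os.setgroups([])
    os.setgid(st.st_gid)
    os.setuid(st.st_uid)
    try:
        os.setuid(0)               # must fail once privileges are gone
    except PermissionError:
        pass
    else:
        sys.exit("privilege drop failed; not running script")
    os.execv(path, [path])


if __name__ == "__main__":
    # Usage (assumed layout): wrapper.py <cgi_root> <user/script.cgi>
    target = safe_script_path(sys.argv[1], sys.argv[2])
    if target is None:
        sys.exit("requested path escapes the CGI root")
    run_as_owner(target)
```

`evaluate` is kept free of file-system calls so the policy can be reviewed and tested on its own; `run_as_owner` is the only part that needs to start privileged, and it exits rather than running the script if the identity change does not stick.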

Nikto

Nikto is a command-line remote-assessment tool that you can use to scan a Web site for vulnerabilities in CGI scripts and programs. In performing this audit of your site, it can seek out misconfigurations, insecure files and scripts, default files and scripts, and outdated software on the site. However, because it can make a significant number of requests to the remote or local server being checked, you should be careful to analyze only the sites you have permission to assess. Some



