530 Part IV ✦ Securing Your Web Site
Chapter 18 ✦ Web Security

All of these constructions are risky if they involve user input that may contain shell meta-characters. For system() and exec(), there is a somewhat obscure syntactic feature that enables you to call external programs directly rather than going through a shell. If you pass the arguments to the external program as separate elements in a list rather than in one long string, Perl will not go through the shell, and shell meta-characters will have no unwanted side effects. For example:

    system "/usr/bin/sort", "data.dat";

You can take advantage of this feature to open up a pipe without going through a shell. Opening the special filename -| forks a copy of Perl and opens a pipe to the copy. The child copy then immediately execs another program using the first argument of the exec function call. To read from a pipe without opening a shell, you can do something similar with the sequence -|:

    open(GREP, "-|") || exec "/usr/bin/grep", $userpattern, $filename;
    while (<GREP>) {
        print "match: $_";
    }
    close GREP;

These forms of open() are more secure than the piped open() and, therefore, you should use them whenever possible.

Note that there are other obscure features in Perl that enable you to call an external program and to lie to it about its name. This is useful for calling programs that behave differently depending on the name by which they were invoked. The syntax uses a block as the indirect object of system(), giving the real path in the block and the name the program should see as the first list element:

    system { $real_name } "fake_name", "argument1", "argument2";

One trick used by vandals is to alter the PATH environment variable so that it points to the program they want your script to execute, rather than to the program you're expecting. You should invoke programs using full pathnames rather than relying on the PATH environment variable.
That is, instead of this fragment of Perl code:

    system("cat /tmp/shopping.cart.txt");

use this:

    system "/bin/cat", "/tmp/shopping.cart.txt";

If you must rely on the PATH variable, set it yourself at the beginning of your CGI script, as follows:

    $ENV{'PATH'} = "/bin:/usr/bin:/usr/local/bin";

Even if you don't rely on the PATH variable when you invoke an external program, there's a chance that the invoked program will; therefore, you need to include the previous line toward the top of your script whenever you use taint checks. Adjust the line for the list of directories that you want searched. Also, in general, it's not a good idea to put the current directory (.) into the path.

Wrapping CGI Scripts

The best way to reduce CGI-related risks is not to run any CGI scripts at all; however, in the days of dynamic Web content, this is unrealistic. Perhaps you can centralize all CGI scripts in one location and closely monitor their development to ensure that they are well written. In many cases, especially on ISP systems, all users with Web sites want CGI access. In this situation, it might be a good idea to run CGI scripts under the user ID (UID) of the user who owns the CGI script. By default, CGI scripts that Apache runs use the Apache UID. If you run these applications using the owner's UID, all possible damage is limited to what that UID is permitted to access. In other words, a bad CGI script run with a UID other than the Apache server UID can damage only the user's own files. The user responsible for the CGI script will become more careful, because the possible damage will affect his or her content solely. In one shot, you get increased user responsibility and awareness and, simultaneously, a limited area for potential damage.
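Before turning to wrappers, the Perl guidance from the start of this section (list-form exec, the -| pipe open, a pinned PATH, and taint checks) fits together in one small CGI script. The following is an added example, not code from the book: it assumes /usr/bin/grep and a readable /tmp/shopping.cart.txt, and the CGI parameter name "pattern" is an invented one. The point it adds to the text is that the list-form exec is only half the job; the pattern is also untainted against an explicit allow-list before it is handed to grep.

```perl
#!/usr/bin/perl -T
# Added example (not from the book): run an external program from a CGI
# script without ever handing user input to a shell.
# Assumptions: /usr/bin/grep exists, /tmp/shopping.cart.txt is readable, and
# the form parameter is called "pattern".
use strict;
use warnings;
use CGI qw(param);   # core until Perl 5.22; install from CPAN on newer perls

# Step 1: pin PATH and drop shell-influencing variables, so neither Perl nor
# the child program searches a vandal-controlled directory. Taint mode (-T)
# refuses to exec anything at all until PATH is set to an untainted value.
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Step 2: untaint the user input with an allow-list. Only characters that
# can never act as shell meta-characters are accepted; the regex capture is
# what clears the taint flag. Returns undef for anything else.
sub untaint_pattern {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_.\-]{1,40})\z/;
    return undef;   # ; | ` $ < > spaces and friends are rejected outright
}

# Step 3: the fork/exec pipe from the text. "-|" forks a child Perl; the
# child exec()s grep directly with a list, so even a pattern containing ';'
# or '`' would reach grep as a plain argument. "--" stops grep from reading
# a pattern that starts with '-' as an option.
sub grep_file {
    my ($pattern, $file) = @_;
    my @lines;
    open(my $grep, '-|') || exec('/usr/bin/grep', '--', $pattern, $file)
        or die "cannot exec grep: $!";
    while (my $line = <$grep>) {
        chomp $line;
        push @lines, $line;
    }
    close $grep;
    return @lines;
}

print "Content-type: text/plain\n\n";
my $pattern = untaint_pattern(param('pattern'));
if (!defined $pattern) {
    print "rejected: pattern may contain only letters, digits, '_', '.' and '-'\n";
    exit 0;
}
print "match: $_\n" for grep_file($pattern, '/tmp/shopping.cart.txt');
exit 0;
```

Run it under suEXEC or CGIWrap as described in the following sections and the process owner will be the script's owner rather than the Apache user; the -T switch on the shebang line is what makes Perl enforce the untainting step.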
To run a CGI script using a UID other than the Apache server's, you need a special type of program called a wrapper, which enables you to run a CGI script as the user who owns the file rather than as the Apache server user. Some CGI wrappers do other security checks before they run the requested CGI scripts. The following sections discuss two popular CGI wrappers.

suEXEC

Apache comes with a support application called suEXEC that provides Apache users with the ability to run CGI and SSI programs under UIDs that are different from the UID of Apache. suEXEC is a setuid wrapper program that is called when an HTTP request is made for a CGI or SSI program that the administrator designates to run as a UID other than that of the Apache server. When such a request is made, Apache provides the suEXEC wrapper with the program's name and the UID and GID. suEXEC runs the program using the given UID and GID.

Before running the CGI or SSI command, the suEXEC wrapper performs a set of tests to ensure that the request is valid. Among other things, this testing procedure ensures that the CGI script is owned by a user who is allowed to run the wrapper and that neither the CGI directory nor the CGI script is writable by anyone but the owner. After the security checks succeed, the suEXEC wrapper changes the UID and the group ID (GID) to the target UID and GID via setuid and setgid calls, respectively. The group-access list is also initialized with all groups in which the user is a member. suEXEC cleans the process's environment by establishing a safe execution PATH (defined during configuration), as well as by passing through only those variables whose names are listed in the safe environment list (also created during configuration). The suEXEC process then becomes the target CGI script or SSI command and executes.
This may seem like a lot of work — and it is — but it provides a great security coefficient, as well.

Configuring and installing suEXEC

If you are interested in installing suEXEC support in Apache, run the configure (or config.status) script as follows:

    ./configure --prefix=/path/to/apache \
        --enable-suexec \
        --with-suexec-caller=httpd \
        --with-suexec-userdir=public_html \
        --with-suexec-uidmin=100 \
        --with-suexec-gidmin=100 \
        --with-suexec-safepath="/usr/local/bin:/usr/bin:/bin"

Here is the detailed explanation of this configuration:

✦ --enable-suexec: Enables suEXEC support.

✦ --with-suexec-caller=httpd: Change httpd to the user name you use for the User directive in the Apache configuration file. This is the only user who will be permitted to run the suEXEC program.

✦ --with-suexec-userdir=public_html: Defines the subdirectory under users' home directories where suEXEC executables are to be kept. Change public_html to whatever you use as the value for the UserDir directive, which specifies the document root directory for a user's Web site.

✦ --with-suexec-uidmin=100: Defines the lowest UID permitted to run suEXEC-based CGI scripts. In other words, UIDs below this number won't be able to run CGI or SSI commands via suEXEC. Look at your /etc/passwd file to make sure that the range you chose does not include the system accounts, which usually have UIDs below 100.

✦ --with-suexec-gidmin=100: Defines the lowest GID permitted to be a target group. In other words, GIDs below this number won't be able to run CGI or SSI commands via suEXEC. Look at your /etc/group file to make sure that the range you chose does not include the system account groups, which usually have GIDs below 100.

✦ --with-suexec-safepath="/usr/local/bin:/usr/bin:/bin": Defines the PATH environment variable that suEXEC sets for the CGI scripts and SSI commands it executes.
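The ownership and permission rules described above are exactly what users trip over once suEXEC is live, and the only feedback they get is a server error plus a line in the suEXEC log. The following audit script is an added example, not part of the book or of Apache's own suexec source: it applies the rules the text states (owner matches the directory owner, neither file nor directory writable by group or others, UID and GID not below the configured minimums) to every .pl or .cgi file under a user's public_html, so an administrator can find refusals before they happen. The minimums default to the 100 used in the configure example, and the ~user/public_html layout is assumed.

```perl
#!/usr/bin/perl
# Added example (not from the book, not Apache's suexec): pre-flight audit
# that mirrors the ownership/permission checks the text says suEXEC makes.
# Assumptions: uidmin/gidmin of 100 as in the configure example, scripts
# named *.pl or *.cgi, and a ~user/public_html tree. suEXEC has further
# checks (for example that the target is not the server user) not modelled.
use strict;
use warnings;
use File::Find;
use File::Basename qw(dirname);

# Returns a list of refusal reasons for one script; an empty list means OK.
sub suexec_problems {
    my ($script, %opt) = @_;
    my $uidmin = $opt{uidmin} // 100;
    my $gidmin = $opt{gidmin} // 100;
    my @why;

    my @st = stat $script;
    return ("cannot stat $script: $!") unless @st;
    my ($mode, $uid, $gid) = @st[2, 4, 5];

    my $dir = dirname($script);
    my @dst = stat $dir;
    return ("cannot stat $dir: $!") unless @dst;
    my ($dmode, $duid, $dgid) = @dst[2, 4, 5];

    push @why, "uid $uid is below suexec-uidmin $uidmin" if $uid < $uidmin;
    push @why, "gid $gid is below suexec-gidmin $gidmin" if $gid < $gidmin;
    # This is the "uid/gid (x/y) mismatch with directory or program" case
    # shown in the log excerpt after a chown root.
    push @why, "owner $uid/$gid does not match directory owner $duid/$dgid"
        if $uid != $duid || $gid != $dgid;
    push @why, sprintf("script is group/world writable (mode %04o)", $mode & 07777)
        if $mode & 022;
    push @why, sprintf("directory is group/world writable (mode %04o)", $dmode & 07777)
        if $dmode & 022;
    push @why, "script is setuid or setgid" if $mode & 06000;
    push @why, "script is not executable"   unless $mode & 0111;
    return @why;
}

# Walk one user's public_html and collect every script that would be refused.
# no_chdir keeps $_ as the full path so stat() works wherever we started.
sub audit_userdir {
    my ($root, %opt) = @_;
    my %report;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_ && $_ =~ /\.(?:pl|cgi)\z/;
        my @p = suexec_problems($_, %opt);
        $report{$_} = \@p if @p;
    } }, $root);
    return %report;
}

if (!caller) {
    my $root = shift @ARGV || (getpwuid($<))[7] . '/public_html';
    my %bad  = audit_userdir($root);
    for my $path (sort keys %bad) {
        print "$path:\n";
        print "  - $_\n" for @{ $bad{$path} };
    }
    print "all scripts under $root pass the suEXEC checks\n" unless %bad;
}
```

Run it as the user (perl suexec_audit.pl ~kabir/public_html) or as root against several home directories. Because the directory check compares against the script's own parent, a script that passes here but is still refused by suEXEC is almost always a case the script cannot see from the file system alone, such as a target user that equals the Apache User or a document root outside the configured hierarchy.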
Enabling and testing suEXEC

After you install both the suEXEC wrapper and the new Apache executable in the proper location, restart Apache, which will write a message similar to this:

    [notice] suEXEC mechanism enabled (wrapper: /usr/local/sbin/suexec)

This tells you that suEXEC is active. Now, test suEXEC's functionality. In the httpd.conf file, add these lines:

    UserDir public_html
    AddHandler cgi-script .pl

The first directive (UserDir) sets the document root of a user's Web site to be ~username/public_html, where username can be any user on the system. The second directive associates the cgi-script handler with .pl files, so that Perl scripts with .pl extensions can run as CGI scripts.

For this test, you will need a user account. In this example, I use the host wormhole.nitec.com and a user called kabir. Copy the script shown in Listing 18-4 to a file called test.pl and put it in a user's public_html directory. In my case, I put the file in the ~kabir/public_html directory.

Listing 18-4: A CGI Script to Test suEXEC Support

    #!/usr/bin/perl
    #
    # Make sure the preceding line is pointing to the
    # right location. Some people keep perl in
    # /usr/local/bin.
    use strict;
    use warnings;

    my ($key, $value);
    print "Content-type: text/html\n\n";
    print "<h1>Test of suEXEC</h1>";
    # Dump every environment variable the CGI process received
    foreach $key (sort keys %ENV) {
        $value = $ENV{$key};
        print "$key = $value <br>";
    }
    exit 0;

To access the script via a Web browser, I request the following URL: http://wormhole.nitec.com/~kabir/test.pl. A CGI script is executed only after it passes all the security checks performed by suEXEC. suEXEC also logs the script request in its log file.
The log entry for my request looks as follows:

    [2001-03-29 16:00:22]: uid: (kabir/kabir) gid: (kabir/kabir) cmd: test.pl

If you are really interested in knowing that the script is running under the user's UID, insert a sleep command (such as sleep(10);) inside the foreach loop, which will slow the execution and allow you to run commands such as top or ps on your Web server console to learn the UID of the process running test.pl. You also can change the ownership of the script by using the chown command; try to access the script via your Web browser after changing ownership, and see the error message that suEXEC logs. For example, when I change the ownership of the test.pl script in the ~kabir/public_html directory as follows:

    chown root test.pl

I get a server error, and the log file shows the following line:

    [2001-03-29 16:00:22]: uid/gid (500/500) mismatch with directory (500/500) or program (0/500)

Here, the program is owned by UID 0, and the group is still kabir (500), so suEXEC refuses to run it, which means suEXEC is doing what it is supposed to do.

To ensure that suEXEC will run test.pl in other directories, I created a cgi-bin directory in ~kabir/public_html and put test.cgi in that directory. After determining that the user and group ownership of the new directory and file are set to user ID kabir and group ID kabir, I accessed the script by using the following URL:

    http://wormhole.nitec.com/~kabir/cgi-bin/test.pl

If you have virtual hosts and want to run the CGI programs and/or SSI commands using suEXEC, you must use User and Group directives inside the <VirtualHost ...> container. Set these directives to user and group IDs other than those the Apache server is currently using. If only one, or neither, of these directives is specified for a <VirtualHost> container, the server user ID or group ID is assumed.
For security and efficiency reasons, all suEXEC requests must remain within either a top-level document root for virtual host requests or one top-level personal document root for userdir requests. For example, if you have four virtual hosts configured, you need to structure all of your virtual host document roots off of one main Apache document hierarchy to take advantage of suEXEC for virtual hosts.

CGIWrap

CGIWrap is similar to the suEXEC program insofar as it permits users to use CGI scripts without compromising the security of the Web server. CGI programs are run with the file owner's permissions. In addition, CGIWrap performs several security checks on the CGI script, and the script is not executed if any check fails. CGIWrap is written by Nathan Neulinger; the latest version is available from the primary FTP site at ftp://ftp.cc.umr.edu/pub/cgi/cgiwrap/. CGIWrap is used via a URL in an HTML document. As distributed, CGIWrap is configured to run user scripts that are located in the ~/public_html/cgi-bin/ directory.

Configuring and installing CGIWrap

CGIWrap is distributed as a gzip-compressed tar file. You uncompress it by using gzip and extract it by using the tar utility. Run the Configure script, which prompts you to answer many questions. Most of these questions are self-explanatory.

Also note that there is a feature in this wrapper that differs from suEXEC. It enables you to create allow and deny files that can be used to restrict access to your CGI scripts. Both of these files have the same format, as shown in the following:

    User ID
    Username@subnet1/mask1,subnet2/mask2...

You can have either a single username (nonnumeric user ID) on a line, or a Username@subnet/mask line on which one or more subnet/mask pairs can be defined.
For example, if the following line is found in the allow file (you specify the filename):

    kabir@192.168.1.0/255.255.255.0

user kabir's CGI scripts are permitted to be run by hosts that belong to the 192.168.1.0 network with netmask 255.255.255.0. After you run the Configure script, you must run the make utility to create the CGIWrap executable.

Enabling CGIWrap

To use the wrapper application, copy the CGIWrap executable to the user's cgi-bin directory. This directory must match the directory that you specified in the configuration process. The simplest way to get things going is to keep the ~username/public_html/cgi-bin type of directory structure for the CGI script directory. After you copy the CGIWrap executable, change the ownership and permission bits as follows:

    chown root CGIWrap
    chmod 4755 CGIWrap

Create three hard links or symbolic links called nph-cgiwrap, nph-cgiwrapd, and cgiwrapd to CGIWrap in the cgi-bin directory as follows:

    ln [-s] CGIWrap cgiwrapd
    ln [-s] CGIWrap nph-cgiwrap
    ln [-s] CGIWrap nph-cgiwrapd

On my Apache server, I specified only the cgi extension as a CGI script; therefore, I renamed my CGIWrap executable to cgiwrap.cgi to get it to work. If you have similar restrictions, you might try this approach or make a link instead.
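The allow/deny file format above is simple enough that it is worth seeing how a line such as kabir@192.168.1.0/255.255.255.0 is actually evaluated against a client address. The following parser and matcher is an added example, not CGIWrap's own code: it handles the two line shapes the text describes (a bare username, or username@subnet/mask with several comma-separated pairs), IPv4 dotted quads only, and the sample file contents are constructed here for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not CGIWrap's code): parse the allow/deny file format
# described in the text and decide whether a user's scripts may be run
# from a given client address. IPv4 dotted-quad subnets and masks only.
use strict;
use warnings;
use Socket qw(inet_aton);

# Constructed sample allow file, not taken from the book.
my $SAMPLE_ALLOW = <<'END';
# CGIWrap allow file: one user per line
kabir@192.168.1.0/255.255.255.0
sheila@10.0.0.0/255.0.0.0,172.16.5.0/255.255.255.0
guest
END

# Dotted quad -> 32-bit integer, so subnet membership is a mask-and-compare.
sub ip2n {
    my $packed = inet_aton($_[0]) or die "bad address '$_[0]'\n";
    return unpack 'N', $packed;
}

# Parse the file text into { username => [ [net, mask], ... ] }.
# An empty range list means a bare username line: no address restriction.
sub parse_acl {
    my ($text) = @_;
    my %acl;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;            # strip comments
        $line =~ s/^\s+|\s+$//g;     # and surrounding whitespace
        next if $line eq '';
        my ($user, $nets) = split /@/, $line, 2;
        my @ranges;
        for my $pair (split /,/, $nets // '') {
            my ($net, $mask) = split m{/}, $pair, 2;
            die "malformed entry '$pair' for user $user\n" unless defined $mask;
            push @ranges, [ ip2n($net), ip2n($mask) ];
        }
        $acl{$user} = \@ranges;
    }
    return \%acl;
}

# True when $user is listed and $client_ip falls inside one of the listed
# subnets (or the user's line carried no subnet at all). Unlisted users are
# always refused, which is the safe default for an allow file.
sub acl_permits {
    my ($acl, $user, $client_ip) = @_;
    my $ranges = $acl->{$user} or return 0;
    return 1 unless @$ranges;
    my $ip = ip2n($client_ip);
    for my $r (@$ranges) {
        my ($net, $mask) = @$r;
        return 1 if ($ip & $mask) == ($net & $mask);
    }
    return 0;
}

my $acl = parse_acl($SAMPLE_ALLOW);
for my $case (['kabir',  '192.168.1.77'],   # inside 192.168.1.0/24: allowed
              ['kabir',  '192.168.2.1'],    # outside: denied
              ['sheila', '172.16.5.9'],     # matches second pair: allowed
              ['guest',  '203.0.113.5'],    # bare username: allowed anywhere
              ['nobody', '10.1.1.1']) {     # not listed: denied
    my ($u, $ip) = @$case;
    printf "%-7s from %-15s => %s\n", $u, $ip,
        acl_permits($acl, $u, $ip) ? 'allowed' : 'denied';
}
```

The same matcher serves a deny file by inverting the decision: a listed user whose client address matches is refused. Either way, the mask is applied to both sides of the comparison, so a network written with host bits set (192.168.1.5/255.255.255.0) still matches the whole /24, which is what an administrator editing these files by hand usually intends.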
Now, execute a CGI script as follows:

    http://www.yourdomain.com/cgi-bin/cgiwrap/username/scriptname

To access user kabir's CGI script test.cgi on the wormhole.nitec.com site, for example, I would use the following:

    http://wormhole.nitec.com/cgi-bin/cgiwrap/kabir/test.cgi

If you want to see debugging output for your CGI, specify cgiwrapd instead of cgiwrap, as in the following URL:

    http://www.yourdomain.com/cgi-bin/cgiwrapd/username/scriptname

If the script is an nph-style script, you must run it using the following URL:

    http://www.yourdomain.com/cgi-bin/nph-cgiwrap/username/scriptname

Hiding clues about your CGI scripts

When a vandal scans a Web site for possible holes, the vandal looks for little things that provide clues about the underlying hardware and software used for the Web site. So, the fewer clues you provide about your system, the greater the chance that your Web site will not become the vandal's next victim. There are several ways to hide some of the important details that could become clues.

Use a nonstandard script alias

Use of the cgi-bin alias is very popular. As soon as you see a URL with cgi-bin, you know the site runs CGI scripts of some sort. This alias is set using the ScriptAlias directive in Apache's httpd.conf file. For example:

    ScriptAlias /cgi-bin/ "/path/to/real/cgi/directory/"

But few people realize that you can use anything to create an alias like this. For example:

    ScriptAlias /apps/ "/path/to/real/cgi/directory/"

Now /apps/ in a URL serves the same purpose as /cgi-bin/. So, if you use something similar to:

    ScriptAlias /dcon/ "/path/to/real/cgi/directory/"

it certainly will confuse some vandals because dcon, or whatever you really use, is nonstandard. Also, remember that many vandals use automated programs to scan Web sites for features and other clues. A nonstandard script alias such as the above is not likely to be incorporated in any automated program.
Use nonextension names for your CGI scripts

Many sites boldly showcase what type of CGI scripts they run. For example:

    http://www.domain.com/cgi-bin/show-catalog.pl

The above URL provides two clues about the site. First, it tells us that the site supports CGI scripts, and second, that the site runs Perl scripts as CGI scripts. If the above site instead used:

    http://www.domain.com/ext/show-catalog

it would be harder to determine anything about the site. Use of the .pl or .cgi extension should be avoided because these extensions provide clues about your system. To change an existing script's extension from .pl, .cgi, and so on to a nonextension name, simply rename the script. You do not need to change or add any Apache configuration for switching to nonextension names.

Like CGI scripts, SSI scripts pose a few security risks. They are discussed below.

Using CGI Scanners

CGI scanners are used to scan a Web server for CGI script-related vulnerabilities. There are two scanners that I like: cgichk.pl and Whisker.

cgichk.pl

This is a simple CGI scanner written in Perl. You can download the source from www.packetstorm.securify.com. When run from the command line using the perl cgichk.pl command, it asks you to enter a host name for the Web server you want to scan and a port number (default 80). You can also choose to log the results in a file. cgichk.pl first checks the HTTP protocol version being used by the Web server. For example, the following sample session shows that cgichk.pl is scanning a host called rhat.nitec.com.
    CGI scanner [in Perl] v1.1
    Host: rhat.nitec.com
    HTTP Port [80]:
    Log Session?(y/n)y
    Log File [rhat.nitec.com.scan]:
    Press [enter] to check the httpd version
    HTTP/1.1 200 OK
    Date: Tue, 27 Mar 2001 04:50:47 GMT
    Server: Apache/2.0.14 (Unix)
    Last-Modified: Mon, 26 Mar 2001 20:23:13 GMT
    ETag: "1ba42-1000-c65eee40"
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1

After it detects the protocol version, cgichk.pl will ask you to press the enter key to start checking for CGI vulnerabilities. The following output is a sample scan for CGI security issues on the rhat.nitec.com Web server running Apache 2.0.

    Searching for UnlG - backdoor : Not Found
    Searching for THC - backdoor : Not Found
    Searching for phf : Not Found
    Searching for Count.cgi : Not Found
    Searching for test-cgi : Not Found
    Searching for nph-test-cgi : Not Found
    Searching for nph-publish : Not Found
    Searching for php.cgi : Not Found
    Searching for handler : Not Found
    Searching for webgais : Not Found
    Searching for websendmail : Not Found
    Searching for webdist.cgi : Not Found
    Searching for faxsurvey : Not Found
    Searching for htmlscript : Not Found
    Searching for pfdisplay : Not Found
    Searching for perl.exe : Not Found
    Searching for wwwboard.pl : Not Found
    Searching for www-sql : Not Found
    Searching for view-source : Not Found
    Searching for campas : Not Found
    Searching for aglimpse : Not Found
    Searching for glimpse : Not Found
    Searching for man.sh : Not Found
    Searching for AT-admin.cgi : Not Found
    Searching for filemail.pl : Not Found
    Searching for maillist.pl : Not Found
    Searching for jj : Not Found
    Searching for info2www : Not Found
    Searching for files.pl : Not Found
    Searching for finger : Not Found
    Searching for bnbform.cgi : Not Found
    Searching for survey.cgi : Not Found
    Searching for AnyForm2 : Not Found
    Searching for textcounter.pl : Not Found
    Searching for classifields.cgi : Not Found
    Searching for environ.cgi : Not Found
    Searching for wrap : Not Found
    Searching for cgiwrap : Not Found
    Searching for guestbook.cgi : Not Found
    Searching for edit.pl : Not Found
    Searching for perlshop.cgi : Not Found
    Searching for anyboard.cgi : Not Found
    Searching for webbbs.cgi : Found!
    Searching for environ.cgi : Not Found
    Searching for whois_raw.cgi : Not Found
    Searching for _vti_inf.html : Not Found
    Searching for service.pwd : Not Found
    Searching for users.pwd : Not Found
    Searching for authors.pwd : Not Found
    Searching for administrators : Not Found
    Searching for shtml.dll : Not Found
    Searching for shtml.exe : Not Found
    Searching for args.bat : Not Found
    Searching for uploader.exe : Not Found
    Searching for rguest.exe : Not Found
    Searching for wguest.exe : Not Found
    Searching for bdir - samples : Not Found
    Searching for CGImail.exe : Not Found
    Searching for newdsn.exe : Not Found
    Searching for fpcount.exe : Not Found
    Searching for counter.exe : Not Found
    Searching for visadmin.exe : Not Found
    Searching for openfile.cfm : Not Found
    Searching for exprcalc.cfm : Not Found
    Searching for dispopenedfile : Not Found
    Searching for sendmail.cfm : Not Found
    Searching for codebrws.asp : Not Found
    Searching for codebrws.asp 2 : Not Found
    Searching for showcode.asp : Not Found
    Searching for search97.vts : Not Found
    Searching for carbo.dll : Not Found
    Server may have CGI vulnerabilities.

Notice the webbbs.cgi line marked Found! (shown in bold in the printed book). The scan found a potential CGI security risk: the webbbs.cgi script can be abused by script kiddies and wanna-be hackers to break into the system. If your scan identifies one or more security risks, consider removing the scripts or updating them with appropriate fixes.

Whisker

Whisker is a Perl-based CGI scanner that I like a lot. You can download the source distribution from www.filesearch.ru. After it is downloaded, extract the source in a directory and run the whisker.pl script as perl whisker.pl -h hostname.
For example, the perl whisker.pl -h rhat.nitec.com command runs the scanner against the Apache Web server running on the named host. The result is shown below:

    = Host: rhat.nitec.com
    = Server: Apache/2.0.14 (Unix)
    + 200 OK: HEAD /cgi-bin/webbbs.cgi
    + 200 OK: HEAD /manual/
    + 200 OK: HEAD /temp/

[...]

... set of measures such as controlled CGI and SSI requests as explained in the preceding material, you should focus your efforts on logging.

✦ ✦ ✦

Chapter 19: Securing Apache with SSL

[...] Only a few years ago, the Internet was still what it was initially meant to be — a worldwide network for scientists ...

[...] Your SSL-enabled Apache server is ready for testing.

Testing your SSL connection

After you start the Apache server with the /usr/local/apache/bin/apachectl startssl command, you should be able to access your SSL site by using https://localhost/ or https://your_server_hostname/ from local (on the Web server itself) or remote Web clients.

[...]

    DES-EDE3-CBC,C48E9F2F597AF968
    47f4qGkVrfFfTNEygEs/uyaPOeAqksOnALtKUvADHKL7BhaB+8BrT/Haa7MHwEzU
    jjaRd1XF1k1Ej3qH6d/Zl0AwVfYiAYvO1H3wQB2pllSuxui2sm7ZRkYUOpRMjxZI
    /srHn/DU+dUq11pH3vJRw2hHNVjHUB0cuCszZ8GOhICa5MFGsZxDR+cKP0T2Uvf5
    jlGyiMroBzN0QF0v8sqwZoSOsuKHU9ZKdA/Pcbu+fwyDWFzNfr8HPNTImlaMjGEt
    i9LWZikzBW2mmaw79Pq6xSyqL+7dKXmiQL6d/bYiH0ZUYHjMkJtqUp1fNXxJd4T6
    kB8xVbvjPivo1AyvYK0qmmVQp7WDnEyrrYUZVyRu0a+1O50aTG2GnfSy32YGuNTY

[...]

... support, follow these steps:

1. As root, change the directory to the Apache source distribution (/usr/local/src/httpd_version) directory.
2. Copy the Apache-SSL patch kit (apache_version+ssl_version.tar.gz) file into the current directory and extract it using the tar xvzf apache_version+ssl_version.tar.gz command.
3. Run patch -p1 [...]