
CGI Wrappers

In the document From the authors (Page 173-177)

Wrapper programs and scripts can be used to enhance security when using CGI scripts. They can provide security checks, control the ownership of a CGI process, and allow users to run scripts without compromising your Web server's security. In using wrapper scripts, however, it is important to understand what they actually do before they are implemented on your system.

CGIWrap is a commonly used wrapper that performs a number of security checks. These checks are run on the script before it executes; if any one of them fails, the script is prohibited from executing. In addition to these checks, CGIWrap runs each script with the permissions of the user who owns it. In other words, if you ran a script wrapped with CGIWrap that was owned by a user named "bobsmith," the script would execute as if bobsmith were running it. It would have the same permissions associated with that account, and would have access only to the files that this account can access. If a hacker exploits security holes in the script, he or she would only be able to access the files and folders to which bobsmith has access. This makes the owner of the CGI program responsible for what it does, but also simplifies administration of the script. However, because the CGI script is given access to whatever its owner has access to, this can become a major security risk if you accidentally leave an administrator account as owner of a script: a hole in that script then hands the attacker the administrator's access.
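As an added illustration (not CGIWrap's own code), the following Python script performs the kind of pre-execution checks such a wrapper makes before it switches to the script owner's identity: it refuses symbolic links, setuid/setgid bits, group- or world-writable files, scripts owned by a privileged account, and scripts whose owner is not the user named in the request. The specific rules, the uid threshold of 100, and the files built by demo() are assumptions made for this example.

```python
# Added example (not CGIWrap's code): the kind of pre-execution checks a
# CGI wrapper performs before running a script as its owner, and the
# uid/gid switch that follows. The rules and the uid threshold are this
# example's own assumptions about what a wrapper should refuse.
import os
import stat
import tempfile

# Assumption: uid 0 is root and UIDs below 100 are system accounts; a
# wrapper should never run a script as such an owner (the text's warning
# about leaving an administrator account as owner of a script).
MIN_UNPRIVILEGED_UID = 100


def check_script(path, requested_uid=None):
    """Return the list of reasons the script must NOT be run.

    An empty list means every check passed. If requested_uid is given
    (the user named in the wrapper URL), the script's owner must match
    it, so user A cannot use the wrapper to run user B's script as B.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["script does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return ["script is a symbolic link"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("script is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid or setgid")
    if mode & stat.S_IWGRP:
        problems.append("script is group-writable")
    if mode & stat.S_IWOTH:
        problems.append("script is world-writable")
    if not mode & stat.S_IXUSR:
        problems.append("script is not executable by its owner")
    if st.st_uid < MIN_UNPRIVILEGED_UID:
        problems.append("script is owned by a privileged account (uid %d)" % st.st_uid)
    if requested_uid is not None and st.st_uid != requested_uid:
        problems.append("script owner (uid %d) is not the requested user (uid %d)"
                        % (st.st_uid, requested_uid))
    return problems


def run_as_owner(path, argv):
    """Refuse unless the checks pass, then become the owner and exec.

    The uid/gid switch only succeeds when the wrapper itself runs as
    root (which is why such wrappers are installed setuid root). setgid
    comes before setuid: after setuid the process can no longer change
    its group.
    """
    problems = check_script(path)
    if problems:
        raise PermissionError("refusing to run %s: %s" % (path, "; ".join(problems)))
    st = os.stat(path)
    os.setgid(st.st_gid)
    os.setuid(st.st_uid)
    os.execv(path, argv)


def demo():
    """Exercise check_script on constructed files with various modes.

    Returns a dict of case name -> problems found, so the outcome can
    be inspected without root and without executing anything.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        def make(name, mode):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/usr/bin/perl\nprint \"Content-type: text/plain\\n\\nok\\n\";\n")
            os.chmod(p, mode)
            return p
        clean = make("clean.cgi", 0o755)
        results["clean"] = check_script(clean, requested_uid=os.getuid())
        results["world_writable"] = check_script(make("ww.cgi", 0o757))
        results["group_writable"] = check_script(make("gw.cgi", 0o775))
        results["setuid"] = check_script(make("suid.cgi", 0o4755))
        results["not_executable"] = check_script(make("noexec.cgi", 0o644))
        results["wrong_owner"] = check_script(clean, requested_uid=os.getuid() + 1)
        link = os.path.join(d, "link.cgi")
        os.symlink(clean, link)
        results["symlink"] = check_script(link)
        results["missing"] = check_script(os.path.join(d, "nope.cgi"))
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print("%-16s %s" % (case, "; ".join(problems) or "OK"))
```

The owner check is the one that matters most for the administrator-as-owner mistake the text warns about: a wrapper that skips it will happily run a root-owned script as root, and every hole in that script is then a root hole.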

CGIWrap can be found on SourceForge's Web site, http://sourceforge.net/projects/cgiwrap.

Whisker

Whisker is a command-line remote-assessment tool that you can use to scan a Web site for vulnerabilities in CGI scripts and programs. It is itself a CGI script, written in Perl, and can easily be installed on your site. Once there, you can scan your own network for problems, or specify other sites to analyze.

Whisker differs from most CGI scanners available in a number of ways. Foremost, it won't run checks on your system that don't apply to the Web server being used. This is because it begins its scan by querying the type and version of Web server in use. This means that the tool won't look for vulnerabilities and files exclusive to Internet Information Server on non-Microsoft Web servers. Note that this relies on the server banner the target reports, which an administrator can change or remove, so a misleading banner can cause applicable checks to be skipped.

Another benefit of whisker is that it allows you to specify multiple directories where CGI scripts may be stored. Although CGI programs will generally reside in the CGI-BIN directory, this is not always the case. A number of sites mistakenly place their scripts in the same directory as their HTML documents, which has read permission for all users. This permission allows users to view the Web pages, and anything else in that directory. While this is a security risk, many CGI scanners won't recognize that the scripts exist, because they only look in the CGI-BIN directory. In addition, many Web servers allow you to specify a different name for the directory storing these scripts and programs. As such, you can name the CGI-BIN anything you'd like.

When such a scanner is run, it will again fail to find a CGI-BIN directory, and report that no scripts exist or that no vulnerabilities were found. Because whisker allows you to specify multiple directories, you can set where whisker will look, and properly scan the CGI scripts for vulnerabilities that could be exploited.

Whisker is free, and is available from www.wiretrip.net/rfp. Because it is written in Perl, you can open it in a viewer and analyze exactly what it does. In addition, once installed, you will need to open it to make some modifications. To use whisker, you will need to open the file called whisker.pl, and modify the first line:

#!/usr/bin/perl

This line points to the Perl interpreter on your Web server, which may reside in a location different from the path shown here. In a Unix environment, to find your local path to Perl, you can simply type this command:

which perl

Once this is done, upload the file to your Web server, so that it resides in a directory that's accessible to you with a Web browser. Once the files are on your server, you will then need to open a Web browser to access it.

This is done by entering your Web site's URL into the address bar of your Web browser, followed by the directory containing whisker and the filename whisker.pl. For example, if your site is www.freebsd.com and you placed whisker into a directory called "whisker," you would enter the URL www.freebsd.com/whisker/whisker.pl into the address bar of your browser. Upon pressing Enter, the script will execute and display the screen shown in Figure 4.4.

Figure 4.4 Whisker

In the field labeled "Target host to scan," enter the host you'd like to scan. You can enter the host name (e.g., www.freebsd.com) or the IP address in this field. This doesn't have to be the host name or IP address of the site on which whisker is installed. You can enter any Web site into this field, and whisker will scan it for vulnerabilities. For the same reason, anyone who can reach whisker.pl on your server can use it to scan other sites from your address, so keep the directory it lives in access-controlled and remove the script when you are done.

The second field on the whisker CGI scan form is used to specify the port to scan. By default, a Web server will use port 80 for HTTP requests. However, this can be changed on the Web server so that a different port is used.

Below this field are three check boxes that control what information will be displayed in the results of your scan. The options available here are:

Use virtual hosts

Display supporting information

Verbose results

"Use virtual hosts" is an option that allows you to scan virtual hosts when possible. Virtual hosts are additional domain names that use the same IP address. This is common for ISPs that provide hosting for multiple Web sites: rather than everyone having to use a single domain name (for example, www.freebsd.com), each site can use a different domain name although the server uses a single IP address. The server selects the site from the host name sent with each request, so a scan that does not send the right host name may be answered by a different site than the one you intended. The "Display supporting information" check box specifies that you want additional information displayed with the results. For example, if an Apache Web server were being run, the supporting information would show that "Apache prior to 1.2.5 had various problems." It will reveal the paths of various files, their purpose, where additional information can be found, and so forth. Finally, "Verbose results" is used to provide detailed information on what was acquired from the scan. Because these are check boxes, you can combine them to control the information returned from the scan.

Below this, you can specify the request method. There are four possible request methods that whisker can use to retrieve information:

Head

Get

Get w/ byte-range

Get w/ socket close

The default method used by whisker is "Head." This method is the same as the GET method, but it doesn't return document bodies; it only returns HTTP headers, which is enough to learn whether a script exists and what the server says about it. GET is a method that retrieves the data specified in a URL; the responding site returns the data that is requested. In this case, the information would be the results of tests performed by whisker.
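The behaviour described above, together with the earlier paragraphs on server fingerprinting and on scanning several script directories, as an added example written for this page rather than taken from whisker: a small Python scanner core that reads the Server banner with a HEAD request, skips checks that belong to a different server family, probes every directory it is given rather than only /cgi-bin/, and issues only HEAD requests. The check table, the fake_server() stand-in for the network, and the sample paths are constructed for illustration; http_send() shows the equivalent real transport.

```python
# Added example (not whisker's code): the core decisions a CGI scanner
# such as whisker makes, written from scratch. It fingerprints the server
# with a HEAD request to "/", drops checks that do not apply to that
# server family, probes every candidate script directory, and uses HEAD
# so that only headers come back. The check table is constructed for
# illustration and is not whisker's database.
import http.client
import secrets

# Constructed check table: 'family' limits a check to one server family
# (the text's point that IIS-only checks are wasted on an Apache host).
CHECKS = [
    {"name": "test-cgi sample script", "file": "test-cgi", "family": None},
    {"name": "printenv sample script", "file": "printenv", "family": "Apache"},
    {"name": "sample IIS script", "file": "sample.asp", "family": "Microsoft-IIS"},
]


def http_send(host, port=80, timeout=10):
    """Real transport: returns send(method, path) -> (status, headers, body).

    Header names are lower-cased so lookups do not depend on the server's
    capitalisation; HEAD responses carry no body by definition.
    """
    def send(method, path):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers={"Host": host})
            resp = conn.getresponse()
            body = b"" if method == "HEAD" else resp.read()
            return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
        finally:
            conn.close()
    return send


def fingerprint(send):
    """Read the Server banner; the family is the product name before '/'."""
    status, headers, _ = send("HEAD", "/")
    banner = headers.get("server", "")
    family = banner.split("/")[0].strip() or None
    return banner, family


def applicable_checks(family):
    """Generic checks always run; family-specific ones only on that family."""
    return [c for c in CHECKS if c["family"] is None or c["family"] == family]


def scan(send, cgi_dirs=("/cgi-bin/",), method="HEAD"):
    """Probe each check in each candidate directory; return what answered 200.

    A server that answers 200 for a random, non-existent path (a custom
    'not found' page) would make every probe look like a hit, so a
    baseline request for such a path is made first and the result
    flagged as unreliable if it succeeds.
    """
    banner, family = fingerprint(send)
    baseline_status, _, _ = send(method, "/" + secrets.token_hex(8))
    findings = []
    for d in cgi_dirs:
        for check in applicable_checks(family):
            path = d.rstrip("/") + "/" + check["file"]
            status, _, _ = send(method, path)
            if status == 200:
                findings.append({"check": check["name"], "path": path})
    return {"server": banner, "family": family,
            "reliable": baseline_status != 200, "findings": findings}


def fake_server(banner, existing_paths, catch_all=False):
    """Constructed stand-in for the network, so the scanner runs offline.

    Answers like a host advertising `banner` that has only `existing_paths`
    (or, with catch_all, answers 200 to everything, like a site with a
    custom error page), and records every request in send.calls.
    """
    calls = []
    def send(method, path):
        calls.append((method, path))
        headers = {"server": banner, "content-type": "text/html"}
        if catch_all or path == "/" or path in existing_paths:
            return 200, headers, b"" if method == "HEAD" else b"<html>...</html>"
        return 404, headers, b""
    send.calls = calls
    return send


if __name__ == "__main__":
    target = fake_server("Apache/1.3.6 (Unix)", {"/cgi-bin/test-cgi", "/scripts/printenv"})
    print(scan(target, cgi_dirs=("/cgi-bin/", "/scripts/")))
```

Because the family comes from the Server banner, a host that hides or alters it makes applicable_checks() fall back to the generic entries only; run with cgi_dirs covering every location the site actually uses, and treat findings from a host that answers 200 to a random path as unreliable until confirmed with a GET.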

Once you've specified the site, the information to be displayed, and the method, you merely click run whisker and wait for the results to be displayed. This CGI program will create a Web page, allowing you to view the results of your analysis and click on hyperlinks to various directories on that server. This will include files (including password files) that can be clicked on for viewing.
