Unix administration - Security tool to check CGI scripts for security holes/vulnerabilities


Trent Rivers

2004-01-23, 4:54 pm

I'm searching for a good security tool that I can use regularly to
scan all the programs/scripts in my web server's cgi-bin directory to
identify code that is creating security holes/vulnerabilities on the
server? Does such a thing exist??? Our web server is Apache 1.3.27 on
RH Linux 7.3.

Any pointers would be appreciated.
all mail refused

2004-01-23, 4:54 pm

In article <5d170c0c.0311201106.4e78f59@posting.google.com>,
Trent Rivers wrote:
quote:

>I'm searching for a good security tool that I can use regularly to
>scan all the programs/scripts in my web server's cgi-bin directory to
>identify code that is creating security holes/vulnerabilities on the
>server? Does such a thing exist??? Our web server is Apache 1.3.27 on
>RH Linux 7.3.

I've done some PERL stuff that looks for the likes of system() in its
one-argument form and open() with pipes. And lack of tainting on the #! line.
That was in the context of checks on the webserver too - httpd.conf writable
by non-root, files writable by the webserver child process user etc.

None of that was rocket science but as it is work I can't publish just
like that.

In fact the hardest part (which I still haven't clobbered) is figuring out
which of the 100 or so httpd.conf files on a box (I have a user population
requiring tomato bombardment) are actually in use. I thought of making
apache log details like that (files used, arguments used) to syslog so that
I can establish from that what's in use. I still haven't got round to
trying that mod.

I'm in favour of checking the code manually before it gets in place
but a regular automated check is nice too.

--
I was less than impressed when one of my staff last year suggested
tunneling ftp through ssh. -- Evpuneq Erivf
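As an added illustration of the checks that post describes (not the poster's unpublished script): a Python audit routine that flags a Perl CGI script whose #! line lacks -T, one-argument system() calls, open() with a pipe in its mode, and cgi-bin files writable by group or others. The regex heuristics, file names and the two embedded Perl samples are constructed assumptions.

```python
import os, re, stat
from pathlib import Path
# Heuristics the post describes, as an added illustration (not the poster's own script):
# perl run without -T, system() with a single argument, open() whose mode contains a pipe.
SHEBANG_RE = re.compile(r'^#!.*?perl\b(?P<flags>.*)$', re.MULTILINE)
SYSTEM_RE = re.compile(r'\bsystem\b\s*\(?(?P<args>[^;]*?)\)?\s*;')
OPEN_RE = re.compile(r'\bopen\b\s*\(?\s*[^,;]+,\s*(["\'])(?P<mode>[^"\']*)\1')

def scan_source(text):
    """Return (line, message) findings for one Perl CGI script's source text."""
    line = lambda m: text.count('\n', 0, m.start()) + 1
    findings = []
    m = SHEBANG_RE.match(text)
    if m and not re.search(r'-\w*T', m.group('flags')):
        findings.append((1, 'perl invoked without -T: taint checks are off'))
    for m in SYSTEM_RE.finditer(text):
        args = m.group('args').strip()
        # One scalar argument is handed to /bin/sh; the list form is exec'd directly.
        if args and ',' not in args and not args.startswith('@'):
            findings.append((line(m), 'one-argument system(): command runs via the shell'))
    for m in OPEN_RE.finditer(text):
        if '|' in m.group('mode'):
            findings.append((line(m), 'open() with a pipe: spawns a command'))
    return findings

def loose_permissions(path):
    """True if group or others may write the file (e.g. the httpd child user)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan_cgi_bin(directory):
    """Map each regular file under cgi-bin to its list of findings."""
    report = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            msgs = [f'line {n}: {msg}' for n, msg in scan_source(p.read_text(errors='replace'))]
            if loose_permissions(p):
                msgs.append('file is group- or world-writable')
            if msgs:
                report[p.name] = msgs
    return report

# Constructed sample scripts (not from the thread) that exercise each check.
VULNERABLE_CGI = """#!/usr/bin/perl -w
my $user = CGI->new->param('user');
system("finger $user");
open(MAIL, "|/usr/sbin/sendmail -t");
"""
SAFER_CGI = """#!/usr/bin/perl -wT
my ($user) = CGI->new->param('user') =~ /^(\\w+)$/;
system('/usr/bin/finger', $user);
open(my $fh, '<', '/etc/motd');
"""
```

Running scan_cgi_bin('/path/to/cgi-bin') gives a per-file report; like the poster's script it is a heuristic, so a clean result is not proof of safety.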
Todd H.

2004-01-23, 4:54 pm

matahnuva@yahoo.com (Trent Rivers) writes:
quote:

> I'm searching for a good security tool that I can use regularly to
> scan all the programs/scripts in my web server's cgi-bin directory to
> identify code that is creating security holes/vulnerabilities on the
> server? Does such a thing exist??? Our web server is Apache 1.3.27 on
> RH Linux 7.3.
>
> Any pointers would be appreciated.

There's a "useful testing tools" section on this page that you'll be
interested in.
http://www.securityfocus.com/infocus/1722

--
Todd H.
http://www.toddh.net/
Lassi Hippeläinen

2004-01-23, 4:54 pm

"Todd H." wrote:
quote:

>
> matahnuva@yahoo.com (Trent Rivers) writes:
>
> There's a "useful testing tools" section on this page that you'll be
> interested in.
> http://www.securityfocus.com/infocus/1722
>
> --
> Todd H.
> http://www.toddh.net/
Another source of information:
http://www.linuxjournal.com//article.php?sid=5673

-- Lassi

Copyright 2003 - 2009 webservertalk.com