Security of your site - Dangerous Software!

OTHER ARTICLES OF INTEREST

META TAGS, Copyright, Spam Mail, Traffic Tips, Secure Email, SSL Certificates, New Site Checklist

CGI SECURITY IN GENERAL

Is there such a thing as dangerous software? Absolutely! The Internet abounds with it. Unfortunately, thousands of webmasters download dangerous software every day, totally oblivious to the fact that they might as well have put a huge banner on their site saying KICK ME!

Any program running on an Internet server is a potential security risk simply because it is an executable program that anyone, from anywhere on the Internet, can call and execute. Imagine if you had an exe on your PC's desktop that anyone could run any time they wanted; wouldn't that program need to be super-secure? Any PHP or CGI script is exactly like that.

What makes it worse is that most programs accept parameters (your name, address and email in a mail form, for example), and every parameter is input that the caller, and therefore an attacker, controls. That makes them especially vulnerable to exploitation.

THE PROBLEM

It is true to say that the Internet is not the "safe" place it was 5 or 8 years ago when it was much smaller. Driven by the lust for money and infamy, spammers and hackers have become the scourge of the Internet. They employ the skills of whoever they can find to help them practise their illegal trade (make no mistake, spam and server hacking are illegal); even some of the top programmers help them from time to time. After all, it pays good money!

What this means for you, if you have a website, is that you dare not take any old script (we are referring to server-side scripts) you find on any old site and install it on yours. If you do, you are likely to get yourself into a lot of serious trouble, not only with your hosting company but also with the law. This is how it works. Badly written scripts can be used for a number of things. Here are five of the most common ones.

A badly written piece of code can be used to:

Hijack your mail server
Why would someone want to do this? The answer lies in the law: spamming is illegal in most countries and can get you prison time these days. If a spammer can use your website to send a couple of million (that is not a typo) spam emails, you will get into trouble with the law, because it was your website that sent the spam.

Hijack your site or even the whole server
Ever seen all the messages on a family-friendly message board replaced with porn images? Or a whole website gone AWOL? That's the kind of thing we mean. Even more sinister is when the perpetrator uses stealth to intercept your email and monitor your outgoing mail; credit card numbers, passwords and other personal information can all be stolen in this fashion.

Hack other servers
Compromising several servers is what hackers do when they want to orchestrate a massive DDoS (Distributed Denial of Service) attack on another, big, server like Yahoo or Hotmail. They normally install what is called a rootkit, which gives the hacker a "back door" into the server whenever he wants it.

Attack other servers
This is called a DoS (Denial of Service) attack. One or more servers gang up on another server and overload it with data until it crashes or stops responding. You may remember from the news that Yahoo and Hotmail were attacked in this way not so long ago. Obviously this is illegal and there is serious prison time if the hackers get caught. Why do they do it? Beats me! Probably because they can.

Attack other end-user PCs
Malicious code uploaded onto your website, not by you but by a hacker (illegally and without your permission), can easily be used to attack the PCs of the people visiting your site. Code uploaded to your site that sends out a virus email to thousands of people is yet another of the many ways your website can be used to attack the very people you are trying to encourage to visit it.

WHERE IT STARTS

A customer recently sent us this piece of Perl code (see THE CODE below), which he got off some free site, with the following comment:

"I have got some CGI script from ??????? because of that. You said I should contact you before I implement any such code. Attached is what I have started to look through; let me know if I could carry on with this or if it is a no-no."

Whilst we are pleased the customer had the forethought to check first, we were horrified at what we saw in the code...

THE CODE

#!/usr/bin/perl
if ($ENV{'REQUEST_METHOD'} eq 'POST') {
    # Get the input
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    # Split the name-value pairs
    @pairs = split(/&/, $buffer);
    # Load the FORM variables
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }
    open (MESSAGE,"| /usr/lib/sendmail -t");
    # Format email header information
    print MESSAGE "To: $FORM{submitaddress}\n";
    if ($FORM{email} ne "") {
        print MESSAGE "Reply-To: $FORM{email}\n";
    }
    # Write the actual email message
    print MESSAGE "Subject: Feedback from $FORM{name} at $ENV{'REMOTE_HOST'}\n\n";
    if ($FORM{email} ne "") {
        print MESSAGE "Email: $FORM{email}\n";
    }
    if ($FORM{reply} eq "yes") {
        print MESSAGE "Please reply.\n\n";
    }
    print MESSAGE "What sayeth thou?\n\n";
    print MESSAGE "$FORM{feedback}\n";
    # Thank the user and acknowledge
    # the feedback
    &thank_you;
}

OBSERVATIONS - WHAT'S WRONG WITH THE CODE

This is exactly the kind of poorly written code that unwitting webmasters download and install onto servers, and then end up getting either the whole server or their mail server hijacked. It is one example of hundreds (maybe even thousands) of very poorly written scripts one gets from hundreds of places on the Internet. In less than 5 minutes we were able to isolate several major reasons why this particular piece of code should never be used on any production server.

- Firstly, the TO email address is passed to the script from a "hidden" field in an HTML form on the WWW. A hidden field is not hidden from anyone who can read HTML or craft a POST request, so whoever calls the script chooses where the mail goes: the script is an open mail relay. It also does absolutely no checking of the referring URL or IP, which means it can be called from anywhere; any 12-year-old with some computer savvy could hijack this script and have your site pumping out thousands of spam emails an hour! (Note that a Referer check would only be a speed bump, since that header is supplied by the client and is trivially forged. The real fix is to fix the recipient in the script itself.)

- The $name/$value variables are decoded but never validated, so the script can be sent any characters you, or worse still, the attacker, wants. Those values are printed straight into the message headers, so a value containing a newline ends one header and starts another: an "email" value of "x@example.com%0ABcc: ..." (the script's own decoding turns %0A into a newline) adds recipients of the attacker's choosing, and "sendmail -t", which reads its recipients from the headers, obligingly delivers to every one of them.

- NO validation of any kind is done on the email address. On some versions of sendmail this could cause a lot of problems if the script was being maliciously called.

- NO error trapping is done if sendmail fails to start. There is no "or die" on the open, so if sendmail is missing or refuses to run, the script carries on printing into a dead handle and still thanks the user.

- Sendmail is never explicitly closed. The handle is only closed when the script exits, so sendmail's exit status is never examined, and under a flood of requests (call the script a few thousand times a minute) every request leaves a sendmail process behind until its message has been queued. Ouch!

- Because the handle is never closed, there is no warn (or die) when sendmail fails, meaning there will be no record in the server log for diagnostic purposes if something does go wrong.
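The first two points above, the caller-chosen recipient and the unchecked newlines in header fields, are easiest to see side by side. The following is an added example, not the customer's script or anything from this page: it decodes the form the same way the script above does, shows the three headers the original would hand to "sendmail -t" for a crafted POST body, and then a hardened version that fixes the recipient in the script, rejects CR/LF in header fields, validates the reply address, and checks sendmail's open and close. The %RECIPIENTS table, the "to" token field, the 200-character limit, the address pattern, the example.com/example.net addresses and the two sample bodies are all assumptions constructed for the demonstration; nothing is actually mailed.

```perl
#!/usr/bin/perl
# Added example, not the page's script. Shows the header-injection problem in
# the original and a hardened replacement. Nothing is mailed: both versions
# build the message as a string so this runs offline.
use strict;
use warnings;

# Decode an application/x-www-form-urlencoded body the way the original does.
sub parse_form {
    my ($buffer) = @_;
    my %form;
    for my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;
            s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;   # %0A becomes "\n"
        }
        $form{$name} = $value;
    }
    return \%form;
}

# The original's header construction (reduced to the three headers that
# matter): built straight from the form, so a newline in any field starts
# a new header that "sendmail -t" will honour.
sub build_original_message {
    my ($f) = @_;
    my $msg = "To: $f->{submitaddress}\n";
    $msg .= "Reply-To: $f->{email}\n" if defined $f->{email} && $f->{email} ne '';
    $msg .= "Subject: Feedback from $f->{name}\n\n";
    $msg .= "$f->{feedback}\n";
    return $msg;
}

# Hardened version. Assumptions (not from the page): the form sends a short
# token in "to" that maps to an address fixed here, so the caller never names
# a mailbox; header fields may not contain CR, LF or NUL and are capped at
# 200 characters; the reply address must match a conservative pattern.
my %RECIPIENTS = ( feedback => 'feedback@example.com' );   # assumed config

sub header_safe {
    my ($v) = @_;
    return defined $v && $v !~ /[\r\n\0]/ && length($v) <= 200;
}

sub valid_email {
    my ($e) = @_;
    return $e =~ /^[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;
}

# Returns ($message, undef) on success or (undef, $reason) on rejection.
sub build_hardened_message {
    my ($f) = @_;
    my $to = $RECIPIENTS{ $f->{to} // '' }
        or return (undef, 'unknown recipient token');
    for my $field (qw(name email)) {
        header_safe($f->{$field})
            or return (undef, "missing or bad characters in $field");
    }
    my $email = $f->{email};
    if ($email ne '' && !valid_email($email)) {
        return (undef, 'invalid email address');
    }
    my $msg = "To: $to\n";
    $msg .= "Reply-To: $email\n" if $email ne '';
    $msg .= "Subject: Feedback from $f->{name}\n\n";   # blank line ends the headers
    $msg .= ($f->{feedback} // '') . "\n";            # body text cannot add headers
    return ($msg, undef);
}

# How the hardened script would hand a message to sendmail, with the error
# handling the original lacks. Not called below, so the example stays offline.
sub send_via_sendmail {
    my ($msg) = @_;
    open(my $mail, '|-', '/usr/lib/sendmail', '-t', '-oi')
        or die "cannot start sendmail: $!";
    print {$mail} $msg;
    close($mail) or warn "sendmail exited with status ", $? >> 8, "\n";
    return $? == 0;
}

# Constructed sample bodies, not captured traffic.
my $honest = 'to=feedback&submitaddress=you%40example.com&name=Ann'
           . '&email=ann%40example.org&feedback=Nice+site';
my $attack = 'to=feedback&submitaddress=victim1%40example.net&name=x'
           . '&email=spam%40example.net%0ABcc%3A+victim2%40example.net%2Cvictim3%40example.net'
           . '&feedback=BUY+NOW';

for my $body ($honest, $attack) {
    my $f = parse_form($body);
    print "--- original would pipe to sendmail -t:\n", build_original_message($f);
    my ($msg, $why) = build_hardened_message($f);
    print "--- hardened: ", ($why ? "REJECTED ($why)\n" : "accepted\n$msg"), "\n";
}
```

Run it with no arguments. For the first body both versions produce a normal message; for the second, the original's output contains a Bcc: line that the attacker wrote, while the hardened version rejects the request before anything reaches sendmail. The hardened version ignores submitaddress entirely: the recipient comes from the script, not the form, which is the single change that turns an open relay back into a feedback form.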

AS A WEBMASTER WHAT SHOULD YOU DO

Even if you are an experienced, seasoned desktop programmer, unless you are also an experienced Perl, PHP or Python programmer this probably applies to you too! (The fact is, most programmers are familiar with desktop, PC and client software. Server software, and Internet-facing software especially, is an entirely different animal.)

- Never download software from "hey, check out my cool free software" type sites. You will be buying yourself a whole lot of trouble in most cases.

- Never modify scripts if you are not 100% sure. A customer recently modified a script he bought; he changed 4 lines of code, and in just one of them he made a mistake. Just one line is all it took to get his mail server hijacked!

- Never download and install software you cannot find running on other [reputable] sites somewhere else on the Internet.

- Never use FormMail from Matt's Script Archive. On our servers we will suspend any domain that uses FormMail. See Top ten security attacks in the last quarter of 2002 for more information.

- DO NOT download software from places like CGI Resources, Hot Scripts etc. unless you are sure the author knows what s/he is doing. (We have nothing against these websites. On the contrary, they have many excellent scripts. The problem is that anyone who thinks he's a programmer can write code and submit it to them, and they make no distinction between secure and badly written software.) If you want to find decent software to use on your site, go to places like Perl.com or the Comprehensive Perl Archive Network and look there. Use the sites they recommend to get the software you need. (There is still no guarantee the software you download will be secure, but you stand a far better chance there than at the places where any wannabe can publish code.)

- Always be extra careful of using software that does any of the following. These are not security risks per se, but they are often the crafty hacker's point of entry into a badly written script:
  - executes system commands from within the script,
  - sends email,
  - accesses and manipulates files on the server,
  - receives information from the Internet, e.g. name, email address etc.,
  - deletes files or directories,
  - accesses and manipulates an SQL database.
  There are probably many more, but these are the ones we have found to be most problematic.

- Always check with your server admin before installing software on your site.

- Always check with webmasters more experienced than yourself, if you can, whether a script is safe to use.

- Always search for more information on the background of the author/company of the particular script you intend to install or purchase. Look for review sites that do software and security reviews, especially any that have commented on the security aspects of that software, and stay away from it if there are any negative reports. The search engine is your friend. Use it.

- If you are not an experienced programmer, find someone who is to help you find secure CGI programs for your site. NOTE: Delphi, VB or any flavor of C for desktop PCs doesn't count; experienced means experienced with web servers.
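One practical way to apply the "be extra careful" list above is to look for those constructs before a downloaded script goes anywhere near the server. The following scanner is an added example, not a tool from this page or from any of the archives it names: it runs a handful of patterns for system commands, mail, file access, deletion, form or network input and SQL over a Perl script and reports which lines hit. The patterns, the category labels and the built-in sample (a few lines modeled on the script above, constructed for the demonstration) are assumptions; a hit means "read this line before you install it", not "this is a hole".

```perl
#!/usr/bin/perl
# Added example, not a tool from the page. Flags the risky constructs listed
# above in a Perl script so a reviewer knows where to look first.
# Usage: perl cgi-audit.pl script.cgi [more.cgi ...]
# With no arguments it scans a built-in constructed sample.
use strict;
use warnings;

# Label from the list above => pattern that spots it in Perl source.
# The patterns are deliberately simple and will over-report; that is the point.
my @CHECKS = (
    [ 'executes system commands',
      qr/\b(?:system|exec)\b|`|\bqx\b|\bopen\b[^;]*(?:["']\s*\||\|\s*["'])/ ],
    [ 'sends email',
      qr/sendmail|\bNet::SMTP\b|\bMail::/ ],
    [ 'reads or writes files',
      qr/\bopen\b[^;]*["']\s*[<>+]|\bsysopen\b|\bopendir\b|\brename\b/ ],
    [ 'deletes files or directories',
      qr/\bunlink\b|\brmdir\b|\brmtree\b/ ],
    [ 'reads form or network input',
      qr/\bQUERY_STRING\b|\bCONTENT_LENGTH\b|\bread\s*\(\s*STDIN|\buse\s+CGI\b|\bIO::Socket\b|\bLWP::/ ],
    [ 'uses an SQL database',
      qr/\bDBI\b|\bDBD::|->\s*(?:prepare|do|execute)\s*\(/ ],
);

# Scan one script's text; returns a list of {file, line, label, text} hits.
sub audit_text {
    my ($name, $text) = @_;
    my @hits;
    my $n = 0;
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*#/;          # skip comment-only lines
        for my $check (@CHECKS) {
            my ($label, $re) = @$check;
            push @hits, { file => $name, line => $n, label => $label, text => $line }
                if $line =~ $re;
        }
    }
    return @hits;
}

# Print the hits and return the distinct categories touched.
sub report {
    my @hits = @_;
    my %seen;
    for my $h (@hits) {
        printf "%s:%d: %s\n    %s\n", $h->{file}, $h->{line}, $h->{label}, $h->{text};
        $seen{ $h->{label} }++;
    }
    return sort keys %seen;
}

# Constructed sample, modeled on the script shown above; not real code.
my $SAMPLE = <<'END';
#!/usr/bin/perl
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
open (MESSAGE,"| /usr/lib/sendmail -t");
print MESSAGE "To: $FORM{submitaddress}\n";
open(LOG, ">>/tmp/feedback.log") or die "no log: $!";
unlink("$dir/$FORM{file}");
END

my @targets = map {; [ $_, undef ] } @ARGV;
@targets = ( [ 'sample.cgi', $SAMPLE ] ) unless @targets;

for my $t (@targets) {
    my ($file, $text) = @$t;
    unless (defined $text) {
        open(my $fh, '<', $file) or do { warn "cannot read $file: $!\n"; next };
        local $/;
        $text = <$fh>;
        close $fh;
    }
    my @cats = report(audit_text($file, $text));
    print @cats ? "$file: review carefully, touches: " . join(', ', @cats) . "\n"
                : "$file: none of the listed constructs found\n";
}
```

On the built-in sample it reports five hits on four lines (the sendmail open counts as both a system command and mail) and names five of the six categories. The output is a reading list, not a verdict: every hit is a place where form input may reach something powerful, and those are the lines to trace back to their inputs, exactly as was done for the script above.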

RESOURCES FOR FURTHER STUDY

By no means exhaustive, the following list of sites should give you a bit more insight into the reality and dangers of poorly written CGI programs and scripts:

OUR POLICY - IT'S YOUR RESPONSIBILITY TOO

As with any responsible server administration, we are highly conscious of security issues. As a webmaster you should be just as security-conscious, simply because it makes the Internet a better place for all. Your website is hosted on a server with many other sites, and the negligence of one could seriously impact all of them.

There is no way we (or any other host, for that matter) could wade through hundreds of customer sites and manually check each and every script. That would mean checking thousands (or hundreds of thousands!) of files. It is simply not possible. We depend and rely on our customers to act responsibly and to take reasonable care of the security of their sites. This applies especially to the software installed on them. Having said that, the security of your website is your responsibility; you agreed to that when you signed up. Be careful, be vigilant, be aware.

Always ask if you are not sure. We are here to help :)