Re: CGI with GD graph, and displaying graphs



On 8/29/06, Patrick Rice <patrick.j.rice@xxxxxxxxx> wrote:

> When I do this, I get a 500 internal error and I've traced this down to
> a permissions problem, as the apache user doesn't have the permissions
> to write the pics in the /var/www/html file.

Which is as it should be, I would imagine.

For security purposes, I generally see three categories of files the
webserver can access:

* servable files - like web pages and images (serve, never run, never write)
* programs - executable code (run, never serve, never write)
* data files - (read and write, never serve, never run)

If you keep these organized by directories, the server has an easy
time enforcing the security rules. If it's somebody else's webserver,
they probably use roughly the same security categories.

Even though the server won't directly serve the data files, you can
easily make a CGI program that does little more than read and output
the requested file. The PATH_INFO can be quite useful here, but use
caution not to trust it without checking, because it's supplied by the
user. But this URL could lead your program to serve the data file
found in (some directory) maps/portugal/2006.png:

http://www.example.com/cgi-bin/virtual.pl/maps/portugal/2006.png

That CGI program is not the only solution. You could add a fourth
category, for example:

* servable data files - (read, write, or serve, never run)

You could use Apache's Alias directive to set this up, something like this:

Alias /servdata /home/fred/webdata

Now, when the server gets a request like this:

http://www.example.com/servdata/maps/portugal/2006.png

It knows which file to serve:

/home/fred/webdata/maps/portugal/2006.png

If you choose this route, there are some additional security issues.
For example, if it were my Apache webserver, I'd configure it to
ignore (or at least restrict) any .htaccess files found in the
server-writable directories. And I'd probably not allow browsing in
these directories, either.

But I'd probably choose the CGI program, since it's simple to secure
and not likely to be a significant amount of overhead.

Hope this helps!

--Tom Phoenix
Stonehenge Perl Training
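An added sketch of the virtual.pl program described in the reply (my own example, not Tom's code): it serves a file from a data directory outside the document root, named by PATH_INFO, after checking every path component. It assumes the data directory is /home/fred/webdata from the Alias example, and that a request like /cgi-bin/virtual.pl/maps/portugal/2006.png should map to /home/fred/webdata/maps/portugal/2006.png.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Data directory kept outside DocumentRoot (assumed path, from the Alias example).
my $DATA_ROOT = '/home/fred/webdata';

# Only these extensions are ever served; anything else is refused.
my %TYPES = (png => 'image/png', gif => 'image/gif',
             jpg => 'image/jpeg', txt => 'text/plain');

sub deny {
    my ($status, $msg) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 0;
}

# PATH_INFO is user-supplied: allow-list each component and reject
# NUL bytes, empty paths and anything starting with '.', which
# rules out '..' traversal and dotfiles in one check.
sub clean_path {
    my ($path_info) = @_;
    return unless defined $path_info && length $path_info;
    return if $path_info =~ /\0/;
    my @parts = grep { length } split m{/}, $path_info;
    return unless @parts;
    for (@parts) {
        return unless /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    }
    return join '/', @parts;
}

my $rel = clean_path($ENV{PATH_INFO}) or deny(400, 'Bad path');
my ($ext) = $rel =~ /\.([A-Za-z0-9]+)\z/;
my $type = $TYPES{ lc($ext // '') } or deny(403, 'Type not permitted');

my $file = "$DATA_ROOT/$rel";
# Refuse symlinks so a link dropped in the writable directory cannot
# point outside it, and serve regular readable files only.
deny(404, 'Not found') if -l $file || !(-f $file) || !(-r _);

open my $fh, '<:raw', $file or deny(404, 'Not found');
binmode STDOUT;
print "Content-Type: $type\r\nContent-Length: ", -s $fh, "\r\n\r\n";
local $/ = \65536;                # stream in 64 KiB chunks
print while <$fh>;
close $fh;
```

Because the allow-list rejects any component beginning with a dot, a request such as /cgi-bin/virtual.pl/../../etc/passwd is answered with 400 before the filesystem is touched.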