Cgi Scripting - Things to consider to avoid any security loophole

Question

I have a cgi-script which will call a shell script. The shell script will execute a database query and stores the result of that query in a file on my server.

The cgi-script takes DATABASE_NAME, HOST_IP and QUERY as input and then pass it to shell script.

Now I am very much concerned about the security loopholes it will create.

One check which I am doing is that I am parsing the query to ensure that only SELECT statement are passed. If any INSERT/UPDATE type of query is passed, shell script willnot be executed.

Can you please point out some other ways in which such CGI script can be exploited, so that I will take care of them.

My server is running as userA(which have sudo permissions) and the query inside the shell script will be executed as userB(which is dbadmin user).

The command in shell script looks which executes query looks something like this:

sudo su -c "query" userB

The DATABASE_NAME and HOST_IP is also passed within query.

Answer 1

I hope that you've authenticated the user in some way and are using HTTPS to prevent man in the middle attacks or sniffing of authentication information and CGI parameters.

Be sure that you parse properly. You need to check for multi-statement queries.

Also, you may wish to consider DOS attacks, as it is very easy to write SELECT queries that will take a long time to return and use a lot of resources.

Also, whitelist the allowed host IP addresses, otherwise, I can very easily gain your username and password by having it hit my server.

Also, whitelist the allowed databases to prevent reading from system tables.