Most Internet servers sit behind firewalls and use detection scripts to send alerts when break-ins are attempted. Some system administrators even run software to detect portscanners and denial-of-service attempts. However, many system administrators still overlook security problems in CGI scripts and web applications.
As demonstrated by recent security alerts, improperly written CGI scripts and web applications can let crackers read system files, obtain passwords, crash the server or worse. A system may be firewalled and hardened against remote logins, FTP access and denial-of-service attacks, yet have many well-known holes in the server’s web applications and CGI scripts.
Trapping 404 errors:
One method we have used to detect CGI script abuse is to redirect all “404 Not Found” responses from the web server to a script that examines the request for suspicious activity. Both Apache and iPlanet/Netscape web servers allow customized error messages: in response to any of the standard HTTP request errors, the server can either output a custom HTML file or execute a script. Since a properly secured web server will not contain any of the well-known CGI vulnerabilities, any attempt by an outsider to look for them results in a 404 Not Found response.
Apache comes with an example script, “phf_abuse_log.cgi”, that you can use to log attempts to access phf. This concept can be expanded to look for any suspicious URL request (such as any request containing “/etc/passwd” on a Unix server) each time a 404 error is raised in the CGI-BIN directory. Instead of simply writing the activity to a file, it would be better to immediately e-mail the system administrator or trigger the server’s monitoring software.
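One way to write such a 404 handler, as an added example (not from the original article and not Apache's phf_abuse_log.cgi). It assumes Apache's `REDIRECT_URL` and `REDIRECT_QUERY_STRING` variables are passed to the error script, a local mail relay, and a hypothetical `ADMIN` address; the traversal signature goes beyond the two cases the text names.

```python
#!/usr/bin/env python3
import os
import re
import smtplib
from email.message import EmailMessage
from urllib.parse import unquote

ADMIN = "root@localhost"  # assumption: alert recipient, reached via a local MTA
# Sample signatures: "/etc/passwd" and phf come from the text, traversal is an assumption.
SIGNATURES = {
    "system file": re.compile(r"/etc/(passwd|shadow)", re.I),
    "phf probe": re.compile(r"/cgi-bin/phf\b", re.I),
    "path traversal": re.compile(r"\.\./"),
}

def normalize(raw):
    """Percent-decode twice (catches double encoding) and make control chars visible."""
    text = unquote(unquote(raw))
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), text)

def classify(url, query=""):
    """Return the sorted names of every signature the request matches."""
    request = normalize(url + ("?" + query if query else ""))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(request))

def build_alert(env):
    """Build an alert message from the CGI environment, or None for an ordinary 404."""
    url = env.get("REDIRECT_URL", "")
    query = env.get("REDIRECT_QUERY_STRING", "")
    hits = classify(url, query)
    if not hits:
        return None
    msg = EmailMessage()
    msg["To"], msg["From"] = ADMIN, ADMIN
    msg["Subject"] = "Suspicious 404: " + ", ".join(hits)
    msg.set_content("client: %s\nrequest: %s?%s\n" % (
        normalize(env.get("REMOTE_ADDR", "?")), normalize(url), normalize(query)))
    return msg

if __name__ == "__main__":
    alert = build_alert(os.environ)
    if alert is not None:
        try:
            with smtplib.SMTP("localhost") as smtp:
                smtp.send_message(alert)
        except OSError:
            pass  # a mail failure must not break the error page
    print("Status: 404 Not Found\nContent-Type: text/html\n\n<h1>404 Not Found</h1>")
```

Decoding before matching matters because the same path can arrive percent-encoded, and escaping control characters keeps a crafted request from injecting lines into the alert.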