by Joe Lima
Feedback
|
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days):
54507/
101
|
|
|
|
| Unsanitary Inputs |
Many platform-specific exploits use complex URL strings to gain access to a shell or CGI program, from which a hacker can easily get a directory listing revealing the OS’ default file structure. Once a shell or CGI program is hijacked and the file system revealed, the door is wide open. The best defense against this trial-and-error exploit is a user-input filter or "sanitizer" that removes unacceptable characters (such as meta-characters and their various possible encodings) from user-supplied data. For IIS, the current standard is IISLockDown/URLScan. A new generation of application firewalls extend this protection to the application layer behind the Web server. In the Apache world, user input sanitizing is traditionally the responsibility of CGI authors. Here is the classic CERT article on the topic, with examples in Perl and C. If you are setting up a new box, consider changing the default file structure as well. Input sanitizing and rearranged file structures do double duty -- helping to disguise the box and neutralize common exploits simultaneously. |
|
|
|
User Comments
No comments posted yet.
|
Product Spotlight
|
|
|
