Spud2004
Joined: 12 Sep 2004 Posts: 30
Posted: Mon Sep 12, 2022 4:03 am Post subject: /cgi-bin/protected and /cgi-bin
Protected: /cgi-bin/protect in access control deny/allow
Unprotect: /cgi-bin nothing in access control
Is this the correct way to have a protected and unprotected cgi-bin folder?
This code allows displaying SQL recordsets or downloading files into a string from a protected page.
It allows secure, user/password-protected return of data from CGI programs!
PowerBASIC source code:
Code:
    #DIM ALL
    #INCLUDE "httprequest.inc"

    FUNCTION PBMAIN()
        LOCAL sURL, sUserName, sPassword, sDataReturned, sStatus AS STRING
        sURL = "https://yoursite.com/cgi-bin/myprogram.exe?select * from parts"
        sUserName = "me"
        sPassword = "me"
        sStatus = DownloadTest(sURL, sUserName, sPassword, sDataReturned)
        IF sStatus = "OK" THEN
            ? USING$("Downloaded #, bytes", LEN(sDataReturned)),, sStatus
            ? sDataReturned
        ELSE
            ? sStatus, %MB_ICONERROR OR %MB_SYSTEMMODAL, "Download failed"
        END IF
    END FUNCTION

    ' Fetch sURL with server credentials; on success the response body is
    ' returned in sDataReturned and the function returns the HTTP status text.
    FUNCTION DownloadTest(sURL AS STRING, _
                          sUserName AS STRING, _
                          sPassword AS STRING, _
                          sDataReturned AS STRING) AS STRING
        RESET sDataReturned
        DIM pHttpReq AS IWinHttpRequest
        pHttpReq = NEWCOM "WinHttp.WinHttpRequest.5.1"
        IF ISNOTHING(pHttpReq) THEN
            ? "WinHttpRequest.5.1 failure", %MB_ICONERROR OR %MB_SYSTEMMODAL, FUNCNAME$
            EXIT FUNCTION
        END IF
        pHttpReq.Open "GET", sURL, 0            ' 0 = synchronous request
        pHttpReq.SetCredentials sUserName, sPassword, %HTTPREQUEST_SETCREDENTIALS_FOR_SERVER
        pHttpReq.Send
        IF pHttpReq.StatusText <> "OK" THEN
            IF pHttpReq.StatusText = "" THEN
                FUNCTION = "No send response"
            ELSE
                FUNCTION = pHttpReq.StatusText
            END IF
        ELSE                                    ' success
            sDataReturned = pHttpReq.ResponseText
            FUNCTION = pHttpReq.StatusText
        END IF
        pHttpReq = NOTHING
    END FUNCTION
Horizon
Joined: 18 Feb 2022 Posts: 54
Posted: Mon Sep 12, 2022 1:14 pm Post subject:

Hello, the exact explanation for the Allow/Deny ordering is:
Quote:
    Order: The order that the server follows to check if access is granted to a
    client based on its IP address. If it is set to Allow/Deny, access is denied by
    default and is allowed only if the IP address is in the Allow for list and is
    not in the Deny for list. If it is set to Deny/Allow, access is allowed by
    default and is denied only if the IP address is in the Deny for list and is not
    in the Allow for list.
So what you want is to allow /cgi-bin but not a protected directory inside it.
Then you will need to use Deny/Allow.
That means you can access anything within /cgi-bin unless it's in the Deny list.
This way you put /cgi-bin in Allow and /cgi-bin/protect in Deny.
However, your CGI PowerBasic code looks risky to me.
You use a literal arbitrary string that gets executed as a command against your database.
This could enable malicious links with intentionally malformed queries to corrupt your DB.
You want to let users download a specific recordset, so you should 'shim' a new API and hide the SQL queries behind it:
Hardcode a list of keywords in a conditional table such as a Select statement.
Then if the keyword is like:
https://your-website/cgi-bin/get-records-set.exe?id=parts
Then you yourself run the appropriate query statement against your database.
This way you don't give any chance for attackers to give trick query strings to your server.
So I mean that you need not execute anything the visitor gives you, even if authenticated.
For downloading big files, you might want to create a restricted directory and then implement X-Sendfile.
Basically you create a restricted folder to put downloadable files inside, and you deny remote access to it.
When authorized users want to download, in your CGI program you will be able to simply return the X-Sendfile header with the literal real path to the requested file.
Then Abyss itself will terminate the CGI script and start returning the file to the visitor.
You can do any checks you want first, then start returning X-Sendfile headers only when authorized.
Abyss only takes over the CGI session when it intercepts this header while X-Sendfile support is enabled.
For big files, it's worth thinking about, I think.
Spud2004
Joined: 12 Sep 2004 Posts: 30
Posted: Mon Sep 12, 2022 2:59 pm Post subject:

1) /cgi-bin/protected is correct. Great.
2) Return headers to let Abyss do the download will be implemented.
Does referencing keywords to only allow certain SQL actions have a name?
I can do it, but would like to do it the correct, proven way.
I have decided to not allow any remote SQL statement access.
Many topics at this link:
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
...
Horizon
Joined: 18 Feb 2022 Posts: 54
Posted: Mon Sep 12, 2022 5:03 pm Post subject:

The name of the method I mentioned is 'Allow-list Input Validation'.
Perhaps my mentioned method isn't correct if you hardcode the list of allowed keywords in every check of your code.
You will probably then want to use a general include file where you define a constant Array of keywords and their corresponding SQL statements.
Like this:
    - Item 1: [0][0]: "parts"    | [0][1]: "select * from parts;"
    - Item 2: [1][0]: "payments" | [1][1]: "select * from payments;"
This way you still only allow trusted keywords but you just have to maintain the allowed keywords in one place instead of many places across your program code.
You could do something like:
Code:
    Const Array ALLOWED_QUERIES = [ ["parts", "select * from parts;"], ["payments", "select * from payments;"] ]
Then you can simply try to find the visitor's keyword in the Array, and if not found you can deny processing it.
The link you shared is also a nice one, I will keep reading it.
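The two ideas Horizon describes above (a single allow-list mapping keywords to fixed SQL statements instead of executing visitor-supplied SQL, and answering file requests with an X-Sendfile header pointing at a file inside a remote-access-denied directory) can be put together in one small CGI dispatcher. The following Python is an added example written for this thread; it is not code from the forum posters, from Abyss, or from PowerBASIC. The query table, the DOWNLOAD_ROOT path, the parameter names `id` and `file`, the fake database and the response shape are all assumptions made for the example; the `Status:` and `X-Sendfile:` header names follow the CGI convention and Horizon's description respectively.

```python
"""Allow-list CGI dispatcher: keyword -> fixed SQL, and X-Sendfile for downloads.
Added example for this thread; names and paths below are assumptions."""
import os
from urllib.parse import parse_qs

# Allow-list in one place, as Horizon suggests. The visitor's string is only
# ever used as a lookup key; it never becomes part of an SQL statement.
ALLOWED_QUERIES = {
    "parts": "select * from parts;",
    "payments": "select * from payments;",
}

# Assumed restricted directory that the web server denies remote access to.
DOWNLOAD_ROOT = "/srv/restricted"

# Constructed stand-in for a database, keyed by the exact allow-listed SQL.
FAKE_DB = {
    "select * from parts;": ["1,widget", "2,gadget"],
    "select * from payments;": ["1,19.99", "2,5.00"],
}


def fake_run_query(sql):
    """Constructed query runner; a real program would call its DB driver here."""
    return FAKE_DB[sql]


def lookup_query(keyword):
    """Return the hardcoded SQL for an allow-listed keyword, else None."""
    return ALLOWED_QUERIES.get(keyword)


def safe_download_path(name):
    """Map a bare file name onto DOWNLOAD_ROOT; reject anything that is not a
    plain name or that would resolve outside the restricted directory."""
    if not name or name in (".", "..") or os.path.basename(name) != name:
        return None
    root = os.path.realpath(DOWNLOAD_ROOT)
    full = os.path.realpath(os.path.join(root, name))
    if full == root or os.path.commonpath([full, root]) != root:
        return None
    return full


def build_response(query_string, run_query=fake_run_query):
    """Dispatch a CGI QUERY_STRING. Returns (status, headers, body)."""
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    text = {"Content-Type": "text/plain"}

    if "id" in params:
        sql = lookup_query(params["id"])
        if sql is None:
            # Unknown keyword: nothing is executed, the request is refused.
            return "403 Forbidden", text, "unknown record set\n"
        rows = run_query(sql)
        return "200 OK", text, "\n".join(rows) + "\n"

    if "file" in params:
        path = safe_download_path(params["file"])
        if path is None:
            return "403 Forbidden", text, "file not available\n"
        # Only the header is sent; the server serves the file itself.
        return "200 OK", {"X-Sendfile": path}, ""

    return "400 Bad Request", text, "missing id or file parameter\n"


def render_cgi(status, headers, body):
    """Serialise the response in CGI form (Status line, headers, blank line, body)."""
    lines = ["Status: " + status]
    lines += ["%s: %s" % (k, v) for k, v in headers.items()]
    return "\r\n".join(lines + ["", body])


if __name__ == "__main__":
    # A real CGI program would read os.environ["QUERY_STRING"] instead.
    for qs in ("id=parts", "id=parts%3B%20drop%20table%20parts", "file=report.pdf", "file=../etc/passwd"):
        print(render_cgi(*build_response(qs)))
```

Because the only thing the visitor controls is a dictionary key, a request such as `id=parts;%20drop%20table%20parts` simply fails the lookup and gets a 403 without any SQL being run; likewise a `file=` value containing a path separator or `..` never reaches the X-Sendfile header.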