/cgi-bin/protected and /cgi-bin

Spud2004
Joined: 12 Sep 2004
Posts: 29

PostPosted: Mon Sep 12, 2022 4:03 am    Post subject: /cgi-bin/protected and /cgi-bin Reply with quote

Protected: /cgi-bin/protect in access control deny/allow
Unprotect: /cgi-bin nothing in access control
Is this the correct way to have a protected and unprotected cgi-bin folder?

This code allows displaying SQL recordsets or downloading files into a string from a protected page.
It allows secure user/password protected returning of data from cgi programs!
PowerBASIC source code:
Code:

#DIM ALL
#INCLUDE "httprequest.inc"

FUNCTION PBMAIN()
 LOCAL sURL,sUserName,sPassword,sDataReturned,sStatus AS STRING
 sURL      = "https://yoursite.com/cgi-bin/myprogram.exe?select * from parts"
 sUserName = "me"
 sPassword = "me"
 sStatus = DownloadTest(sURL,sUserName,sPassword,sDataReturned)
 IF sStatus = "OK" THEN
   ? USING$("Downloaded #, bytes",LEN(sDataReturned)),,sStatus
   ? sDataReturned
 ELSE
   ? sStatus,%MB_ICONERROR OR %MB_SYSTEMMODAL,"Download failed"
 END IF
END FUNCTION

FUNCTION DownloadTest(sURL   AS STRING,_
              sUserName      AS STRING,_
              sPassword      AS STRING,_
              sDataReturned  AS STRING) AS STRING
 RESET sDataReturned
 DIM pHttpReq AS IWinHttpRequest
 pHttpReq = NEWCOM "WinHttp.WinHttpRequest.5.1"
 IF ISNOTHING(pHttpReq) THEN
  ? "WinHttpRequest.5.1 failure",%MB_ICONERROR OR %MB_SYSTEMMODAL,FUNCNAME$
  EXIT FUNCTION
 END IF
 pHttpReq.Open "GET", sURL, 0
 pHttpReq.SetCredentials sUserName, sPassword, %HTTPREQUEST_SETCREDENTIALS_FOR_SERVER
 pHttpReq.Send
 IF pHttpReq.StatusText <> "OK" THEN
  IF pHttpReq.StatusText = "" THEN
    FUNCTION = "No send response"
  ELSE
    FUNCTION = pHttpReq.StatusText
  END IF
 ELSE  'success
  sDataReturned = pHttpReq.ResponseText
  FUNCTION = pHttpReq.StatusText
 END IF
 pHttpReq = NOTHING
END FUNCTION
Horizon
Joined: 18 Feb 2022
Posts: 54

PostPosted: Mon Sep 12, 2022 1:14 pm    Post subject: Reply with quote

Hello,
the exact explanation for the Allow/Deny ordering is:
Quote:
Order: The order that the server follows to check if access is granted to a
client based on its IP address. If it is set to Allow/Deny, access is denied by
default and is allowed only if the IP address is in the Allow for list and is
not in the Deny for list. If it is set to Deny/Allow, access is allowed by
default and is denied only if the IP address is in the Deny for list and is not
in the Allow for list.

So what you want is to allow /cgi-bin but not to a protected directory inside of it.

Then you will need to use Deny/Allow.
That means you can access anything within /cgi-bin unless it's in the Deny list.

This way you put /cgi-bin in Allow and /cgi-bin/protect in Deny.

However your CGI PowerBasic code looks risky to me.
You use a literal arbitrary string that gets executed as a command against your database.

This could enable malicious links with intentionally malformed queries to corrupt your DB.

You want to let users download a specific recordset, so you should 'shim' a new API and hide the SQL queries behind it:

Hardcode a list of keywords in a conditional table such as a Select statement.

Then if the keyword is like:
https://your-website/cgi-bin/get-records-set.exe?id=parts

Then you yourself manually run the appropriate query statement against your database.

This way you don't give any chance for attackers to give trick query strings to your server.

So I mean that you need not execute anything the visitor gives you, even if authenticated.

For downloading big files, you might want to create a restricted directory then implement X-Sendfile.

Basically you create a restricted folder to put downloadable files inside, and you deny remote access to it.

When authorized users want to download, in your CGI program you will be able to simply return the X-Sendfile header with the literal real path to the requested file.

Then Abyss itself will terminate the CGI script and start returning the file to the visitor.

You can do any checks you want first, then start returning X-Sendfile headers only when authorized.

Abyss only takes over the CGI session when it intercepts this header while X-Sendfile support is enabled.

For big files, it's worth thinking about it I think.
Spud2004
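The X-Sendfile hand-off described in the post above, as an added example that is not from the forum or from Abyss itself: a small Python CGI script that decides on its own whether the caller may have the file and only then emits the header. The protected directory, the grant table and the exact header form (`X-Sendfile:` followed by the real path and a blank line) are assumptions for the illustration.

```python
# Added example (not from the forum post): a CGI handler that lets the web
# server stream a file via X-Sendfile only after an authorization check.
# PROTECTED_DIR, GRANTS and the header layout are assumptions.
import os
import sys
from urllib.parse import parse_qs

# Directory denied to remote clients in the server's access control but
# readable by the CGI program (assumed location).
PROTECTED_DIR = "/var/www/protected"

# Which authenticated user may fetch which file (constructed sample data).
GRANTS = {"me": {"report.pdf", "parts.csv"}}

def resolve_download(remote_user, query_string):
    """Return the real path to hand to X-Sendfile, or None if not authorized.

    remote_user must come from the server's own authentication (REMOTE_USER),
    never from the query string. The requested name is looked up in the grant
    table as an exact string, so no path fragment from the request is ever
    joined to the directory.
    """
    names = parse_qs(query_string).get("file", [])
    if remote_user is None or len(names) != 1:   # missing/repeated parameter
        return None
    name = names[0]
    if name not in GRANTS.get(remote_user, set()):
        return None
    return os.path.join(PROTECTED_DIR, name)

def build_response(environ):
    """Produce the CGI header block: X-Sendfile on success, 403 otherwise."""
    path = resolve_download(environ.get("REMOTE_USER"),
                            environ.get("QUERY_STRING", ""))
    if path is None:
        return ("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                "Not authorized\r\n")
    # The server takes over here and streams the file itself, provided
    # X-Sendfile support is enabled for this CGI program.
    return f"X-Sendfile: {path}\r\n\r\n"

if __name__ == "__main__":
    sys.stdout.write(build_response(os.environ))
```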
Joined: 12 Sep 2004
Posts: 29

PostPosted: Mon Sep 12, 2022 2:59 pm    Post subject: Reply with quote

1) /cgi-bin/protected is correct. Great.
2) Return headers to let Abyss do the download will be implemented.

Does referencing keywords to only allow certain SQL actions have a name?
I can do it, but would like to do it the correct proven way.

I have decided to not allow any remote SQL statement access.

Many topics at this link:
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html


...
Horizon
Joined: 18 Feb 2022
Posts: 54

PostPosted: Mon Sep 12, 2022 5:03 pm    Post subject: Reply with quote

The name of the method I mentioned is 'Allow-list Input Validation'.

Perhaps my mentioned method isn't correct if you hardcode the list of allowed keywords in every check of your code.

You will probably then want to use a general include file where you define a constant Array of keywords and their corresponding SQL statements.

Like this:

- Item 1:
[0][0]: "parts" | [0][1]: " select * from parts;"

- Item 2:
[1][0]: "payments" | [1][1]: "select * from payments;"

This way you still only allow trusted keywords but you just have to maintain the allowed keywords in one place instead of many places across your program code.

You could do something like:
Code:
Const Array ALLOWED_QUERIES = [ ["parts", "select * from parts;"], ["payments", "select * from payments;"] ]

Then you can simply try to find the visitor's keyword in the Array, and if not found you can deny processing it.

The link you shared is also a nice one, I will keep reading it.
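The allow-list lookup Horizon describes in both replies (a keyword in the request, the fixed SQL kept in one table, anything else refused), as an added example that is not from the forum: Python and sqlite3 stand in for PowerBASIC and the poster's database, and the table contents are constructed.

```python
# Added example (not from the forum post): allow-list input validation for a
# "get-records-set" CGI endpoint. The visitor supplies only a keyword; the SQL
# lives server-side and is never built from request text. sqlite3 and the
# sample tables are assumptions standing in for the poster's setup.
import sqlite3
from urllib.parse import parse_qs

# The one place where allowed keywords and their fixed statements live
# (the "include file" with the constant array from the post).
ALLOWED_QUERIES = {
    "parts": "SELECT * FROM parts;",
    "payments": "SELECT * FROM payments;",
}

def select_query(query_string):
    """Map the 'id' parameter of a CGI query string to a canned SQL statement.

    Returns the SQL text, or None when the keyword is not on the allow-list.
    Matching is an exact dictionary lookup: no case folding, no prefixes, and
    a missing or repeated parameter is refused rather than guessed at.
    """
    ids = parse_qs(query_string, keep_blank_values=True).get("id", [])
    if len(ids) != 1:
        return None
    return ALLOWED_QUERIES.get(ids[0])

def fetch_records(conn, query_string):
    """Run the allow-listed query for this request; refuse anything else."""
    sql = select_query(query_string)
    if sql is None:
        raise PermissionError("keyword not on the allow-list")
    return conn.execute(sql).fetchall()

def demo_db():
    """Constructed in-memory sample database for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE payments (id INTEGER, amount REAL)")
    conn.executemany("INSERT INTO parts VALUES (?, ?)", [(1, "bolt"), (2, "nut")])
    conn.execute("INSERT INTO payments VALUES (1, 9.5)")
    conn.commit()
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(fetch_records(db, "id=parts"))
    for bad in ("id=parts+OR+1%3D1", "id=PARTS", "id=parts&id=payments", ""):
        try:
            fetch_records(db, bad)
        except PermissionError as err:
            print(f"rejected {bad!r}: {err}")
```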