From APACHE 2.2 Site for UNIX Security Technical Implementation Guide
Part of WG460
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. This is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation.
When a PERL script is invoked for execution on a UNIX server, the method which invokes the script must utilize the TAINT option. The server’s interpreter examines the first line of the script. Typically, the first line of the script contains a reference to the script’s language and processing options. The first line of a PERL script will be as follows: #!/usr/local/bin/perl –T The –T at the end of the line referenced above, tells the UNIX server to execute a PERL script using the TAINT option. Perform the following steps: 1) grep perl httpd.conf |grep -v '#' You should also check /apache/sysconfig.d/loadmodule.conf for PERL. NOTE: The name of the loadmodule.conf may vary by installation. If Apache doesn't have the mod_perl module loaded and it doesn't use PERL, this check is Not Applicable. 2) grep -i 'PerlTaintCheck' httpd.conf If 'PerlTaintCheck on' is set, this is not a finding, and the check can stop here. NOTE: If the PerlTaintCheck is a part of an included config file, this meets the requirement. 3) Check each individual PERL script. From the ServerRoot directory: find . -name '*.pl' From the DocumentRoot directory: find . -name '*.pl' Examine the beginning of every PERL script for the -T option. If the -T option is not specified in any PERL script, this is a finding. NOTE: This only applies to PERL scripts that are used by the web server. NOTE: If the mod_perl module is installed and the directive “PerlTaintCheck on” in the httpd.conf is used, this satisfies the requirement.
Add the TAINT call to the PERL script. #!/usr/local/bin/perl –T
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer