Bad boy builds beastly Bash bug botnet, boxen battered

thames

CGI - The New Java/Flash

I think that CGI is going to be the "new Java", or the "new Flash" in that people will now be probing CGI for new and wonderful vulnerabilities in old systems and finding them. The whole idea behind classic CGI was pretty hackish to begin with, and there are no doubt a lot of nooks and crannies to find vulnerabilities in.

I'm not convinced that this specific exploit is going to be the apocalypse that some media are making it out to be. However, trying to patch each CGI related problem as you find it would be an endless game. Using a shell like this is like giving a power drill to a 6-year-old to play with and hoping that he's careful with it.

What would be nice for those people who are still running old CGI applications and who don't want to have to re-write them would be some sort of sanitization layer between the web server and the CGI script that takes the place of the shell while providing only the minimal functionality needed by the CGI script. If that layer is very restricted in what it can do, that would limit the number of things an attacker can try to exploit. Perhaps there is already something out there that does this, because it would seem to be a pretty logical thing to have.
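Picking up the sanitization-layer idea in the post above, here is an added example (mine, not from the commenter or from The Register): a small Python launcher that sits between the web server and a legacy CGI script, passes through only an allowlisted set of CGI variables, rejects any value that looks like a Bash function definition (the mechanism behind the Bash bug in the article), and starts the script directly rather than via a shell. The allowlist, the fixed PATH and the sample request environment are assumptions.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Assumed allowlist of CGI/1.1 variables a typical legacy script needs;
# extend per application. Anything else the web server sets is dropped,
# so variables such as LD_PRELOAD never reach the script.
CGI_ALLOWLIST = {
    "GATEWAY_INTERFACE", "REQUEST_METHOD", "SCRIPT_NAME", "PATH_INFO",
    "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH", "SERVER_NAME",
    "SERVER_PORT", "SERVER_PROTOCOL", "REMOTE_ADDR", "HTTP_HOST",
    "HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_COOKIE", "HTTP_REFERER",
}

# Vulnerable bash imported a function from any variable whose value began
# with "() {" and kept parsing past the closing brace. Conservative match.
FUNCTION_IMPORT = re.compile(r"^\s*\(\)\s*\{")

def sanitize_cgi_env(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (clean_env, rejected_names). A variable is rejected when it is
    not on the allowlist or when its value looks like a function definition."""
    clean: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in env.items():
        if name not in CGI_ALLOWLIST or FUNCTION_IMPORT.match(value):
            rejected.append(name)
        else:
            clean[name] = value
    clean["PATH"] = "/usr/bin:/bin"  # assumed fixed, trusted PATH for the script
    return clean, sorted(rejected)

def run_cgi(script: str, env: Dict[str, str], stdin: bytes = b"") -> subprocess.CompletedProcess:
    """Launch the CGI script with only the sanitized environment and no shell."""
    clean, rejected = sanitize_cgi_env(env)
    for name in rejected:
        # A rejected header is also a detection signal worth logging.
        print(f"cgi-layer: dropped variable {name!r}", flush=True)
    return subprocess.run([script], env=clean, input=stdin,
                          capture_output=True, check=False)

if __name__ == "__main__":
    # Constructed request environment with a hostile User-Agent header.
    sample = {"REQUEST_METHOD": "GET", "QUERY_STRING": "a=1",
              "HTTP_USER_AGENT": "() { :; }; echo test", "LD_PRELOAD": "/tmp/x.so"}
    print(sanitize_cgi_env(sample))
```

If the CGI script is itself a Bash script, Bash still runs, so it is the variable filter rather than the absence of an intermediate shell that protects it here; patching Bash remains the real fix.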
