Those were the most obvious examples of a CGI vulnerabilities. A lot of other possibilites exist for an attacker, weather it may be a simple directory traversal, command execution to obtaining the proper permissions or privileges to manipulate with the web server.
If you're planning on creating some CGI's of your own, bear in mind these few things: in perl and bash scripts, don't use the 'eval' statement used for creating strings which will be executed, be careful with popen() and system() calls, and turn off the server side includes. Also, don't leave any means for a client to manipulate with input of your scripts, don't rely on the fact that it will escape any special characters for they will be used by an attacker. It would be smart to check the 'suexec' documentation, for apache web server and use it on your server.
If you're interested in tools publicly available for checking CGI vulnerabilities, read on...
And cats have...whiskers!
A great and effective CGI scanner is Rain Forrest Puppy's Whisker. You can obtain Whisker here.. Download it and use it. It's a perl script, so you have nothing left to do but run it, so:
perl whisker.pl -i -v -h hostname -l filename
and the filename you provided should resemble something like this. Mind you, these whiskers can smell a lot of things, and if you invoke it without any switches and addresses, ie perl whisker.pl you will get a full list of options. As you can see from the output, it's pretty much clear situation. Of course, output may vary, from host to host, accordingly. So, try it, and see for yourself.
By using a cgi scanner you can safely find out by yourself for any insecure CGI's on your system. And, surely you want to do that, you don't want to leave anybody any options for manipulating with your system. You can use any other CGI scanner, it should work just fine. Most of them have plugins of some kind to keep them up-to-date with vulnerabilities.
And thus cameth the conclusion
CGI vulnerabilities exist, and new ones are being found on a daily basis. And, of course, they will be exploited for this or that purpose. Unfortunately, if you have to use them, you can only hope that a patch exists or will be soon put out. Alternative, if you're into programming, you can try to fix them yourself.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.