Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2272 | WG460 | SV-2272r4_rule | ECSC-1 | Medium |
Description |
---|
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. This is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation. Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message. It is vital that if PERL is being used, the following line appear in the first line of PERL scripts: #!/usr/local/bin/perl –T |
STIG | Date |
---|---|
Web Server STIG | 2010-10-07 |
Check Text ( C-29983r1_chk ) |
---|
CGI scripts running on non-UNIX servers typically do not recognize #!/usr/local/bin/perl on the first line of the script. Instead, the web server must be configured to use the TAINT option. For IIS, PERL scripts should run with “taint mode on”. This can be accomplished by creating a second extension under Windows such as .tcgi or .tgi and associate the new extension with the TAINT mode. Then, rename the scripts using the new extension to activate the TAINT mode. For example: .tcgi ? C:\perl\bin\perl.exe -T %s %s If the server is using PERL and scripts do not include a call to the TAINT option, this is a finding. NOTE: This only applies to PERL scripts that are used by the web server. NOTE: Excepting IIS, if the mod_perl module is installed and the directive “PerlTaintCheck on” in the httpd.conf is used, this satisfies the requirement. |
Fix Text (F-26840r1_fix) |
---|
PERL scripts will include a call to the TAINT option. |