#1
12-14-2006, 05:18 AM
vincente13@gmail.com
web application call executable code to serve client req

Hi all.

I would like to know if there is any web application security issue in
doing this.

I have this web application where the web application has an executable
file that will be executed upon client requests through the web and
produce an output for the client.

Would there be any issues?


#2
12-14-2006, 07:04 AM
Todd H.
Re: web application call executable code to serve client req

vincente13@gmail.com writes:

> Hi all.
>
> I would like to know if there is any web application security issue in
> doing this.
>
> I have this web application where the web application has an executable
> file that will be executed upon client requests through the web and
> produce an output for the client.
>
> Would there be any issues?


There certainly could be.

You'll want to scrub the daylights out of any user-supplied
data/arguments being passed to that executable via any form to make
sure you don't allow the "execute this" web request to allow users to
run arbitrary commands on the system.

And if it's taking arguments supplied by the user, you'll also want to
make sure there aren't any buffer overflow vulnerabilities in that
application via the command line arguments.

--
Todd H.
http://www.toddh.net/
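
The two points in the reply above, as an added example that is not part of the original thread: user input is checked against an allow-list with a length bound, then handed to the executable as a separate argv entry with no shell involved. `HELPER` is a hypothetical stand-in for the site's executable, and the sample inputs are constructed.

```python
import re
import subprocess
import sys

# Hypothetical stand-in for the web application's executable (an assumption):
# it prints a line containing its first command-line argument.
HELPER = [sys.executable, "-c", "import sys; print('report for ' + sys.argv[1])"]

# Allow-list: must start alphanumeric (so it can never be parsed as an option),
# then only a small safe alphabet, at most 64 characters in total. The length
# bound limits what reaches the helper's argument handling; it does not fix an
# overflow in the helper itself.
SAFE_ARG = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class RejectedInput(ValueError):
    """Raised when a request parameter fails the allow-list check."""


def validate(value):
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not isinstance(value, str) or not SAFE_ARG.fullmatch(value):
        raise RejectedInput("argument failed allow-list check")
    return value


def run_argv_only(value):
    # An argv list with shell=False: the value reaches the program as one
    # literal argument, so shell metacharacters are never interpreted.
    result = subprocess.run(HELPER + [value], shell=False, capture_output=True,
                            text=True, timeout=5, check=True)
    return result.stdout.strip()


def run_helper(user_value):
    # What the request handler should call: validate first, then execute.
    return run_argv_only(validate(user_value))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, three that must be rejected.
    for sample in ["sales_2006.csv", "a; echo injected", "--config=x", "A" * 5000]:
        try:
            print(repr(sample[:20]), "->", run_helper(sample))
        except RejectedInput as exc:
            print(repr(sample[:20]), "-> rejected:", exc)
```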

#3
12-14-2006, 07:15 AM
vincente13@gmail.com
Re: web application call executable code to serve client req

Todd H. wrote:
> There certainly could be.
>
> You'll want to scrub the daylights out of any user-supplied
> data/arguments being passed to that executable via any form to make
> sure you don't allow the "execute this" web request to allow users to
> run arbitrary commands on the system.
>
> And if it's taking arguments supplied by the user, you'll also want to
> make sure there aren't any buffer overflow vulnerabilities in that
> application via the command line arguments.


Would take note of that, and are there any articles regarding these issues
on the Internet I can refer to?

Appreciate your advice


#4
12-14-2006, 07:54 AM
vincente13@gmail.com
Re: web application call executable code to serve client req

Todd H. wrote:
> Chapters 6, 15 and 21 will be of most
> interest to your work.


Appreciate your help

Thank you


#5
12-14-2006, 08:42 AM
Todd H.
Re: web application call executable code to serve client req

vincente13@gmail.com writes:

> Todd H. wrote:
> > There certainly could be.
> >
> > You'll want to scrub the daylights out of any user-supplied
> > data/arguments being passed to that executable via any form to make
> > sure you don't allow the "execute this" web request to allow users to
> > run arbitrary commands on the system.
> >
> > And if it's taking arguments supplied by the user, you'll also want to
> > make sure there aren't any buffer overflow vulnerabilities in that
> > application via the command line arguments.

>
> Would take note of that, and are there any articles regarding these issues
> on the Internet I can refer to?


Hunt down the OWASP Project and the OWASP guide, open web application
security project.
http://www.owasp.org/index.php/Guide_Table_of_Contents

Chapters 6, 15 and 21 will be of most
interest to your work.


--
Todd H.
http://www.toddh.net/

#6
12-14-2006, 02:58 PM
xpyttl
Re: web application call executable code to serve client req

Isn't this a sort of vanilla cgi?

...

<vincente13@gmail.com> wrote in message
news:1166077125.906003.137340@l12g2000cwl.googlegroups.com...
> Hi all.
>
> I would like to know if there is any web application security issue in
> doing this.
>
> I have this web application where the web application has an executable
> file that will be executed upon client requests through the web and
> produce an output for the client.
>
> Would there be any issues?
>



