I need to pass the content of the textbox into a variable, i.e. whatever is typed in the textbox of the HTML page needs to be passed to a variable. This is because I am calling HTML (CGI as well) inside Linux shell programming. I need to manipulate that variable as I want. Do you have any idea how to do it?

What I need to do is get the MAC address as an input from the user, i.e. we should have an HTML page with a text box where the user will be able to input the MAC address. Therefore whatever the user enters into the text box needs to be passed to a variable.

Once we have the variable, this script will automatically add this MAC address into the Linux firewall to deny the access.

The code should be similar to the following:

#!/bin/bash
echo "Content-type: text/html"
echo ""
echo ""
echo "enter the MAC address "
iptables -A INPUT -m mac --mac-source $mac_address -j DROP
service iptables save
service iptables restart

I will save this file (test.cgi) under the /var/www/cgi-bin directory and I will run this script from Firefox.

So the problem I now have is the variable $mac_address. The CGI does not pass the textbox input into the variable $mac_address.

+1  A: 

Maybe this can help? http://oinkzwurgl.org/bash_cgi

Alberto Zaccagni
+2  A: 

First, read the CGI primer.

You will need an HTML page with code like this:

<form method="get" action="/cgi-bin/my-fw-script.sh">
    <p>Gimme an IP address: <input name="addr"></p>
    <input type="submit" value="Block IP">
</form>

When the user clicks the form's Submit button, your Bash CGI program will be run. (/path/to/cgi-bin/my-fw-script.sh in the above example.) The text input will be in the QUERY_STRING environment variable, in the form variable=value. For simple inputs, you could just call the Bash function eval to turn this into a Bash variable:

#!/bin/sh
eval $QUERY_STRING
echo You asked me to block $addr.

This will only work for a single input field, and will break if there are spaces or other special characters. I imagine the bash_cgi thing someone else recommended will take care of these details for you. Do it like the above example only if this program will stay very simple.

By the way, you almost certainly don't want to be adding MAC addresses to the firewall. That only works for hosts that are on the same LAN as the firewalled box. Packets coming from another LAN, the Internet, etc. will have the MAC address of the LAN's gateway. You should probably be blocking hosts by IP address instead.

Warren Young
Thanks for your mail, but the problem is I have to take more than one input from the user (like two devices at a time). How can I adapt this script? These devices are going to be in a single VLAN, therefore no problem with routing functions.
See http://hoohoo.ncsa.illinois.edu/cgi/security.html "Beware the eval statement"
Sinan Ünür
Regarding the dangers of eval: yes, I know. I assume this script is going to be well-protected, since it's a ripe DoS attack all by itself. It certainly better not be something just anyone can access. And yes, defense in depth is a good idea, too. Regarding the need for multiple inputs: I looked at the Bash.CGI thing recommended by Montecristo, and it addresses this. It does use eval, though.
Warren Young
@Warren Young based on the tone of the post, I am willing to bet that the OP is not aware of the threat.
Sinan Ünür
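
One way to read more than one form field from QUERY_STRING without eval, as an added example that is not part of any answer or comment above. It is plain POSIX sh; the field names mac1 and mac2 and the function names are assumptions, and the script only reports the validated values.

```sh
#!/bin/sh
# Added example: read form fields from QUERY_STRING without eval.
# Field names mac1/mac2 are hypothetical (two devices per request).
LC_ALL=C; export LC_ALL   # make [A-F] ranges mean plain ASCII

# get_param NAME QUERY: print the raw value of the first NAME=value pair.
get_param() {
    _rest=$2
    while [ -n "$_rest" ]; do
        _pair=${_rest%%"&"*}
        case $_rest in
            *"&"*) _rest=${_rest#*"&"} ;;
            *)     _rest= ;;
        esac
        case $_pair in
            "$1"=*) printf '%s' "${_pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# valid_mac STRING: succeed only for exactly six colon-separated hex octets.
valid_mac() {
    _h='[0-9A-Fa-f]'
    case $1 in
        $_h$_h:$_h$_h:$_h$_h:$_h$_h:$_h$_h:$_h$_h) return 0 ;;
    esac
    return 1
}

# mac_from_query NAME QUERY: print the field as a MAC address, or fail.
# Only %3A (the colon, which browsers percent-encode) is decoded; any other
# escape or character makes validation fail, so nothing is ever evaluated.
mac_from_query() {
    _raw=$(get_param "$1" "$2") || return 1
    _mac=$(printf '%s' "$_raw" | sed 's/%3[Aa]/:/g')
    valid_mac "$_mac" || return 1
    printf '%s' "$_mac"
}

# CGI entry point: runs only when a web server has set GATEWAY_INTERFACE.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-type: text/plain\n\n'
    for _f in mac1 mac2; do
        if _m=$(mac_from_query "$_f" "${QUERY_STRING:-}"); then
            printf '%s accepted: %s\n' "$_f" "$_m"
        else
            printf '%s rejected\n' "$_f"
        fi
    done
fi
```

Because the value is matched against a fixed 17-character pattern before it is used, input with spaces, shell metacharacters or extra text is rejected instead of being interpreted.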
+1  A: 

The real answer to this question is don't.

Your web server seems to be running with root privileges. That is the first no-no.

Do you really want to allow the whole wide world to be able to tinker with your firewall configuration? You have no control over how your shell script gets invoked, what gets passed to it. You are opening major security holes.

See the WWW Security FAQ on CGI scripts and Writing secure CGI scripts as well as CGI Security : Better Safe than Sorry.

Sinan Ünür
While you may be right, this is not an answer to the question. It could be part of an answer, but here the topic is doing CGI with a shell script.
shodanex