
PERL scripts must use the TAINT option.


Overview

Finding ID: V-2272
Version: WG460 IIS6
Rule ID: SV-38114r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be a practical, easy-to-use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. Such scripts are most readily exploited by a malicious user substituting input to a PERL script during a POST or a GET operation. Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(); if a script attempts this, it will exit with a warning message.
STIG Date
IIS6 Site 2014-12-10

Details

Check Text ( C-37487r1_chk )
1. Query the Web Admin for the PERL file extension(s) on the system.
2. Search the system for PERL files (normally ending in .pl).
3. For those PERL files found within the web site/server content directories, open them with Notepad and ensure the first line of the script is as follows: #!/usr/local/bin/perl -T.
4. If the above line is not found, verify the application settings for the directory containing the PERL script(s).
5. Right click on the directory > Select properties > Select the Home Directory, Directory, or Virtual Directory tab.
6. Under the Application settings area, select the Configuration button.
7. Browse the Application extensions for the PERL file extension (normally .pl).
8. Verify the executable path for the PERL file extension lists Perl.exe -T.

If #!/usr/local/bin/perl -T is not the first line of the PERL script, or the executable path does not list Perl.exe -T, this is a finding.

NOTE: This applies to PERL scripts used as part of the web server and not all PERL scripts on the system.
NOTE: If the TAINT option cannot be used for any reason, this finding can be mitigated by the use of a third-party input validation mechanism or by input validation included as part of the script in use. This must be documented.
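
The behaviour described in the Description, together with in-script input validation, shown as an added example that is not part of the STIG: a CGI-style script under -T that is blocked from passing a GET parameter to system() until the value has matched a strict pattern. The parameter name host, the nslookup command and the PATH value are assumptions chosen for illustration.

```perl
#!/usr/local/bin/perl -T
# Added example with constructed names; not part of the STIG.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;  # flush our output before any child process writes

# Taint mode also distrusts the inherited environment, so pin it down first.
$ENV{PATH} = '/usr/bin:/bin';  # assumption: trusted directories on this host
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# GET parameters arrive in QUERY_STRING and are tainted. split() keeps the
# taint; a regex capture at this point would silently remove it.
# (Percent-decoding is omitted to keep the example short.)
my $query = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
my %param;
for my $pair (split /&/, $query) {
    next unless length $pair;
    my ($key, $value) = split /=/, $pair, 2;
    $param{$key} = defined $value ? $value : '';
}
my $host = defined $param{host} ? $param{host} : '';  # hypothetical parameter

print "Content-Type: text/plain\n\n";
print 'host tainted: ', (tainted($host) ? 'yes' : 'no'), "\n";

# Tainted data reaching system() is fatal under -T. eval {} traps the error
# only so the message can be shown; a production script would just die.
if (tainted($host)) {
    eval { system('nslookup', $host) };
    print "blocked: $@" if $@;
}

# Untaint by matching an allow-list pattern and keeping only the capture.
# The pattern must be strict: /(.*)/ would also untaint and validate nothing.
# Requiring a leading alphanumeric stops the value being read as an option.
if ($host =~ /\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/) {
    my $clean = $1;
    print 'clean tainted: ', (tainted($clean) ? 'yes' : 'no'), "\n";
    # List-form system() bypasses the shell; nslookup is a stand-in command.
    system('nslookup', $clean) == 0 or print "lookup failed\n";
} else {
    print "rejected: host parameter failed validation\n";
}
```

Once -T is on the #! line, Perl refuses to run the script unless the switch is also on the interpreter's command line, which is why the script mapping in step 8 must list Perl.exe -T.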
Fix Text (F-32735r1_fix)
Adjust the PERL scripts to include the appropriate comments enabling the TAINT option.