As pointed out in this blog entry and verified in Microsoft's knowledge base, Microsoft is giving out some pretty dangerous security advice on how to set up Python CGI. Basically, the IIS mapping they recommend for Python CGI is "C:\Python20\python.exe %s %s". The problem, as noted in the blog:
Unfortunately this is not just wrong, but possibly dangerous. The first problem is that it'll break if a CGI script's filename has a space in it, because everything after the space becomes parameters to the script. Secondly, if the script name starts with a hyphen, it becomes a flag to the Python interpreter. And there are some dangerous flags—for example -c allows you to execute any Python code.
If the ‘check file exists’ option is turned on, this is only an annoyance in that you can't use script names with these characters in. However if turned off an attacker would be able to abuse these holes without you having to provide a script with a weird name.
The solution is to put the ‘%s’s in quotes, and ensure that the ‘check file exists’ option is always on.
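To make the argument-splitting problem concrete, here is an added illustration (not code from the quoted blog or from Microsoft's KB article) that models how the script-map template is expanded into a command line and then split into arguments, and that audits a mapping for unquoted %s placeholders. The tokenizer is a deliberately simplified version of the Windows command-line rules (whitespace separates arguments, double quotes group them; backslash escapes are ignored), and the sample mappings are constructed from the post.

```python
import re

# Constructed sample mappings: the one the post criticizes and the quoted form it recommends.
UNSAFE_MAPPING = r'C:\Python20\python.exe %s %s'
SAFE_MAPPING = r'C:\Python20\python.exe "%s" "%s"'


def split_cmdline(cmdline):
    """Split a command line roughly as Windows does: whitespace separates
    arguments and double quotes group them. Backslash escaping is left out,
    which is fine for the plain paths used here (simplified model)."""
    args, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True          # "" still yields an (empty) argument
        elif ch in ' \t' and not in_quotes:
            if have_token:
                args.append(''.join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append(''.join(cur))
    return args


def expand_mapping(template, script_path, extra=''):
    """Model the script-map expansion: the first %s becomes the script path,
    the second the extra argument string (often empty)."""
    return template.replace('%s', script_path, 1).replace('%s', extra, 1)


def unquoted_placeholders(template):
    """Offsets of %s placeholders that are not wrapped in double quotes.
    A non-empty result is the misconfiguration the post describes."""
    return [m.start() for m in re.finditer(r'%s', template)
            if not (m.start() > 0 and template[m.start() - 1] == '"'
                    and template[m.end():m.end() + 1] == '"')]


def option_like_args(argv):
    """Arguments after the executable, up to the first non-option, that
    python.exe would read as interpreter flags rather than a script path."""
    flags = []
    for arg in argv[1:]:
        if not arg.startswith('-'):
            break
        flags.append(arg)
    return flags
```

Run `unquoted_placeholders` over each script-map template in an IIS configuration export to find mappings that still use the bare form; `split_cmdline(expand_mapping(...))` shows how a given script name is actually delivered to the interpreter.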
Oh, wait! Naturally, I had to do some digging. Looks like they have similarly bogus advice for Perl. Curiously, the latter link shows up as a blank page in my Firefox but renders just fine in IE.
Weird. Only the top of the page renders for me in Firefox. Thank goodness for the IE tab extension.
I also liked that they consistently capitalized PERL. Obviously they know about the Inline::PERL module.