Writing

Software, technology, sysadmin war stories, and more.

Wednesday, March 13, 2013

One-shot CGI example with client IP address display

Here's another small exercise for anyone who wants to dip a toe into the waters of doing CGI with C or C++. This particular example will compile either way since I haven't done anything special to restrict it, like using classes, or naming variables after certain C++ reserved words.

All I'm doing here is pulling a variable from the process environment to see who might be connected. REMOTE_ADDR is set by Apache when you wake up as a CGI. It's important to notice that this can fail, particularly when running it standalone (from the shell).

I also did an HTTP request to it over IPv6 just because I could. The program doesn't really care either way, but it does provide a warning for the future: REMOTE_ADDR might not always be a dotted quad. You can and will get IPv6 addresses with hex characters and colon separators if someone hits you that way. They might even do it on purpose to see if they can break you.

Recording #1: fetch and display REMOTE_ADDR to visitor if possible.

...

Aside: I wonder how long it will be until someone discovers an exploit where they put some x86 bytecode in their IPv6 address and use it to break into a program which really isn't expecting anything longer than "xxx.xxx.xxx.xxx" in that field. Smashing the stack v6?
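A defensive way to handle both points above (REMOTE_ADDR may be missing, and it may be an IPv6 address far longer than a dotted quad), as an added example rather than the code from the recording. The function name `classify_remote_addr` is hypothetical; the buffer is sized with `INET6_ADDRSTRLEN` and the value is parsed before it is echoed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: validate a REMOTE_ADDR value and copy its canonical
 * text form into out. Returns AF_INET, AF_INET6, or -1 when the value is
 * missing, oversized, not an IP address, or does not fit in out. */
int classify_remote_addr(const char *raw, char *out, size_t outlen)
{
    unsigned char bin[sizeof(struct in6_addr)];
    const int families[] = { AF_INET, AF_INET6 };
    size_t i;

    /* getenv() returns NULL when run from a shell; reject that and anything
     * longer than the longest textual IPv6 address before parsing. */
    if (raw == NULL || strlen(raw) >= INET6_ADDRSTRLEN)
        return -1;

    for (i = 0; i < 2; i++) {
        /* inet_pton accepts only a well-formed address; inet_ntop is given
         * the buffer size and fails instead of writing past the end. */
        if (inet_pton(families[i], raw, bin) == 1 &&
            inet_ntop(families[i], bin, out, (socklen_t)outlen) != NULL)
            return families[i];
    }
    return -1;
}

int main(void)
{
    char addr[INET6_ADDRSTRLEN];  /* 46 bytes, not the 16 a dotted quad needs */
    int family = classify_remote_addr(getenv("REMOTE_ADDR"), addr, sizeof(addr));

    printf("Content-Type: text/plain\r\n\r\n");
    if (family == -1)
        printf("REMOTE_ADDR is not set or is not an IP address.\n");
    else
        printf("You are %s (%s)\n", addr, family == AF_INET6 ? "IPv6" : "IPv4");
    return 0;
}
```

Because only the re-serialized output of `inet_ntop` is printed, nothing from the environment reaches the response unparsed.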