Automated, flashy, multimedia, multifunctional Web sites have become the norm. As the proliferation of high-speed connectivity for both home and business use expands, the programmatic content on Web sites will continue to grow. As an organization deploying its own Web services to clients, customers and the general public, ensuring that your Web site is safe for all is an important aspect of maintaining your reputation and profitability.
It is often more cost effective to purchase or download a pre-written CGI script rather than design, write and test your own using in-house programmers and expertise. However, this dollar savings can often cost you significantly in the area of security.
Not all CGI scripts are created equal. In fact, there are innumerable CGI scripts floating around the digital ether that leave open back doors onto your Web server, download viruses, Trojans and worms to visiting clients, or even execute malicious code using system-level privileges. Most of the unwanted activities of CGI scripts are nearly invisible and undetectable upon execution until after the damage is done.
If you must use pre-existing CGI scripts, then you must accept the responsibility to inspect every line of code to ensure it is safe and clean from unwanted system calls. Taking the time to inspect a script line by line will require just as much -- if not more -- internal programming expertise than writing something from scratch.
The bottom line is, if you don't inspect third-party CGI scripts, there is no end to the malicious problems it could perpetrate on your Web server and your visitors.
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in June 2002