CGI protection

Be careful when using pre-written CGI scripts.



Automated, flashy, multimedia, multifunctional Web sites have become the norm. As the proliferation of high-speed connectivity for both home and business use expands, the programmatic content on Web sites will continue to grow. As an organization deploying its own Web services to clients, customers and the general public, ensuring that your Web site is safe for all is an important aspect of maintaining your reputation and profitabi...

lity.

It is often more cost effective to purchase or download a pre-written CGI script rather than design, write and test your own using in-house programmers and expertise. However, this dollar savings can often cost you significantly in the area of security.

Not all CGI scripts are created equal. In fact, there are innumerable CGI scripts floating around the digital ether that leave open back doors onto your Web server, download viruses, Trojans and worms to visiting clients, or even execute malicious code using system-level privileges. Most of the unwanted activities of CGI scripts are nearly invisible and undetectable upon execution until after the damage is done.

If you must use pre-existing CGI scripts, then you must accept the responsibility to inspect every line of code to ensure it is safe and clean from unwanted system calls. Taking the time to inspect a script line by line will require just as much -- if not more -- internal programming expertise than writing something from scratch.

One specific item to look for are system calls to execute commands at system-level privileges. In ISAPI scripts, the command RevertToSelf() is used to perform just that. DUMPBIN (a tool from the Win32 API developers toolkit) can be used to quickly search an ISAPI script for this or other commands.

The bottom line is, if you don't inspect third-party CGI scripts, there is no end to the malicious problems it could perpetrate on your Web server and your visitors.


About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.


This was first published in June 2002

Dig deeper on Web Services Security and SOA Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close