Tip

CGI protection



Automated, flashy, multimedia, multifunctional Web sites have become the norm. As the proliferation of high-speed connectivity for both home and business use expands, the programmatic content on Web sites will continue to grow. As an organization deploying its own Web services to clients, customers and the general public, ensuring that your Web site is safe for all is an important aspect of maintaining your reputation and profitability.

It is often more cost effective to purchase or download a pre-written CGI script rather than design, write and test your own using in-house programmers and expertise. However, this dollar savings can often cost you significantly in the area of security.

Not all CGI scripts are created equal. In fact, there are innumerable CGI scripts floating around the digital ether that leave open back doors onto your Web server, download viruses, Trojans and worms to visiting clients, or even execute malicious code using system-level privileges. Most of the unwanted activities of CGI scripts are nearly invisible and undetectable upon execution until after the damage is done.

If you must use pre-existing CGI scripts, then you must accept the responsibility to inspect every line of code to ensure it is safe and clean from unwanted system calls. Taking the time to inspect a script line by line will require just as much -- if not more -- internal programming expertise than writing something from scratch.

One specific

    Requires Free Membership to View

item to look for are system calls to execute commands at system-level privileges. In ISAPI scripts, the command RevertToSelf() is used to perform just that. DUMPBIN (a tool from the Win32 API developers toolkit) can be used to quickly search an ISAPI script for this or other commands.

The bottom line is, if you don't inspect third-party CGI scripts, there is no end to the malicious problems it could perpetrate on your Web server and your visitors.


About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.


This was first published in June 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.