Writing secure CGI scripts Writing secure CGI scriptsWith that in mind, we would like to present a few guidelines to making sure your program does not come under attack.
Languages like PERL and the Bourne shell provide an eval command which allow you to construct a string and have the interpreter execute that string. This can be very dangerous. Observe the following statement in the Bourne shell:
eval `echo $QUERY_STRING | awk 'BEGIN{RS="&"} {printf
"QS_%s\n",$1}' `
This clever little snippet takes the query string, and convents it into a set of variable set commands. Unfortunately, this script can be attacked by sending it a query string which starts with a ;. See what I mean about innocent-looking scripts being dangerous?
A well-behaved client will escape any characters which have special meaning to the Bourne shell in a query string and thus avoid problems with your script misinterpreting the characters. A mischevious client may use special characters to confuse your script and gain unauthorized access.
If you use any data from the client to construct a command line for a call to popen() or system(), be sure to place backslashes before any characters that have special meaning to the Bourne shell before calling the function. This can be achieved easily with a short C function.
If your server is unfortunate enough to support server-side includes, turn them off for your script directories!!!. The server-side includes can be abused by clients which prey on scripts which directly output things they have been sent.
For a more comprehensive summary of security and the World-Wide Web, see the WWW Security FAQ.
![[Back]](back.gif)
Return to the overview CGI - Common Gateway Interface
cgi@ncsa.uiuc.edu