Table Of Contents: CertiGuide to Security+
Chapter 2: Communication Security (Domain 2.0; 20%)
2.3 The Web
ActiveX


CGI stands for “Common Gateway Interface”, and it amounts to a way of executing an external program or “script” by sending to the web server a URL request containing the name of the program to execute, and optionally some data for it. The server then runs the program or script, and sends the output (if any) back to the client, providing dynamic content, in contrast to the “static”, fixed page images displayed when “.html” pages are retrieved. For example, there are CGI programs to display web counters, maintain web site guest books, add entries to web “blogs”, display the time using pictures of the relevant numbers, etc.

An example of a URL that invokes a CGI script with no data passed to it would be . As you can see, it is similar to a traditional “static” URL referencing an HTML page, except that the final path element doesn’t include a “.htm” or “.html” suffix. When you need to send data to the script, the URL gets a bit more complex. An example of a URL that invokes a CGI script, passing data for the script, would be . As you can see, it’s composed of the name of the CGI script, followed by a “?” that tells the web server where the data starts, then pairs of the form “dataitem=value”, separated by “&”.

The primary security issue with CGI scripts is that it’s very difficult to get them right.

Most system administrators of large UNIX sites can tell at least one horror story about some way a user found to make a UNIX shell script running with root permissions do something other than what it was originally intended to do, such as copying any file on the system regardless of the file access permissions set on it. CGI scripts [219] are vulnerable to the same sorts of misdirection issues that affect UNIX shell scripts, and should be written carefully.

For further information on how to write more secure CGI scripts, see the WWW Security FAQ [220].
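The following is an added example, not code from CertiGuide: it parses the “script?dataitem=value&dataitem=value” URL form described above for a hypothetical guest-book script (the host, script name and the `finger` command are assumptions), shows the string-concatenation pattern that lets user data misdirect a script, and the hardened form that allow-lists the value and never hands it to a shell.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request in the "script?item=value&item=value" form
# (hypothetical host and script, not taken from the text).
SAMPLE_URL = "http://www.example.com/cgi-bin/guestbook?name=alice&msg=hello+there"


def parse_cgi_query(url: str) -> dict:
    """Split everything after the first '?' into name -> [values].
    The '&'-separated pairs are URL-decoded, so '+' becomes a space."""
    _, _, query = url.partition("?")
    return parse_qs(query, keep_blank_values=True)


def build_command_unsafe(name: str) -> str:
    """The pattern behind the 'misdirection' the text warns about: user data
    is glued into a shell command line, so shell metacharacters in the value
    (';', '|', backticks, '$(' ...) change what the script actually runs."""
    return "finger " + name


SHELL_META = set(";|&`$<>\n\"'\\()")
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def data_is_misdirecting(value: str) -> bool:
    """Flag a raw parameter value containing characters a shell would
    interpret; useful for rejecting it and for logging the attempt."""
    return any(ch in SHELL_META for ch in value)


def build_command_safe(name: str) -> list:
    """Hardened form: allow-list the value, then return an argv list meant
    for subprocess.run(argv) without a shell, so no metacharacter is parsed."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected 'name' parameter: %r" % name)
    return ["finger", "--", name]


def handle_request(url: str) -> list:
    """Whole CGI-style flow: parse the query, validate, build the argv.
    A real script would run it and print the output after a header line."""
    params = parse_cgi_query(url)
    name = params.get("name", [""])[0]
    return build_command_safe(name)
```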







CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.