CGI stands for Common Gateway Interface, and it amounts to a way of executing an external program or script by sending to the web server a URL request containing the name of the program to execute, and optionally some data for it. The server then runs the program or script, and sends the output (if any) back to the client, providing dynamic content, in contrast to the static, fixed page images displayed when .html pages are retrieved. For example, there are CGI programs to display web counters, maintain web site guest books, add entries to web blogs, display the time using pictures of the relevant numbers, etc.
An example of a URL that invokes a CGI script with no data passed to it, would be http://www.internic.net/cgi-bin/whois . As you can see, it is similar to a traditional static URL referencing an HTML page, except that the final path element doesnt include a .htm or .html suffix. When you need to send data to the script, the URL gets a bit more complex. An example of a URL that invokes a CGI script, passing data for the script, would be http://www.internic.net/cgi-bin/whois?whois_nic= helenworld.com&type=domain. As you can see, its composed of the name of the CGI script, followed by a ? that tells the web server when the data starts, then pairs of the form dataitem=value, separated by &.
The primary security issue with CGI scripts is that its very difficult to get them right.
Most system administrators of large UNIX sites can tell at least one horror story about some way a user found to make a UNIX shell script running with root permissions, do something other than what it was originally intended, like perhaps copy any file on the system, regardless of file access permissions set on it. CGI scripts219 are vulnerable to the same sorts of misdirection issues that affect UNIX shellscripts, and should be written carefully.
For further information on how to write more secure CGI scripts, see the WWW Security FAQ220.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.