Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

CGI Security

CGI is a very flexible and powerful protocol, and it scales much more that most WEB developers assume.  CGI may be not that fancy technology, but it's simple and you can do almost anything it it.

The most common tool for writing CGI scripts is Perl, therefore most CGI scripts you can find on the WEB are written in this language.

Essentially, all web applications do pretty much the same things:

1. Provide a Query Interface - Web Applications provide users with an interface for entering data. The data they enter is usually called a "query" or a "request" because the user-defined data is used to dynamically query or make a request from some service on the web server machine (searching a database, ordering a book, requesting a file).
2. Transmit User-Defined Query - Once collected, the user-data is sent to a web server
3. Perform Server Side Processing - The web server processes the user-data using some sort of "middleware".
4. Massage Data - Processing almost always involves playing with data on the server. The user-defined request specifies how the data should be played with.
5. Transmit Query Results - The processed data is now returned to the client.
6. Perform Client Side Processing - Finally, the returned data is displayed to the user. Display might be as simple as interpreting HTML, or as complex as performing calculations, sorting, or other manipulations of the data.

Notes: Those pages are written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected. This is a Spartan WHYFF (We Help You For Free) site. It cannot replace the best teachers and the best books. The site contain some obsolete pages as it develops like a living tree... Some links on older pages are broken. Please try to use Google, Open directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate if you can mail us a correct link. Search Amazon by keywords:     Open directory Research Index

News

Recommended Links

The problem with /usr/ucb/mail shell escapes is going stay with us for quite a while: I have found that many web sites run CGI helper scripts that send data from the network into /usr/ucb/mail, without censoring of, for example, newline characters embedded in the data.

• WWW Security FAQ CGI Scripts

• WWW Security FAQ Safe Scripting in Perl

• WEBsmith Issue 2 CGI Security

• CGI Security

• Server Side Includes and CGI Security

• The Common Gateway Interface Security

Reference

CGI scripts have access to 20 or so environment variables, such as QUERY_STRING and CONTENT_LENGTH mentioned on the main page. Here's the complete list at NCSA.

REQUEST_METHOD

The HTTP method this script was called with. Generally "GET", "POST", or "HEAD".

HTTP_REFERER

The URL of the form that was submitted. This isn't always set, so don't rely on it. Don't go invading people's privacy with it, neither.

PATH_INFO

Extra "path" information. It's possible to pass extra info to your script in the URL, after the filename of the CGI script. For example, calling the URL

http://www.myhost.com/mypath/myscript.cgi/path/info/here

will set PATH_INFO to "/path/info/here". Commonly used for path-like data, but you can use it for anything.

SERVER_NAME

Your Web server's hostname or IP address (at least for this request).

SERVER_PORT

Your Web server's port (at least for this request).

SCRIPT_NAME

The path part of the URL that points to the script being executed. It should include the leading slash, but certain older Web servers leave the slash out. You can guarantee the leading slash with this line of Perl:
$ENV{'SCRIPT_NAME'}=~ s#^/?#/# ;

So the URL of the script that's being executed is, in Perl,

"http://$ENV{'SERVER_NAME'}:$ENV{'SERVER_PORT'}$ENV{'SCRIPT_NAME'}"

The complete URL the script was invoked with may also have PATH_INFO and QUERY_STRING at the end.

MIME Types

MIME types are standard, case-insensitive strings that identify a data type, used throughout the Internet for many purposes. They start with the general type of data (like text, image, or audio), followed by a slash, and end with the specific type of data (like html, gif, or jpeg). HTML files are identified with text/html, and GIFs and JPEGs are identified with image/gif and image/jpeg. Here's a pretty good list of commonly-used MIME types.

CGI-scanners

whisker.txt

R a i n F o r e s t P u p p y

Whisker
Whisker is a CGI scanner with impressive features that makes it much better than most CGI scanners.

Download:
http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2

Common Gateway Interface (CGI) Specifications

CGI-Resources Page
CGI Tutorials and scripts

Perl Tutotial Start
CGI Scripts from NCSA
ENMPC: Tutorial on CGI
Perl and CGI Tutorial
CGI Tutorial - Frames version
Matt's Perl Tutorial
Danny Aldham's Perl CGI Tutorial Page version 1.07
Perl and CGI Tutorial
CGI Tutorial && Link
CGI Tutorial: Start
CGI Manual
CGI & Perl links on the WWW
Perl-Related Links
CGI Tutorial: A simple CGI script
CGI Tutorial: What CGI scripts are

Debugging and Troubleshooting

The Idiot's Guide to Solving Perl CGI Problems

Debugging CGI Programs contains a useful script to help debug your CGI programs. Requires Apache Server v1.2.

Administration

Seite zum Thema Linux   --  SendingMirror.pl, a small script to keep your remote web server or ftp server up to date by pushing the changed data from your local host, maybe behind a firewall or a dialup line.

Etc

Last modified: June 05, 2008