Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
May the source be with you, but remember the KISS principle ;-)
Skepticism and critical thinking is not panacea, but can help to understand the world better

CGI Security

News Recommended Books Recommended Links Tutorials Reference CGI-scanners Selena Sol CGI scripts
CGI Security SSI Administration Debugging History Humor Etc.

CGI is a very flexible and powerful protocol, and it scales much more that most WEB developers assume.  CGI may be not that fancy technology, but it's simple and you can do almost anything it it.

The most common tool for writing CGI scripts is Perl, therefore most CGI scripts you can find on the WEB are written in this language.

Essentially, all web applications do pretty much the same things:

  1. Provide a Query Interface - Web Applications provide users with an interface for entering data. The data they enter is usually called a "query" or a "request" because the user-defined data is used to dynamically query or make a request from some service on the web server machine (searching a database, ordering a book, requesting a file).
  2. Transmit User-Defined Query - Once collected, the user-data is sent to a web server
  3. Perform Server Side Processing - The web server processes the user-data using some sort of "middleware".
  4. Massage Data - Processing almost always involves playing with data on the server. The user-defined request specifies how the data should be played with.
  5. Transmit Query Results - The processed data is now returned to the client.
  6. Perform Client Side Processing - Finally, the returned data is displayed to the user. Display might be as simple as interpreting HTML, or as complex as performing calculations, sorting, or other manipulations of the data.

Top Visited
Past week
Past month



Recommended Links

Google matched content

Softpanorama Recommended

Top articles


The problem with /usr/ucb/mail shell escapes is going stay with us for quite a while: I have found that many web sites run CGI helper scripts that send data from the network into /usr/ucb/mail, without censoring of, for example, newline characters embedded in the data.


CGI scripts have access to 20 or so environment variables, such as QUERY_STRING and CONTENT_LENGTH mentioned on the main page. Here's the complete list at NCSA.

The HTTP method this script was called with. Generally "GET", "POST", or "HEAD".
The URL of the form that was submitted. This isn't always set, so don't rely on it. Don't go invading people's privacy with it, neither.
Extra "path" information. It's possible to pass extra info to your script in the URL, after the filename of the CGI script. For example, calling the URL

will set PATH_INFO to "/path/info/here". Commonly used for path-like data, but you can use it for anything.

Your Web server's hostname or IP address (at least for this request).
Your Web server's port (at least for this request).
The path part of the URL that points to the script being executed. It should include the leading slash, but certain older Web servers leave the slash out. You can guarantee the leading slash with this line of Perl:
$ENV{'SCRIPT_NAME'}=~ s#^/?#/# ;

So the URL of the script that's being executed is, in Perl,


The complete URL the script was invoked with may also have PATH_INFO and QUERY_STRING at the end.

MIME Types

MIME types are standard, case-insensitive strings that identify a data type, used throughout the Internet for many purposes. They start with the general type of data (like text, image, or audio), followed by a slash, and end with the specific type of data (like html, gif, or jpeg). HTML files are identified with text/html, and GIFs and JPEGs are identified with image/gif and image/jpeg. Here's a pretty good list of commonly-used MIME types.



R a i n F o r e s t P u p p y

Whisker is a CGI scanner with impressive features that makes it much better than most CGI scanners.


Xenu's Link Sleuth. Software to find broken links on a web site. Tilman Hausherr.

Common Gateway Interface (CGI) Specifications

CGI-Resources Page
CGI Tutorials and scripts

Perl Tutotial Start
CGI Scripts from NCSA
ENMPC: Tutorial on CGI
Perl and CGI Tutorial
CGI Tutorial - Frames version
Matt's Perl Tutorial
Danny Aldham's Perl CGI Tutorial Page version 1.07
Perl and CGI Tutorial
CGI Tutorial && Link
CGI Tutorial: Start
CGI Manual
CGI & Perl links on the WWW
Perl-Related Links
CGI Tutorial: A simple CGI script
CGI Tutorial: What CGI scripts are

Debugging and Troubleshooting

The Idiot's Guide to Solving Perl CGI Problems

Debugging CGI Programs contains a useful script to help debug your CGI programs. Requires Apache Server v1.2.


Seite zum Thema Linux --, a small script to keep your remote web server or ftp server up to date by pushing the changed data from your local host, maybe behind a firewall or a dialup line.



The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

Copyright 1996-2018 by Dr. Nikolai Bezroukov. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case is down you can use the at


The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019