WebmasterWorld
Perl Server Side CGI Scripting Forum

Securing CGI scripts
sugarkane
Msg#: 237 posted 10:06 am on Feb 16, 2001 (gmt 0)

I'm trying to put together a checklist of ways of making CGI scripts as secure as they can be - more of a best practice guide rather than a language or command specific thing.

This is what I've come up with so far:

- Check that the referring URL is what it should be

- Validate that user input is sane, e.g. an alphanumeric field shouldn't contain control characters

- Never blindly pass user input to an external program as an argument

- All writable files should be in a separate directory so that permissions on your cgi-bin can be made secure

- Remove all backup files (e.g. foo.cgi~) from your script directory, as they will be served up as text, giving a hacker plenty of food for thought.

I ran out of ideas at this point. Has anyone any more, or does anyone disagree with any of these?
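An added example, not code from any poster in this thread: a Perl audit script for the last two checklist items, the separate-directory/permissions point and the leftover backup files. It walks a script directory and reports editor backup names (Emacs leaves "foo.cgi~" and "#foo.cgi#", vim leaves ".foo.cgi.swp") and any regular file writable by group or other. The set of name patterns, the directory argument and the 0022 permission test are my choices for illustration.

```perl
#!/usr/bin/perl
# Added example for this thread, not code posted by anyone in it.
# Walk a script directory and report (a) editor backup files that a web
# server would serve as plain text and (b) files writable by group/other,
# which a tightly permissioned cgi-bin should never contain.
use strict;
use warnings;
use File::Find;

# Common leftovers: Emacs "foo.cgi~" and "#foo.cgi#", vim ".foo.cgi.swp",
# and hand-made ".bak", ".orig" and ".old" copies. Extend as needed.
my $backup_re = qr/(?:~|\.bak|\.orig|\.swp|\.old)\z|\A\#.*\#\z/;

# Returns a list of human-readable findings for every regular file under $dir.
sub audit_dir {
    my ($dir) = @_;
    my @findings;
    find(sub {
        # File::Find chdirs into each directory: $_ is the basename,
        # $File::Find::name the path relative to the starting point.
        return unless -f $_;
        my $path = $File::Find::name;
        push @findings, "backup file (served as text): $path"
            if $_ =~ $backup_re;
        my $mode = (stat $_)[2] & 07777;
        # 0022 covers the group-write and other-write bits.
        push @findings, sprintf("writable by group/other (%04o): %s", $mode, $path)
            if $mode & 0022;
    }, $dir);
    return @findings;
}

# Usage: perl audit_cgi_bin.pl /path/to/cgi-bin   (defaults to the cwd)
my $dir = shift @ARGV;
$dir = '.' unless defined $dir;
my @findings = audit_dir($dir);
print "$_\n" for @findings;
printf "%d finding(s) in %s\n", scalar @findings, $dir;
```

Run it against the live cgi-bin from cron or as part of the upload step; a clean tree prints "0 finding(s)". Note that the permission check only looks at mode bits, not at who owns the directory, so keep the writable data directory outside the tree this script scans.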
han solo
Msg#: 237 posted 7:22 pm on Feb 20, 2001 (gmt 0)

What is the default extension when a backup is created? I've decided this might be good research... :) and would like to see if some people indeed forgot to delete the backup.

Care to share? I'm still learning perl, or else I might actually know this one.

Cheers,

Han Solo

Or you could sticky mail me, if you don't want to post... after all, it wouldn't be good to start the revolution from one casual post, yes?

Air
Msg#: 237 posted 12:01 am on Feb 21, 2001 (gmt 0)

It is fairly normal practice to strip out characters from input received from a form or elsewhere, the thinking being that potentially harmful characters are listed and removed. But it is far more secure to do the reverse, i.e. accept only characters expected from such input and discard the rest.
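The following is an added example, not code posted in this thread. It ties together sugarkane's rule above about never passing user input blindly to an external program and Air's point that accepting only the expected characters beats stripping known-bad ones. It is Perl run in taint mode (-T); the username field, the choice of id(1) as the external program and the hostile sample string are assumptions made for illustration, and a real script would take the value from the form rather than from a literal. The Referer check from the opening list is not shown: that header is supplied by the client and can be set to any value.

```perl
#!/usr/bin/perl -T
# Added example for this thread, not code posted by anyone in it.
# Contrasts a denylist filter with an allowlist check, then shows the
# list form of pipe-open, which reaches execve(2) without a shell.
# Run under taint mode (-T), as CGI scripts should be.
use strict;
use warnings;

# Taint mode refuses to run external programs while PATH (or these other
# shell-influencing variables) could have come from the request environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Denylist: remove characters someone once thought of. Whatever was not
# thought of (here: newline, backtick, $(...)) survives untouched.
sub strip_bad_chars {
    my ($input) = @_;
    (my $clean = $input) =~ s/[;&|<>]//g;
    return $clean;
}

# Allowlist: the field is a username, so accept only the characters a
# username may contain, bounded in length, and reject everything else.
# Returning the capture group ($1) also untaints the value, which is the
# only route by which tainted data may reach system(), exec() or open().
sub validate_username {
    my ($input) = @_;
    return unless defined $input;
    return $1 if $input =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,31})\z/;
    return;
}

# Shell-string form, for comparison only: the string is handed to /bin/sh,
# so every metacharacter in $name is interpreted. Never call this with
# request data.
sub lookup_unsafe {
    my ($name) = @_;
    return `id $name`;
}

# List form: program and each argument go straight to execve(2); the
# argument is data, never parsed as a command line. Validation happens
# first, so a rejected value dies before anything runs. system(LIST) has
# the same property.
sub lookup_safe {
    my ($name) = @_;
    my $user = validate_username($name);
    die "rejected: username failed allowlist\n" unless defined $user;
    open(my $fh, '-|', 'id', $user) or die "cannot run id: $!\n";
    local $/;                    # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Constructed hostile input: a newline is a command separator to sh and is
# not on the denylist above.
my $hostile = "alice\n/usr/bin/id";

my $filtered = strip_bad_chars($hostile);
print "denylist left the newline in place: ",
      ($filtered =~ /\n/ ? "yes" : "no"), "\n";
print "allowlist verdict on hostile input: ",
      (defined(validate_username($hostile)) ? "accepted" : "rejected"), "\n";

my $out = eval { lookup_safe($hostile) };
print $@ ? "lookup_safe: $@" : $out;      # dies with "rejected: ..."
print lookup_safe('root');                # runs: id root
```

Run it as perl -T hardened_lookup.pl, or make it executable so the shebang supplies -T; invoked as plain perl hardened_lookup.pl, Perl stops with "Too late for "-T" option", and without -T the untainting step would not be enforced at all. The denylist version is kept only to show what it misses; delete it from anything you deploy.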

mivox
Msg#: 237 posted 12:13 am on Feb 21, 2001 (gmt 0)

For feedback form/order form type scripts, I had one client who specifically excluded replies from "free email" accounts, so you had to enter a valid ISP/paid webhost email address into the form. The thinking being that most people would not want to risk their internet access or webhosting by entering screwy things into the form or placing prank orders....

Not really something that would fall under standard precautions or practices, but a good option for some applications.

Vittal Aithal
Msg#: 237 posted 12:09 pm on Feb 21, 2001 (gmt 0)

Probably worthwhile reading:
[securityportal.com...]

vittal

sugarkane
Msg#: 237 posted 12:33 pm on Feb 21, 2001 (gmt 0)

Hi Vittal, welcome to WmW

Nice link - plenty to chew on :)

© Webmaster World 1996-2014 all rights reserved