Forum Library, Charter, Moderators: coopster & jatar k & phranque

Perl Server Side CGI Scripting Forum

    
Securing CGI scripts
sugarkane




msg:435160
 10:06 am on Feb 16, 2001 (gmt 0)

I'm trying to put together a checklist of ways of making CGI scripts as secure as they can be - more of a best practice guide rather than a language or command specific thing.

This is what I've come up with so far:

- Check that the referring URL is what it should be

- Validate that user input is sane, e.g. an alphanumeric field shouldn't contain control characters

- Never blindly pass user input to an external program as an argument

- All writable files should be in a separate directory so that permissions on your cgi-bin can be made secure

- Remove all backup files (eg foo.cgi~ ) from your script directory, as they will be served up as text giving a hacker plenty of food for thought.

I ran out of ideas at this point. Has anyone any more, or disagree with any of these?
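
Added example for the "never blindly pass user input to an external program" item, not code from the thread: a small user-lookup CGI that runs the id(1) program, with the unsafe call beside a hardened one. It assumes id lives at /usr/bin/id and that a login name matches `[a-z_][a-z0-9_-]{0,31}`; the fallback query string is constructed for the example, and URL-decoding is left out.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

$| = 1;   # flush so the header precedes the child's output

# Taint mode (-T) refuses to run external programs until the parts of the
# environment a child process could act on have been reset to known values.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Input: the web server's QUERY_STRING when there is one (tainted under -T),
# otherwise a constructed value shaped the way an attacker would shape it.
my $query = exists $ENV{QUERY_STRING}
          ? $ENV{QUERY_STRING}
          : 'user=nobody;cat /etc/passwd';

# Minimal parser.  split() does not untaint, so %param holds exactly what
# the client sent.  URL-decoding is left out to keep the example short.
my %param = map { my ($k, $v) = split /=/, $_, 2; ($k, $v // '') }
            split /&/, $query;
my $user = $param{user} // '';

# UNSAFE: with a single string argument system() hands the line to /bin/sh,
# so the ';' in the input starts a second command.  Under -T this dies with
# "Insecure dependency in system" as soon as $u is tainted.
sub lookup_unsafe {
    my ($u) = @_;
    return system("id $u");
}

# HARDENED: accept only the characters a Unix login name may contain, take
# the value from the capture (the one operation that untaints), and run the
# program with a LIST so no shell is involved.  A leading '-' is rejected
# by the pattern, so the value cannot be read as an option either.
sub lookup_safe {
    my ($u) = @_;
    return (0, 'username rejected')
        unless $u =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
    my $clean = $1;
    my $rc = system('/usr/bin/id', $clean);   # list form: execve(), no shell
    return ($rc == 0 ? 1 : 0, 'id exited with ' . ($rc >> 8));
}

print "Content-Type: text/plain\n\n";
my ($ok, $msg) = lookup_safe($user);
print $ok ? "lookup ok\n" : "rejected: $msg\n";

# Pass the word "unsafe" on the command line to watch taint mode catch the
# original version (only meaningful when QUERY_STRING is set, see below).
lookup_unsafe($user) if @ARGV && $ARGV[0] eq 'unsafe';
```

Run it as `perl -T lookup.pl`; `-T` on the shebang line is only honoured when the kernel executes the file directly, and a plain `perl lookup.pl` stops with "Too late for -T". With `QUERY_STRING='user=nobody;id' perl -T lookup.pl unsafe` the hardened path rejects the value and the unsafe path then dies with "Insecure dependency in system", which is the behaviour you want in a cgi-bin: the script fails closed instead of handing the client's string to a shell.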

 

han solo




msg:435161
 7:22 pm on Feb 20, 2001 (gmt 0)

What is the default extension when a backup is created? I've decided this might be good research...:) and would like to see if some people indeed forgot to delete the backup.

Care to share? I'm still learning Perl, or else I might actually know this one.

Cheers,

Han Solo

Or you could sticky mail me, if you don't want to post..after all, it wouldn't be good to start the revolution from one casual post, yes?

Air




msg:435162
 12:01 am on Feb 21, 2001 (gmt 0)

It is fairly normal practice to strip out characters from input received from a form or elsewhere, the thinking being that potentially harmful characters are listed and removed. But it is far more secure to do the reverse, i.e. accept only characters expected from such input and discard the rest.
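
Added example for the strip-the-bad versus accept-only-the-good contrast above, not code from the thread: both approaches run over a set of constructed form values so the difference is visible. The "username" shape used for the allowlist is an assumption for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed inputs: one normal value followed by the kinds of thing a
# form field receives from someone probing the script.
my @inputs = (
    'jdoe',
    'jdoe; rm -rf /',          # shell metacharacter
    "jdoe\nmail evil\@x",     # newline: starts a second header/command line
    'jdoe`id`',                # backtick: command substitution
    'jdoe$(id)',               # $() form of the same thing
    "jdoe\0.txt",              # NUL: ends the string for C callers
);

# Approach 1, denylist: strip the characters the author thought of.
# Everything the list does not mention passes straight through.
sub strip_bad {
    my ($s) = @_;
    $s =~ s/[;&|<>]//g;
    return $s;
}

# Approach 2, allowlist: state what a valid value looks like and accept
# nothing else.  \A and \z anchor to the whole string; a trailing $ would
# still match "jdoe\n".  The capture also untaints the value when the
# script runs under -T.
sub allow_username {
    my ($s) = @_;
    return $s =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

printf "%-22s %-22s %s\n", 'input', 'after denylist', 'allowlist';
for my $in (@inputs) {
    my $shown = $in;
    $shown =~ s/[^[:print:]]/?/g;            # make control characters visible
    my $stripped = strip_bad($in);
    $stripped =~ s/[^[:print:]]/?/g;
    my $ok = allow_username($in);
    printf "%-22s %-22s %s\n", $shown, $stripped,
        defined $ok ? "accepted: $ok" : 'rejected';
}
```

The denylist removes the `;` and nothing else: the newline, backtick, `$()` and NUL inputs reach the next stage with their payload intact, because nobody put those characters on the list. The allowlist accepts only the first value and needs no updating when a new dangerous character turns up, which is the point Air is making.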

mivox




msg:435163
 12:13 am on Feb 21, 2001 (gmt 0)

For feedback form/order form type scripts, I had one client who specifically excluded replies from "free email" accounts, so you had to enter a valid ISP/paid webhost email address into the form. The thinking being, most people would not want to risk their internet access or webhosting by entering screwy things into the form or placing prank orders....

Not really something that would fall under standard precautions or practices, but a good option for some applications.

Vittal Aithal




msg:435164
 12:09 pm on Feb 21, 2001 (gmt 0)

Probably worthwhile reading:
[securityportal.com...]

vittal

sugarkane




msg:435165
 12:33 pm on Feb 21, 2001 (gmt 0)

Hi Vittal, welcome to WmW

Nice link - plenty to chew on :)

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved