FirstSearch script security

Steve Westman swestman at sherlock.sherlock.utsa.edu
Wed Aug 14 12:21:38 EDT 1996

On Wed, 14 Aug 1996, Madeleine Showalter wrote:

> I have been told that "hackers" can enter commands in a form/search engine which can be 
> transferred to your operating system.  This can allow them to get to a command line 
> prompt in your system.  So, I assume that "secure" means to prevent this by changing 
> your CGI script.  That's all I know, I'm just a beginner in using CGI.
> 

The answer is simple: Yes and No.  If you are not careful in writing your 
CGI scripts, you can leave yourself open to attacks, particularly if 
you a) are using a UNIX platform for your server, and b) use 
sendmail or other SUID types of programs that take user input.

That's the bad news. The "good" (if not "fail proof") news is that you 
can avoid most security problems if you are aware of some of the problems 
and you learn to avoid certain practices in your CGI scripting.  There 
are a number of books and sites out there on the Web; a good starting 
place is:

http://www.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/Security

In particular, check out the "CGI" and "FAQ-World Wide Web Security" links.

If you are using perl for CGI programming on a UNIX platform, you might
also want to check out O'Reilly's "Managing Internet Information Services"
(ISBN 1-56592-062-7).  It has good examples of secure script writing
(including a way to keep users from using those nasty characters when
filling out a form that uses the sendmail program to forward the
responses). 

Hope this helps.


************************************************************************
* Stephen Westman                     (210) 691-5977 (phone)           *
* Electronic Services Librarian       (210) 691-4571 (FAX)             *
* University of Texas at San Antonio  swestman at coyote.utsa.edu         * 
* Library                                                              * 
* 6900 North Loop 1604 West                                            * 
* San Antonio, Texas 78249                                             *
************************************************************************
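The pattern the reply warns about, a Perl CGI script that hands a form field to sendmail, written both the risky way and the careful way. This is an added example, not code from the post or from the O'Reilly book it cites; the function names are made up for illustration, the sendmail path /usr/lib/sendmail is assumed, and the two form submissions are constructed sample input. In the demo at the bottom, `cat` stands in for sendmail so the script runs on any Unix box without a mailer.

```perl
#!/usr/bin/perl
# Added example: forwarding a form response to sendmail without letting the
# form contents reach a shell.  In a real CGI run this under `perl -T` so Perl
# refuses to pass unchecked ("tainted") input to any external command.
use strict;
use warnings;

# Taint-mode housekeeping: a fixed PATH and no shell-influencing variables.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# UNSAFE: the form field is interpolated into one string that /bin/sh parses,
# so characters such as ; | ` $ in $to turn into extra commands.
sub unsafe_command_line {
    my ($to) = @_;
    return "/usr/lib/sendmail -t $to";   # never do this with user input
}

# Accept only addresses built from a conservative character class.  The
# capture group is what untaints the value under -T; anything else is refused.
sub validate_address {
    my ($input) = @_;
    return undef unless defined $input && length $input <= 254;
    return $1 if $input =~ /^([A-Za-z0-9._+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/;
    return undef;
}

# Mail headers must be single lines: a CR or LF in a subject would let the
# submitter add headers of their own (Bcc:, Cc:) even with a clean address.
sub clean_header_value {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\r\n\0]//g;
    return $value;
}

# SAFE: an argument list for sendmail (path assumed).  The list always has
# more than one element, so open() below runs the program directly with no
# shell in between; '--' keeps an address starting with '-' from being read
# as an option.
sub build_argv {
    my ($addr) = @_;
    return ('/usr/lib/sendmail', '-oi', '--', $addr);
}

sub deliver {
    my ($argv, $addr, $subject, $body) = @_;
    open(my $mail, '|-', @$argv) or die "cannot run $argv->[0]: $!\n";
    print $mail "To: $addr\n", "Subject: $subject\n", "\n", $body, "\n";
    close($mail) or die "mailer exited with status $?\n";
    return 1;
}

# Returns 1 when the message was handed to the mailer, 0 when the submission
# was rejected.  $argv lets the demo substitute another program for sendmail.
sub forward_form_response {
    my ($form, $argv) = @_;
    my $addr = validate_address($form->{to}) or return 0;
    my $subject = clean_header_value($form->{subject});
    $argv ||= [ build_argv($addr) ];
    return deliver($argv, $addr, $subject, $form->{body});
}

# Constructed sample submissions: one honest, one carrying shell text and a
# smuggled header.
my %good = (to => 'reader@example.com', subject => 'Feedback', body => 'Nice site.');
my %bad  = (to => 'reader@example.com; echo injected',
            subject => "x\nBcc: someone\@example.com", body => '');

print "what /bin/sh would have seen: ", unsafe_command_line($bad{to}), "\n";
my $accepted = validate_address($bad{to});
print "injected address accepted? ", (defined $accepted ? 'yes' : 'no'), "\n";
print "cleaned subject: ", clean_header_value($bad{subject}), "\n";

# 'cat' stands in for sendmail so the message is echoed instead of mailed.
forward_form_response(\%good, ['cat']) or die "good submission rejected\n";
forward_form_response(\%bad,  ['cat']) or print "rejected injected submission\n";
```

The two defences do different jobs: the address allow-list stops the data from ever being a valid place to hide metacharacters, and the list-form open() means that even if something slipped through, there is no shell to interpret it. Taint mode (-T) is the backstop that makes Perl refuse the pipe open unless the value came through a regex capture like the one in validate_address.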