Avoid security vulnerabilities in your CGI programs

CGI makes creating Web-executable programs quick and easy--both for you and for hackers. Learn about some of the explicit security vulnerabilities of CGI and how to avoid them.

The World Wide Web Consortium fathered CGI, a protocol that enables the dynamic creation of Web-accessible content. It builds a communications pathway between external programs and a Web server. The CGI specification tells the Web server how to execute external programs to fulfill browser requests. The formatting of data traveling in both directions is also defined by this specification. CGI is not an application programmer interface, which means that you can implement it with most of the popular languages (C++, Java, Perl, PHP, etc.). Unfortunately, hackers can exploit CGI applications in various ways.

CGI form and content
A typical CGI application is involves the interaction between a Web application and a user via a form. Forms are usually done in HTML. Upon form submission, the browser pulls the form data, formats it, and sends it to a predefined URL (specified in the form post attribute). The CGI program validates the data and signals any errors (forwarded back to the browser). In this manner, a CGI program may act as a database front-end for user interaction.

Abusing privileges
Because CGI is easy to use as a front-end, it has a lot of flexibility and power that can go awry. Here are some examples of how these characteristics can be exploited with a poorly written CGI script:
  • Seizing permissions. Normally, a CGI application has the privileges of the user represented by the running Web server—and that user probably has root privileges. You may wonder why the CGI script has the same privileges. The reason is to avoid the bottleneck of a CGI script (which is accessing the database) being unable to execute the same file operations that the Web server can execute. Hackers know that seizing control of a CGI script often results in access to root privileges.
  • Memory problems. Since CGI scripts are often so incidental, and even trivial, little effort goes into correct allocation of memory segments. If a hacker can seize control of a CGI script, the hacker has access to server memory resources that may be arbitrarily used for the execution of malicious code.
  • Unverified input. It is up to the programmer to determine how rigorously input must be screened. Remember that a CGI script is often used to escort input directly from a user into the inner sanctum of a Web server. If the input validation and verification of the CGI script is missing or badly written, a hacker can manipulate the script to grab memory for the execution of an unauthorized program.

Use CGI with care
Unlike many hacker-exploitable weaknesses in Web technology, CGI programs have fixes available. You can create a wrapper for CGI programs, a container that preserves all CGI strengths and removes the weaknesses. Here's what a CGI wrapper can do for you:
  • Control of access to system resources. A CGI wrapper can limit the memory available to the script and prevent any unauthorized code from accessing the server file system or CPU. Hackers are stopped in their tracks.
  • Isolation of users. To overcome the permission-sharing between the CGI script and the Web server user identity, the wrapper may ensure that process ownership doesn't change; root privileges won't be improperly assigned.

CGI wrappers are inserted between the CGI script and the server administration software. They change the user and group identity so that the script runs independently of the server administrator's identity. Since each CGI script running on the server is independently defined, all user CGI scripts are isolated.

Which CGI wrappers are available to you depends largely upon the server software used. There are several types of wrapper, each with powerful features. Examine these carefully to see which is right for your environment:
  • CGI module wrappers. These wrappers regulate interaction with the server's execution environment, so the CGI script's exchange is more versatile. This gives the script greater potential functionality. You can also handle session tracking with module-based wrappers.
  • Nested CGI programs. It's possible to create a CGI wrapper from a CGI program. The server executes the wrapper, and the wrapper executes the script. The wrapper's function can be to control system resources, with the restrictions applied to the embedded CGI script. So if hackers do seize control of the CGI script, they have nowhere to go.
  • Library CGI wrappers. You can use CGI libraries to control CGI I/O. The advantage is that CGI I/O can be handed off to routines that are rigorously, rather than casually, developed, with proven robustness. In addition, handing this huge portion of a CGI program off to predefined, secure components gives the CGI programmer more time to focus on diligent development of the remainder of the program, such as prudent resource allocation.

About Scott Robinson

Scott Robinson is a 20-year IT veteran with extensive experience in business intelligence and systems integration. An enterprise architect with a background in social psychology, he frequently consults and lectures on analytics, business intelligence...

Editor's Picks

Free Newsletters, In your Inbox