CGI Security Issues by Richard Lowe


When you are creating or using CGI routines, you must be careful to keep good coding techniques, security and just plain common sense in mind. Sometimes you can do things that cause serious, unexpected side effects. In fact, sometimes you may think you are making your CGI routine secure only to find out it just doesn't work the way you expected.

A good example of this phenomenon is a simple CGI routine called FormMail. It was written a number of years ago by a fellow named Matt Wright to allow data to be entered in a form and then emailed to a recipient.

I first looked at FormMail because I wanted to cut down on spam. You see, my web site had my email address embedded on every single page. I thought this was a good idea to allow people to send me an email message when they wanted to contact me. In fact, all of the web design books indicate that all good web sites include an email link of this kind.

I soon discovered, much to my horror, that spammers use special programs called spam harvesters to scan websites for email addresses. They add these addresses to their mailing lists and resell them over and over. The result was a large increase in the amount of spam that I received.

After much research, I came to the conclusion that the best defense against spam robots was to simply stop including my email address on my web sites. This left the question of how to allow users to contact me when they had questions or comments.

The answer is simple - use a form. The advantage is that the email address is hidden within the CGI routine or a text file and it is simply not possible for a spam harvester to pick it up. As long as the email address is coded into the CGI routine or in a database you are relatively secure.

However, many people use FormMail in a different way. Let's say you want to allow your visitors to "tell a friend" about your site. So you include a form which allows visitors to enter their message and a target email address. If you are not very careful you could find that you have set yourself up as a spam relay.

You see, spammers are always looking for ways to hide their identity. One common method is to search the internet for occurrences of FormMail. Sometimes I wonder if spammers rub their hands together in glee when they find sites which use FormMail with user-entered email addresses.

The spammer essentially "hijacks" the FormMail CGI routine and causes it to send out emails as fast and furiously as they can. I know of one instance where a spammer sent over one million emails in a single day before someone noticed that their web server was going very slowly (I wonder how long it would have taken had the spammer tried limiting the load on the server so it didn't show up as much). What happens here is very simple. The FormMail CGI routine is simply called remotely by the spammer, once for each spam email that he wants to send.

Ah, you say, but you could code the FormMail routine to check the referrer field. This would surely prevent a spammer from using it remotely, as his referrer would not be the website URL.

Sorry, no. The referrer field is just a text string passed to the CGI routine by the browser, or by whatever program is pretending to be a browser. The spammer is most likely using a program which appears, to your web site, to be just another browser. Since the spammer controls the program, he can have it send the CGI routine whatever value he wants for the referrer field.

As it turns out, it is very difficult to make a CGI routine such as FormMail even relatively secure, and it may be impossible to make it bullet-proof. All you can do is check enough things and put in delays here and there to slow down and discourage spammers.

You could, for example, only allow one posting per IP address per hour. You could also check the referrer just to block out the more ignorant spammers. I suppose you could count the number of times the routine is called and have it simply stop working after a certain number. For example, only allow one hundred calls per day from anywhere.
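The defences listed above, put together as an added example (not Matt Wright's FormMail code): a small gate that a form-mail handler would call before sending anything. It keeps the recipient fixed to an allowlist inside the script (so a "tell a friend" form cannot be turned into a relay), allows one posting per IP per hour, caps calls at one hundred per day, and keeps the referrer check only as the weak, client-supplied test the article says it is. The recipient, site URL and `now` clock are constructed placeholders.

```python
# Added example, not part of the original article or of FormMail itself.
import time
from collections import defaultdict

ALLOWED_RECIPIENTS = {"webmaster@example.com"}   # constructed placeholder
SITE_URL = "http://www.example.com/"             # constructed placeholder
PER_IP_WINDOW = 3600   # one posting per IP address per hour
DAILY_CAP = 100        # one hundred calls per day from anywhere


class FormMailGate:
    """Decides whether a form submission may be mailed. Sends nothing itself."""

    def __init__(self, now=time.time):
        self.now = now                    # injectable clock for testing
        self.last_post_by_ip = {}         # ip -> timestamp of last accepted post
        self.day_counts = defaultdict(int)  # day number -> accepted posts

    def referer_ok(self, headers):
        # Weak check only: the Referer header is text chosen by the client,
        # so a spoofed value passes. It filters the laziest abuse, nothing more.
        return headers.get("Referer", "").startswith(SITE_URL)

    def check(self, remote_ip, headers, recipient):
        """Return (allowed, reason). Call this before handing mail to sendmail."""
        now = self.now()
        day = int(now // 86400)
        # The recipient must come from the script, never from the form field.
        if recipient not in ALLOWED_RECIPIENTS:
            return False, "recipient not in allowlist"
        if not self.referer_ok(headers):
            return False, "bad referer"
        last = self.last_post_by_ip.get(remote_ip)
        if last is not None and now - last < PER_IP_WINDOW:
            return False, "ip rate limited"
        if self.day_counts[day] >= DAILY_CAP:
            return False, "daily cap reached"
        # Record the accepted post only after every check has passed.
        self.last_post_by_ip[remote_ip] = now
        self.day_counts[day] += 1
        return True, "ok"
```

Because the recipient is checked before the referrer, a forged Referer header on its own buys an abuser nothing: the mail still only goes to the address hard-coded in the script.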

The point here is not to tear apart the FormMail routine. The goal is to show how difficult it can be to make anything secure on the internet, and demonstrate that some assumptions (that the referrer field is a valid check) may not be true in all cases.

What do you do? Before you implement any CGI or similar interface, be sure to do a little research so that you completely understand and handle the ramifications. If you don't, you may find yourself the victim of a hacker or spammer.


About the Author

Richard Lowe Jr. is the webmaster of Internet Tips And Secrets at http://www.internet-tips.net - Visit our website any time to read over 1,000 complete FREE articles about how to improve your internet profits, enjoyment and knowledge.
