ArticlesReader.com Menu
Newest Articles
Most Viewed Articles
ArticlesReader.com RSS
Submit Article
Login
Signup
Search the articles

Articles Main Categories
Advice
Animals
Automobiles
Business
Career
Communications
Computer Programming
Computers
Entertainment
Environment
Family
Fashion
Finance
Food
Health & Medical
Home & Garden
Humor
Internet Business
Internet Marketing
Legal
Leisure & Recreation
Marketing
Other
Politics
Reference & Education
Religion
Self Improvement
Sports
Technology & Science
Travel
Writing
Subscribe
Receive alert message from us when new articles submitted to our site for free.

Enter your name

Enter your email

Syndicate

















Related Products
Home::CGI

CGI Security Issues

Author : Richard Lowe

When you are creating or using CGI routines, you must be careful
to keep good coding techniques, security and just plain common
sense in mind. Sometimes you can do things that cause serious
unexpected site effects. In fact, sometimes you may think you
are making your CGI routine secure only to find out it just
doesn't work like you expected.

A good example of a this phenomenon is a simple CGI routine
called FormMail. This was written a number of years ago by a
fellow named Matt Wright to allow data to be entered in a form,
then emailed to a recipient.

I first looked at FormMail because I wanted to cut down on spam.
You see, my web site had my email address embedded on every
single page. I thought this was a good idea to allow people to
send me an email message when they wanted to contact me. In
fact, all of the web design books indicate that all good web
sites include an email link of this kind.

I soon discovered, much to my horror, that spammers use special
programs called Spam Harvesters to scan websites for email
addresses. They add these addresses to their mailing lists and
resell them over and over. The result is a large increase in the
amount of spam that I received.

After much research, I came to the conclusion that the best
defense against spam robots was to simply stop including my
email address on my web sites. This left the question of how to
allow users to contact me when they had questions or comments.

The answer is simple - use a form. The advantage is that the
email address is hidden within the CGI routine or a text file
and it is simply not possible for a spam harvester to pick it
up. As long as the email address is coded into the CGI routine
or in a database you are relatively secure.

However, many people use FormMail in a different way. Let's say
you want to allow your visitors to "tell a friend" about your
site. So you include a form which allows visitors to enter their
message and a target email address. If you are not very careful
you could find that you have set yourself up as a spam relay.

You see, spammers are always looking for ways to hide their
identity. One common method is to search the internet for
occurrences of FormMail. Sometimes I wonder if spammers rub
their hands together in glee when they find sites which use
FormMail with user-entered email addresses.

The spammer essentially "hijacks" the FormMail CGI routine and
causes it to send out emails as fast and furiously as they can.
I know of one instance where a spammer sent over one million
emails in a single day before someone noticed that their web
server was going very slowly (I wonder how long it would have
taken had the spammer tried limiting the load on the server so
it didn't show up as much). What happens here is very simple.
The FormMail CGI routine is simply called remotely by the
spammer, once for each spam email that he wants to send.

Ah, you say, but you could code the FormMail routine to check
the referrer field. This would surely prevent a spammer from
using it remotely, as his referrer would not be the website URL.

Sorry, no. The referrer field is actually a text string passed
to the CGI routine by the browser. The spammer is most likely
using a program which appears, to your web site, to be just
another browser. Since the spammer controls the program he can
code it to send the CGI routine whatever value he wants for the
referrer field.

As it turns out, it is very difficult to make a CGI routine such
as FormMail even relatively secure, and it may be impossible to
make it bullet-proof. All you can do is check enough things and
put in delays here and there to slow down and discourage
spammers.

You could, for example, only allow one posting per IP address
per hour. You could also check referrer just to block out the
more ignorant spammers. I suppose you could count the number of
times the routine is called, and have it just stop working after
a certain amount. For example, only allow one hundred calls per
day from anywhere.

The point here is not to tear apart the FormMail routine. The
goal is to show how difficult it can be to make anything secure
on the internet, and demonstrate that some assumptions (that the
referrer field is a valid check) may not be true in all cases.

What do you do? Before you implement any CGI or similar
interface, be sure and do a little research to be sure you
completely understand and handle the ramifications. If you don't
do this, you may find yourself the victim of a hacker or spammer.


Spam emails More free articles

Related articles


  1. 5 CGI Scripts You Must Use to Turn Your Site Into a Powerhouse
  2. Clever Profit Growth Software
  3. Why Aren't You Using CGI
  4. Use CGI to Automate Your Web Site
  5. CGI: What the Heck Is That?
  6. CGI Security Issues
  7. How to Stop Digital Thieves with CGI
  8. Quick Intro to PHP Development
  9. Better Writing: What Works and What Doesn't
  10. Password Protection and File Inclusion With PHP
  11. Autoresponders With PHP
  12. Track your visitors, using PHP
  13. PHP On-The-Fly!
  14. PHP and Cookies; a good mix!
  15. Screen scraping your way into RSS
  16. Mastering Regular Expressions in PHP
  17. ASP, CGI and PHP Scripts and Record-Locking: What Every Webmaster Needs To Know
  18. Open Source Scripts
  19. this is a test
  20. An Extensive Examination of the PHP:DataGrid Component: Part 1
  21. PHP:Form Series, Part 1: Validators & Client-side Validation
  22. Design an Online Chat Room with PHP and MySQL
More related feeds
VMware Security Advisory: ESX and ESXi Patches
patches for ESX and ESXi resolve multiple security issues Issue date: 2008-10-03 Updated on: 2008-10-03 (initial release of advisory) CVE numbers: CVE-2008-4279 CVE-2008-4278 CVE-2008-3103 CVE-2008-3104 CVE-2008-3105 CVE-2008-3106 ...

Deconstructing reconstruction : problems, challenges, and the way ...
Title: Deconstructing reconstruction : problems, challenges, and the way forward in Iraq and Afghanistan : hearing before the Committee on Homeland Security and Governmental Affairs, United States Senate, One Hundred Tenth Congress, ...

Firewall watchguard x1000, any good?
http://cgi.ebay.com/Watchguard-x1000-firewall-core-security-network_W0QQitemZ170267981989QQcmdZViewItem?hash=item170267981989&_trkparms=72%3A1210|39%3A1|66%3A2|65%3A12|240%3A1318&_trksid=p3286.c0.m14 Is it any good? Anyone uses it? ...

Stupid whm/apache bug
ScriptAlias /cgi-sys/ /usr/local/cpanel/cgi-sys/ ScriptAlias /mailman/ /usr/local/cpanel/3rdparty/mailman/cgi-bin/ ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi ScriptAliasMatch ^/?securecpanel/? ...

How to increasing CGI timeout in Windows!
I got a cgi error when I want upload something via my website, the platform is Windows + Plesk with cgi/php form!! I did something like this: http://www.iisadmin.co.uk/?p=7&page=2 but it's not worked!! so any one knows how can I ...

GAO Releases This Week
http://www.gao.gov/cgi-bin/getrpt?GAO-08-1099 Highlights - http://www.gao.gov/highlights/d081099high.pdf; Military Operations: DOD Needs to Address Contract Oversight and Quality Assurance Issues for Contracts Used to Support ...

How do I set up the CGI-BIN as webroot
CGI is a well supported technology and I'd like to mess around with it. I'd like to have all my files served from my CGI bin, however, I want it to work much the same as PHP does. I'd like to be able to access example.com and run index. ...

Confluence Security Advisory 2007-12-14
Upgrade to Confluence 2.7, or; Download and install the patch for Confluence 2.5.8 or Confluence 2.6.2 from our JIRA site – see issue CONF-10164. You can read more about XSS attacks at cgisecurity, CERT and other places on the web. ...

Confluence Security Advisory 2008-07-03
You can read more about XSS attacks at [cgisecurity|http://www.cgisecurity.com/articles/xss-faq.shtml], [CERT|http://www.cert.org/advisories/CA-2000-02.html] and other places on the web. h4. Risk Mitigation. If you judge it necessary, ...

GAO Releases this week
Nuclear Security: Los Alamos National Laboratory Faces Challenges In Sustaining Physical and Cyber Security Improvements, by Gregory C. Wilshusen, director, information security issues, before the Subcommittee on Oversight and ...

 

 

© 2007 articlesreader.com - All Rights Reserved