Perl | CGI Security
CGI stands for the Common Gateway Interface, a standard that lets a web server hand an incoming request to an external program and send that program's output back as the response. It is the mechanism that made dynamic web pages possible, and it is still used to run scripts on the server.
Perl became the most common language for writing CGI programs. Like any other CGI language, a Perl script runs on the server, with the web server's privileges, and talks directly to the underlying operating system (files, processes, environment). Any request data that reaches a file name, a command line or a shell is therefore a pathway by which an outside party can act on the host.
Perl itself is not insecure. The risk comes from the scripts: programmers routinely download ready-made CGI scripts and install them, and not all of them are as secure as they should be. Be skeptical of any CGI script obtained online. A script from an external source may contain bugs, or it may contain code that an intruder inserted deliberately.
As soon as a CGI script is online it is reachable by the entire world. Two kinds of people may use it to get into the system and cause serious problems: "hackers", people skilled at creatively manipulating how a system works, and "crackers", those who deface web pages or break into systems for mischief.
What is Insecure CGI?
Many CGI scripts are known to have security holes in their code. Most were fixed after they were found, but old copies remain available online and remain installed on servers. Running an outdated version of a script is a common cause of compromise: inventory the CGI scripts on your server, check their versions, and remove or update the outdated ones before someone else finds them.
There have been many examples of insecure CGI scripts, some are as follows:
In December 1998 Hotmail, then the most popular web mail service, was found to have a flaw in the CGI script that ran the service. The flaw let intruders into other people's mail accounts and let them read the mail stored there: a clear security breach that gave unauthorized users control over the mail of Hotmail's users.
Another example is a sample script that was commonly left in the cgi-bin directory; it should not be installed there. Although it offers useful features such as database access, it is a form of insecure CGI: it allows anyone on the Internet to reach into the host machine and read the files on it, including personal documents whose exposure can cause major trouble.
Execution of External CGI Program
The requirements for running an external CGI program or script on your machine are:
1) the web server must support the CGI interface, and
2) it must be configured to handle CGI programs (which directory, or which file extension, is treated as executable).
CGI files are stored in a preconfigured CGI directory (conventionally /cgi-bin) and are executed by the web server whenever a browser requests their URL; the browser itself never runs them. By convention, Perl CGI files carry the extension ".cgi".
The web server knows that a file in that directory is to be executed rather than sent to the client as-is. When the CGI program runs, the server connects STDIN (the request body), STDOUT (the response the program writes, beginning with its headers) and STDERR (normally the server's error log), and passes request details such as REQUEST_METHOD, QUERY_STRING and CONTENT_LENGTH to the program in environment variables.
Reading and Writing the External Programs
Perl frequently acts as the caller of another program.
There are several ways to run an external program from Perl, and the differences between them matter for security:
1) exec() function: when Perl reaches exec(), it replaces the current process with the named command. Control never returns to the Perl script (exec() only returns if the command could not be started), so nothing after it is executed.
2) system() function: the argument is the command for a child process. Perl forks; the child runs the command while the parent process waits for it to finish, and system() then returns the child's exit status. The syntax for the system statement is:
system ("test", "/usr/stats/$username");
Here test is the program to run and /usr/stats/$username is its single argument, which a CGI script would build from a username supplied by the user on the page. Because the command and its argument are passed as separate list elements, Perl executes the program directly rather than through a shell, so the username reaches the program as one literal argument even if it contains spaces or shell metacharacters. $username must still be validated first: the list form prevents shell injection, but a value such as ../../etc/passwd still reaches the program as a path.
The difference between an insecure and a secure use of exec() is as follows:
1) exec "echo $arg"; is insecure. When a single string contains shell metacharacters (spaces, ;, |, $, backquotes and so on), Perl hands it to /bin/sh, so anything the user placed in $arg is parsed as shell syntax and can run further commands.
2) exec "echo", $arg; is secure in this respect. With a list of arguments Perl executes the program directly; no shell is involved and $arg is delivered to echo as one literal argument, whatever characters it contains.
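The following script is an added example, not code from the original article. It shows the exec()/system() distinction above on a constructed input (the string form splits it into two commands, the list form does not), and it demonstrates the CGI environment described earlier by acting as a real CGI program when a web server runs it: it reads the username from QUERY_STRING, untaints it with a whitelist regex under taint mode, and runs the external program in list form. The program /usr/local/bin/stats is an assumed stand-in for the article's "test" program, and the query-string parser is a minimal inline one written for this example.

```perl
#!/usr/bin/perl -T
# Added example (not the article's code). Runs under taint mode (-T):
# from a terminal invoke it as  perl -T safe_exec.cgi  or install it in cgi-bin.
# /usr/local/bin/stats is an assumed stand-in for the article's "test" program;
# /usr/stats/<username> is the layout the article describes.
use strict;
use warnings;

# Under -T, system()/exec()/open() die if PATH is tainted, so pin it first and
# drop the variables a shell or child program would honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# String form: Perl sees shell metacharacters and hands the whole line to
# /bin/sh, so characters in $arg become shell syntax. Same hazard as exec "echo $arg".
sub echo_via_shell {
    my ($arg) = @_;
    return scalar `echo $arg`;
}

# List form: the argument vector goes straight to execve(); no shell ever sees
# it. Same property as exec "echo", $arg, but a pipe-open lets us read the
# output back instead of replacing this process.
sub echo_without_shell {
    my ($arg) = @_;
    open(my $fh, '-|', 'echo', $arg) or die "cannot run echo: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Minimal query-string decoder (inline so the script has no dependencies).
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined $_;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = $v // '';
    }
    return \%param;
}

# Whitelist validation. Under -T only a regex capture lifts the taint, so any
# value that does not match this conservative shape is rejected outright.
sub untaint_username {
    my ($raw) = @_;
    return $1 if defined $raw && $raw =~ /\A([a-z][a-z0-9_-]{0,31})\z/;
    return undef;
}

# Builds the argument vector for the external program, or returns undef.
sub stats_command {
    my ($raw) = @_;
    my $user = untaint_username($raw);
    return undef unless defined $user;
    return ['/usr/local/bin/stats', "/usr/stats/$user"];   # a list, never one string
}

if ($ENV{GATEWAY_INTERFACE}) {
    # Started by a web server: behave as a CGI program.
    my $cmd = stats_command(parse_query($ENV{QUERY_STRING})->{username});
    if (!$cmd) {
        print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad username\n";
        exit 0;
    }
    $| = 1;   # flush our headers before the child writes to the same STDOUT
    print "Content-Type: text/plain\r\n\r\n";
    system(@$cmd) == 0 or print "stats failed: $?\n";
} else {
    # Started from a terminal: show the difference on a constructed input.
    my $hostile = 'alice; echo INJECTED';
    print "string form -> ", echo_via_shell($hostile);     # two lines: alice, INJECTED
    print "list form   -> ", echo_without_shell($hostile); # one line, verbatim
    for my $in ('alice', 'alice; echo INJECTED', '../etc/passwd', 'Bob') {
        my $cmd = stats_command($in);
        printf "%-24s %s\n", "'$in':", $cmd ? "@$cmd" : 'rejected';
    }
}
```

Run from a terminal, the string form prints alice and INJECTED on separate lines while the list form prints the whole input as one line, and only the plain username alice yields a command; the other three inputs are rejected before any program is started. Note that taint mode does not validate anything on its own: it only forces the regex step, and the regex is what decides what a username may look like.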
Consequences of Insecure CGI
CGI is the gateway between the server-side code and the end user. Every request passes through the host's operating system, so a flaw in that gateway is reachable from anywhere on the Internet and can cause real damage.
There are various ways in which unauthorized users can get through a CGI script and misuse your information. Most can be avoided by paying attention to where scripts come from and how they handle input. The ways in which insecure scripts harm the host include the following:
1) An insecure CGI script can leak confidential information about the host's environment, such as environment variables, file system paths or configuration details, making the system transparent to anyone on the Internet.
2) A remote user can supply input that makes the script execute commands of the user's choosing. This happens whenever the script passes user input, unvalidated, to a shell, to exec() or system(), or to a function that opens files.
As discussed earlier, a programmer should know exactly what each script does and take responsibility for its security. Be skeptical of every CGI script you incorporate from an online source, and review how it handles user input before putting it on a server.