Perl | Security Issues in CGI
Before diving into the security issues with CGI and Perl, let's first look at what Perl is. Perl stands for Practical Extraction and Reporting Language. It was built in 1987 by Larry Wall. It's a smart object-oriented language, since it takes some useful features from C and BASIC as well. This programming language used to be the master of web programming, as it functioned differently from other languages. CGI (Common Gateway Interface) is used by web programming languages for generating web pages dynamically.
Effects on Client Side
As soon as we make a website, we are tempted to publish it online and show the world our achievement; young minds want to put it on their resume and show companies what they are capable of. BUT the Internet, although it gives us exposure, also exposes us to the online world of hackers and notorious users.
When we talk about CGI, we cannot avoid talking about other languages like C, C++, BASIC, etc. C handles strings poorly: many C programmers define a fixed-size buffer for the input, but that turns out to be dangerous, because input longer than the buffer overflows it and can lead to unauthorized access.
Perl is compiled and executed in a single step, which opens it to the possibility of hazardous data being entered by untrusted users. Using scripts written in C or BASIC over CGI is considered safer. Interaction with users is the best and worst feature of CGI: some users bend the rules of the script, while others are unwanted users who visit your web page for the sole purpose of hacking it.
We should be alert about who uses our page and keep track of every user who has used it.
Some forms of ATTACK
There is a huge possibility that while you are using CGI, other users on the same system are running something else alongside it. This leads us to internal attacks: another user on the system can poke around in your script and give it unwanted, uncalled-for attention, which can result in its security being exploited.
Setuid is a feature used with CGI which lets a script run with the permissions of the user who owns it rather than those of the user who invokes it. This can cause a problem, and it makes the whole process tedious: the owner has to grant the permission, and the owner may have no idea that the developer is making changes.
An attacker can also trick the script into running an external program of their own instead of the one you specified in the CGI script. Again, user input causes the majority of security problems.
Guidelines for safe CGI Scripting
Now that we have talked about the security holes in CGI, we should also know the good practices which help us write a secure CGI script and maintain its security in spite of the many users who will use the site.
Basic things first: making your whole computer/system safe will make your website almost safe, so make sure the computer that you're working on is secure and has a good antivirus installed.
While creating a file, you should take note of what permissions you are giving to it. Users who have access to the local directory can take undue advantage of unneeded permissions.
Precompiled programs available on the internet are a big NO. They are found to be full of hidden viruses and may also gain access to your files once they are run on your computer.
We should examine and understand all code/programs taken from the internet, as they can contain anything from a security breach to a Trojan horse. Such faulty programs often take advantage of amateurs and beginners in CGI scripting.
Therefore, the root of security problems in CGI is user input, as mentioned above. These users can be from the Internet or from your own internal network. One should therefore always be concerned about how and when permissions are given, and to whom.
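To make the points about untrusted user input and external programs concrete, here is an added example (not code from the original article). It stands in for a Perl CGI script: the request is a constructed QUERY_STRING, the `param` helper and the `id` command are assumptions, and the point is how taint mode (-T), strict validation and the list form of `system()` keep user input from choosing what the server runs.

```perl
#!/usr/bin/perl -T
# Added example: validating CGI input before it reaches an external program.
# Runs offline: the "request" below is a constructed QUERY_STRING, not a real
# web request (a real request's values would arrive tainted under -T).
use strict;
use warnings;

$ENV{QUERY_STRING} = 'user=alice';            # constructed sample input
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};     # -T insists on a clean environment
$ENV{PATH} = '/bin:/usr/bin';                 # and an explicit, trusted PATH

# Minimal query-string parser (assumption: stands in for CGI.pm's param()).
sub param {
    my ($name) = @_;
    for my $pair (split /&/, $ENV{QUERY_STRING} // '') {
        my ($k, $v) = split /=/, $pair, 2;
        return $v if defined $k && $k eq $name;
    }
    return;
}

my $user = param('user');

# UNSAFE (shown for contrast, never executed): the raw value is interpolated
# into a command line, so the shell, not the script, decides what runs.
#   system("id -u $user");

# Validate: accept only the exact shape the script expects. Capturing from a
# regex is also what untaints the value under -T; anything else dies before
# any external program is involved.
my ($safe_user) = ($user // '') =~ /\A([a-z][a-z0-9_-]{0,31})\z/
    or die "rejected: user name has an unexpected form\n";

# List form of system(): no shell is spawned, so the argument is passed to
# /usr/bin/id verbatim and cannot be reinterpreted as extra commands.
my $rc = system('/usr/bin/id', '-u', $safe_user);
print "id exited with status ", $rc >> 8, "\n";
```

Change the constructed input to something like `user=alice;ls` and the script dies at the validation step, whereas the commented-out interpolated form would have handed the whole string to a shell.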