WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Google
Web CertiGuide






Table Of Contents  CertiGuide to Security+
 9  Chapter 2:  Communication Security (Domain 2.0; 20%)
      9  2.3  The Web
           9  2.3.4.2  ActiveX

Previous Topic/Section
2.3.4.5  Signed Applets
Previous Page
Pages in Current Topic/Section
1
Next Page
 2.3.4.7  SMTP Relay
Next Topic/Section

2.3.4.6  CGI

CGI stands for “Common Gateway Interface”, and it amounts to a way of executing an external program or “script” by sending to the web server a URL request containing the name of the program to execute, and optionally some data for it. The server then runs the program or script, and sends the output (if any) back to the client, providing dynamic content, in contrast to the “static”, fixed page images displayed when “.html” pages are retrieved. For example, there are CGI programs to display web counters, maintain web site guest books, add entries to web “blogs”, display the time using pictures of the relevant numbers, etc.

An example of a URL that invokes a CGI script with no data passed to it, would be http://www.internic.net/cgi-bin/whois . As you can see, it is similar to a traditional “static” URL referencing an HTML page, except that the final path element doesn’t include a “.htm” or “.html” suffix. When you need to send data to the script, the URL gets a bit more complex. An example of a URL that invokes a CGI script, passing data for the script, would be http://www.internic.net/cgi-bin/whois?whois_nic= helenworld.com&type=domain. As you can see, it’s composed of the name of the CGI script, followed by a “?” that tells the web server when the data starts, then pairs of the form “dataitem=value”, separated by “&”.

The primary security issue with CGI scripts is that it’s very difficult to get them right.

Most system administrators of large UNIX sites can tell at least one horror story about some way a user found to make a UNIX shell script running with root permissions, do something other than what it was originally intended, like perhaps copy any file on the system, regardless of file access permissions set on it. CGI scripts219 are vulnerable to the same sorts of misdirection issues that affect UNIX shellscripts, and should be written carefully.

For further information on how to write more secure CGI scripts, see the WWW Security FAQ220.


 __________________

219. http://www.phrack.com/show.php?p=49&a=8

220. http://www.w3.org/Security/Faq/www-security-faq.html

Previous Topic/Section
2.3.4.5  Signed Applets
Previous Page
Pages in Current Topic/Section
1
Next Page
 2.3.4.7  SMTP Relay
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.