CGI Security Issues

Written by Richard Lowe

Continued from page 1

The spammer essentially "hijacks" the FormMail CGI routine and causes it to send out emails as fast and furiously as they can. I know of one instance where a spammer sent over one million emails in a single day before someone noticed that their web server was going very slowly (I wonder how long it would have taken had the spammer tried limiting the load on the server so it didn't show up as much). What happens here is very simple. The FormMail CGI routine is simply called remotely by the spammer, once for each spam email that he wants to send.

Ah, you say, but you could code the FormMail routine to check the referrer field. This would surely prevent a spammer from using it remotely, as his referrer would not be the website URL.

Sorry, no. The referrer field is actually a text string passed to the CGI routine by the browser. The spammer is most likely using a program which appears, to your web site, to be just another browser. Since the spammer controls the program, he can code it to send the CGI routine whatever value he wants for the referrer field.

As it turns out, it is very difficult to make a CGI routine such as FormMail even relatively secure, and it may be impossible to make it bullet-proof. All you can do is check enough things and put in delays here and there to slow down and discourage spammers.

You could, for example, only allow one posting per IP address per hour. You could also check the referrer just to block out the more ignorant spammers. I suppose you could count the number of times the routine is called, and have it just stop working after a certain amount. For example, only allow one hundred calls per day from anywhere.
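As an added example that is not from the article, here is how the two throttles just described, one posting per IP address per hour and a global cap of one hundred calls per day, can be enforced in a Python CGI mailer, with the referrer comparison kept only as a weak signal. The class name, the default thresholds and the injectable clock are assumptions made for the example.

```python
import time
from urllib.parse import urlparse


class FormMailGuard:
    """Abuse throttles for a FormMail-style mailer (example code, not the
    original FormMail). Call check() before sending anything."""

    def __init__(self, site_host, per_ip_window=3600, daily_cap=100, clock=time.time):
        self.site_host = site_host          # host the form is expected to live on
        self.per_ip_window = per_ip_window  # seconds between postings from one IP
        self.daily_cap = daily_cap          # total calls allowed per calendar day
        self.clock = clock                  # injectable so the policy can be tested
        self._last_by_ip = {}               # ip -> timestamp of its last accepted post
        self._calls_today = 0
        self._day = None

    def _roll_day(self, now):
        # Reset the global counter when the UTC day changes.
        day = int(now // 86400)
        if day != self._day:
            self._day, self._calls_today = day, 0

    def check(self, remote_ip, referer):
        """Return (allowed, reason). A referer mismatch is refused, but it is the
        weakest of the three checks: the header is whatever the client chose to
        send, so a custom program can forge the site's own URL."""
        now = self.clock()
        self._roll_day(now)
        if self._calls_today >= self.daily_cap:
            return False, "daily cap reached"
        last = self._last_by_ip.get(remote_ip)
        if last is not None and now - last < self.per_ip_window:
            return False, "ip throttled"
        if urlparse(referer or "").hostname != self.site_host:
            return False, "referer mismatch (weak check)"
        # Only accepted posts consume quota.
        self._last_by_ip[remote_ip] = now
        self._calls_today += 1
        return True, "ok"
```

In a real deployment the per-IP table and the daily counter must live outside the process (a file or database), since each CGI call starts a fresh interpreter.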

The point here is not to tear apart the FormMail routine. The goal is to show how difficult it can be to make anything secure on the internet, and to demonstrate that some assumptions (that the referrer field is a valid check) may not be true in all cases.

What do you do? Before you implement any CGI or similar interface, be sure to do a little research so that you completely understand and handle the ramifications. If you don't, you may find yourself the victim of a hacker or spammer.

Richard Lowe Jr. is the webmaster of Internet Tips And Secrets at - Visit our website any time to read over 1,000 complete FREE articles about how to improve your internet profits, enjoyment and knowledge.

CGI: What the Heck Is That?

Written by Richard Lowe

Continued from page 1

3) Each of the input tags includes a variable name. The data which is retrieved from the visitor (or directly set if the tag includes the "hidden" qualifier) is placed in the variable name.

4) When the visitor presses the "submit" button, the CGI routine which was specified in the form tag is executed. At this time, the CGI routine "takes control", meaning the browser is essentially waiting for it to complete.

5) This CGI routine can get data from the variable names. It retrieves the data and does whatever action is required.

6) When the CGI routine finishes, it returns control back to the web client (the browser).
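Steps 3 to 6 as an added Python CGI script, not code from the article: the web server passes the request in environment variables and, for POST, the form body on stdin; the script recovers the named variables (hidden fields included), escapes them, and hands back the complete response that the server relays to the waiting browser. The function names and the sample fields are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs


def read_form(environ, stdin):
    """Steps 3 and 5: rebuild the form's variable names and values.
    GET data arrives in QUERY_STRING; POST data arrives on stdin and is
    exactly CONTENT_LENGTH bytes long, so read no more than that."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = stdin.read(length).decode("utf-8", "replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    # parse_qs keeps a list per name (a form may repeat a field); take the first.
    return {name: values[0] for name, values in parse_qs(raw).items()}


def handle(environ, stdin):
    """Step 6: build the response (header block, blank line, body) the server
    returns to the browser. Values are HTML-escaped because they came from the
    visitor and must not be echoed back as markup."""
    fields = read_form(environ, stdin)
    rows = "".join(
        "<li>%s = %s</li>" % (html.escape(k), html.escape(v))
        for k, v in sorted(fields.items())
    )
    body = "<html><body><ul>%s</ul></body></html>" % rows
    return "Content-Type: text/html\r\n\r\n" + body


if __name__ == "__main__":
    # When run by the server as a CGI program, the environment and stdin are real.
    import os
    import sys
    sys.stdout.write(handle(os.environ, sys.stdin.buffer))
```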

Some important things to remember about CGI routines:

- You can install CGI routines on your own site if your host allows it - Addr.Com is an example of a web host which allows for CGI routines. Some web hosts do not allow you to install your own routines but do provide some pre-written ones to you. If these are not sufficient for your needs, you can find a remote hosting service to provide the necessary functions.

- Generally, if you install your own routines they must be installed in the cgi-bin directory of your site. This is a special location which allows scripts and programs to be executed.

- CGI routines work best on Apache-style servers. Windows NT and Windows 2000 do support CGI, but it tends to be slow and problematic.

- If you use a remote hosting service, you must remember that although they appear to be giving you this for free, you are actually paying a price. Usually they want to display advertisements, although some of them actually take visitors away from your site.

- When you write a CGI routine, you have the choice of a scripting language like Perl or a compiled language such as C++ or Visual Basic. Anything which can execute on the web server is acceptable.

I hope this short introduction to CGI has cleared up some of the mystery.

Richard Lowe Jr. is the webmaster of Internet Tips And Secrets. This website includes over 1,000 free articles to improve your internet profits, enjoyment and knowledge. Web Site Address: Weekly newsletter: Daily Tips:
