
for configuration files, another for logs, one for HTML documents, and yet another for CGI scripts. Generally, the directory used to store CGI scripts and programs is called CGI-BIN.

When you look at Figure 4.5, you will notice that the HTML directory (which is used to store Web pages and other content for the Web site) is separate from the CGI-BIN directory (used to store CGI scripts and programs). Because the server treats a request into the CGI-BIN as a request to execute a program rather than to send a file, users are generally unable to view the contents of the CGI-BIN directory with a Web browser: what comes back is the program's output, not its source. You may be aware that when you access a Web site by entering a URL like www.syngress.com, a default Web page (such as default.htm or index.htm) is displayed to the user. This Web page, and any other HTML documents accessed on the site, is stored under the directory that's specified to store HTML documents. In the case of Figure 4.5, this directory is called HTML. While users may be able to access subdirectories under the HTML directory, they are restricted by permissions from navigating above this directory. To do so would allow users to access the files used to run the Web server. Because the CGI-BIN is separated from the directory used to store HTML documents, users cannot navigate from the document tree into the CGI-BIN and read the scripts within it.

Figure 4.5 Example of a Web Server's Directory Structure

[Figure: the Web server installation directory, with four subdirectories beneath it: CGI-BIN, HTML, CONF, and LOGS]

The directory that's used to store HTML documents is commonly referred to as the document root. A number of Web servers will allow you to put CGI scripts and programs in this directory, along with the Web pages, graphics, and other elements used for your Web site. This presents a security risk, because files stored in the document root must be readable by the Web server (in practice, usually by all users on the machine) and are sent to anyone who requests them, so that visitors can read the Web pages in an Internet browser. If CGI scripts are placed in a directory with these rights, and the server has not been told to execute files of that name or extension, a request for the script simply returns its source, and a hacker could read your CGI scripts and find possible ways to attack your site. This may include finding information about the server's directory structure, usernames, passwords, comments, or other items that could be exploited.

Placing scripts and programs in the CGI-BIN is also advantageous because you only have to set permissions on one global CGI directory. If permissions are set properly, the Web server will be able to execute these programs, but users won't have the ability to read or write to the directory. Improper permissions are how many hackers use the CGI-BIN to attack a site. If users can read files in a directory, they can view the information contained within them, including the source of every script. If the write permission has been set for all users, or for user accounts that shouldn't have this ability, then an attacker could rewrite a script, or upload a program to the directory that has the same name as the original. When the program or script is later executed, it typically runs with the privileges of the Web server itself, and unwanted activities (such as restarting your server or worse) could result.

Organization is another reason to place scripts and programs in a CGI-BIN directory. Programs are easier to find and maintain if they are located in the same directory, so it is wise to place them all in the CGI-BIN. Imagine trying to find a single script on a site that has them scattered across several places. In addition to the time you'll spend trying to find a particular script, there is a greater chance that one will reside in a directory with improper permissions, creating a potential security hole.
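The permission rules above can be checked mechanically. The following Python script is an added example written for this edition of the text, not code from the book: it walks a CGI directory and reports entries writable by group or others, files without an execute bit (which a server will either refuse to run or hand back as text), symbolic links, leftover backup copies of scripts (the .bak and ~ files that the chapter's rules list later tells you to remove before going live), and, optionally, whether the CGI directory itself sits inside the document root. The directory tree that build_demo_dir creates is constructed for the demonstration; the backup-suffix list and the wording of each finding are assumptions, so adjust them to your own server.

```python
"""Audit a CGI directory for the permission problems discussed above.

Added example. The layout built by build_demo_dir() is constructed for the
demonstration and does not represent any real server.
"""
import os
import stat
import tempfile

# Suffixes that editors and copy commands leave behind (assumed list).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")
GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH
ANY_EXECUTE = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_cgi_dir(cgi_dir, document_root=None):
    """Return a list of (relative_path, problem) pairs for cgi_dir.

    relative_path is relative to cgi_dir ("." is the directory itself).
    If document_root is given, a CGI directory that lies inside it is
    reported, because scripts there are served like any other file when
    the server is not told to execute them.
    """
    findings = []
    cgi_dir = os.path.realpath(cgi_dir)
    if document_root is not None:
        root = os.path.realpath(document_root)
        if os.path.commonpath([cgi_dir, root]) == root:
            findings.append((".", "CGI directory lies inside the document root"))

    for dirpath, _dirnames, filenames in os.walk(cgi_dir):
        rel_dir = os.path.relpath(dirpath, cgi_dir)
        if os.stat(dirpath).st_mode & GROUP_OR_WORLD_WRITABLE:
            findings.append((rel_dir, "directory is group- or world-writable"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                # A link can point anywhere, including outside the audited tree.
                findings.append((rel, "symbolic link inside CGI directory"))
                continue
            if mode & GROUP_OR_WORLD_WRITABLE:
                findings.append((rel, "file is group- or world-writable"))
            if name.endswith(BACKUP_SUFFIXES):
                findings.append((rel, "backup/temporary copy of a script"))
            elif not mode & ANY_EXECUTE:
                findings.append((rel, "file is not executable"))
    return findings


def build_demo_dir():
    """Create a constructed server tree in a temporary directory.

    Returns (install_dir, cgi_dir, html_dir). The contents are fictitious.
    """
    install_dir = tempfile.mkdtemp(prefix="webserver-demo-")
    cgi_dir = os.path.join(install_dir, "cgi-bin")
    html_dir = os.path.join(install_dir, "html")
    os.mkdir(cgi_dir)
    os.mkdir(html_dir)
    os.chmod(cgi_dir, 0o755)   # set explicitly; mkdir's mode is reduced by the umask
    samples = {
        "search.cgi": 0o755,       # correct: executable, not writable by others
        "upload.cgi": 0o777,       # wrong: anyone on the machine can replace it
        "search.cgi.bak": 0o644,   # wrong: editor backup exposes the source
        "README": 0o644,           # wrong: plain file in a script directory
    }
    for name, mode in samples.items():
        path = os.path.join(cgi_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\n")
        os.chmod(path, mode)
    return install_dir, cgi_dir, html_dir


if __name__ == "__main__":
    install_dir, cgi_dir, html_dir = build_demo_dir()
    for rel, problem in audit_cgi_dir(cgi_dir, document_root=html_dir):
        print(f"{rel}: {problem}")
```

Run it against a real installation as audit_cgi_dir("/path/to/cgi-bin", document_root="/path/to/html"); an empty list is the goal. The check is deliberately strict about group write because on shared hosts the Web server's group often includes every customer account.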

Because CGI-BIN is the common name for a directory used to store CGI scripts and programs, it makes sense that hackers would first look to see if this directory exists, and then try to exploit improper permissions and bad coding. For this reason, a number of Web servers offer you the ability to specify a different name for these directories. For example, you could specify that CGI scripts and programs are contained in a directory named CGI, PROGS, or any other name you choose. If a hacker who exploits CGI vulnerabilities goes to your site, he or she will find that a CGI-BIN directory isn't there, and may feel it's easier to move on to another site that does have one. Moreover, as mentioned earlier, many hacking tools that look for CGI vulnerabilities only probe the CGI-BIN path. Since this directory doesn't exist, these tools will either show that no vulnerabilities are found, or will show that no CGI scripts exist. Bear in mind that renaming the directory is obscurity, not protection: the real path of every script appears in the ACTION attribute of the forms that call it, so anyone who views the source of your pages will find it immediately. Renaming buys time against automated scans; correct permissions and careful coding are what actually keep the scripts safe.

Summary

CGI programs can be a great benefit or a great burden, depending on whether you've protected yourself against possible vulnerabilities that can be used to hack your site. We saw in this chapter that CGI programs and scripts run on the server side, and act as a middleman between the Web server and an external application. They are used on numerous sites on the Web, and for a variety of purposes. In terms of e-commerce sites, they are essential to the method in which business is conducted, and many sites cannot function without them.

Break-ins resulting from weak CGI scripts can occur in a variety of ways. This may be through gaining access to the source code of the script and finding vulnerabilities contained in it, or by viewing information showing directory structure, usernames, and/or passwords. By manipulating these scripts, a hacker can modify or view sensitive data, or even shut down a server so that users are unable to use the site.

In most cases, the cause of a poor CGI script can be traced back to the person who wrote the program. However, by following good coding practices and avoiding the common problems described in this chapter, you will be able to use CGI programs without compromising the security of your site.

Solutions Fast Track

What Is a CGI Script, and What Does It Do?

• CGI is used by Web servers to connect to external applications. It provides a way for data to be passed back and forth between the visitor to a site and a program residing on the Web server. CGI isn't the program itself, but the medium used to exchange information between the Web server and the Internet application or script.

• CGI uses server-side scripting and programs. Code is executed on the server, so it doesn't matter what type of browser the user is using when visiting your site.

• Uses for CGI are found at sites such as eBay and e-commerce sites that may use more complex CGI scripts and programs for making transactions; guest books, chatrooms, and comment or feedback forms are another common use for CGI programs.

• CGI should be used when you want to provide a dynamic, interactive Web page, and need to take advantage of the Web server's functions and abilities. CGI programs are an excellent means of searching and storing information in a database, processing forms, or using information that is available on the server and cannot be accessed through other methods. Even so, keep the interaction with the user as limited as the task allows, since every input a script accepts is an opportunity for abuse.

• Many ISPs don't provide CGI support, as poorly written scripts and programs are a security risk, and may jeopardize the security of that site and others hosted on their Web server.

Break-Ins Resulting from Weak CGI Scripts

• One of the most common methods of hacking a Web site is to find and use poorly written CGI scripts. Using a CGI script, an attacker may be able to acquire information about a site, access directories and files they wouldn't normally be able to see or download, and perform various other unwanted and unexpected actions.

• It is important that you ensure that the form used to collect data from users is compatible with the CGI script.

• Your code should analyze the data it is receiving, and provide error-handling code to deal with problems. Error handling deals with improper or unexpected data that's passed to the CGI script. It allows you to return messages informing the user that certain fields haven't been filled out, or to reject or ignore data that doesn't match what the script expects.

• Wrapper programs and scripts can be used to enhance security when using CGI scripts. They can provide security checks, control ownership of a CGI process, and allow users to run the scripts without compromising your Web server's security.
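The input-checking and error-handling points above, as an added example written for this edition rather than code from the book. The function below does the work a CGI script should do before it touches anything else: it parses the raw form submission (what the script would read from the QUERY_STRING variable or from standard input on a POST), enforces a server-side size limit, checks that each expected field is present exactly once, and accepts a value only if it matches a pattern appropriate to that field. It then shows how a validated username is handed to an external program as a separate argument rather than through a shell, which is how many early scripts that called finger or mail were broken. The field names, their rules and the sample submissions are assumptions constructed for the demonstration.

```python
"""Validate a CGI form submission before any of it is used.

Added example. Field names, rules and the sample submissions are
constructed for the demonstration; adapt them to your own form.
"""
import re
from urllib.parse import parse_qs

# One rule per field the form is allowed to send. Anything else is reported.
FIELD_RULES = {
    # First character alphanumeric or underscore: a value starting with '-'
    # could otherwise be read as an option by the program it is passed to.
    "username": {"required": True, "max_len": 32,
                 "pattern": re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")},
    "email":    {"required": True, "max_len": 254,
                 "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
    # Free text: printable characters plus tab and newline, no other controls.
    "comment":  {"required": False, "max_len": 1000,
                 "pattern": re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f\x7f]*")},
}

# A form's MAXLENGTH attribute only limits well-behaved browsers; the
# script must impose its own ceiling on what it is willing to parse.
MAX_BODY_BYTES = 4096


def validate_form(raw_body, rules=FIELD_RULES, max_body=MAX_BODY_BYTES):
    """Parse an application/x-www-form-urlencoded body and check every field.

    Returns (clean, errors). clean maps field name to the accepted value;
    errors is a list of messages suitable for returning to the user. A field
    that fails any check is left out of clean, so callers can never reach
    an unvalidated value by accident.
    """
    if len(raw_body) > max_body:
        return {}, ["Submission too large."]
    fields = parse_qs(raw_body, keep_blank_values=True)
    errors = []
    clean = {}

    for name in fields:
        if name not in rules:
            errors.append(f"Unexpected field '{name}' was ignored.")

    for name, rule in rules.items():
        values = fields.get(name, [])
        if len(values) > 1:
            # Duplicate parameters are a common way to confuse scripts that
            # expect exactly one value per field.
            errors.append(f"Field '{name}' was supplied more than once.")
            continue
        value = values[0].strip() if values else ""
        if not value:
            if rule["required"]:
                errors.append(f"Please fill in the '{name}' field.")
            continue
        if len(value) > rule["max_len"]:
            errors.append(f"Field '{name}' is too long "
                          f"(maximum {rule['max_len']} characters).")
            continue
        if not rule["pattern"].fullmatch(value):
            errors.append(f"Field '{name}' contains characters that are not allowed.")
            continue
        clean[name] = value
    return clean, errors


def finger_argv(clean):
    """Build the argument vector for a finger lookup of the validated user.

    Passing a list to subprocess.run() means no shell ever parses the
    value, so ';', '|' and backquotes in the input cannot become commands.
    """
    if "username" not in clean:
        raise ValueError("username was not validated")
    return ["finger", clean["username"]]


if __name__ == "__main__":
    # Constructed submissions: one honest, one attempting command injection.
    for body in ("username=alice&email=alice%40example.com",
                 "username=alice%3B+cat+%2Fetc%2Fpasswd&email=x%40example.com"):
        clean, errors = validate_form(body)
        print(body)
        print("  accepted:", clean)
        print("  errors:  ", errors)
        if "username" in clean:
            print("  would run:", finger_argv(clean))
```

The second sample decodes to the username "alice; cat /etc/passwd"; it never reaches finger_argv because the semicolon fails the pattern, and the user gets a plain message instead of a shell running the appended command. Whitelisting what a field may contain is the reliable approach; blacklisting individual metacharacters tends to miss one.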

Languages for Writing CGI Scripts

• A compiled CGI program would be written in a language like C, C++, or Visual Basic. With this type of program, the source code must first be run through a compiler program. The compiler converts the source code into machine language that the computer on which the program is run can understand. Once compiled, the program then has the ability to be executed.

• An interpreted language combines compilation and execution. When a user requests a script's functionality, it is run through a program called an interpreter, which compiles it and executes it. For example, when you run a Perl script, it is compiled every time the program is executed.

• One issue with Unix shell programs is that you are more limited in controlling user input and other security issues than in other languages. The shell re-parses every variable it expands, so metacharacters in a user's input (such as ;, |, and backquotes) can turn data into commands.

• Perl has become a common method of creating CGI scripts. While a good choice for new programmers, it should not be mistaken as being a poor choice for complex programs. One problem with Perl is that, because it is interpreted, it is compiled and executed as one step each time the program is called, and functions such as eval, system, open, and backquotes hand strings to the interpreter or the shell at run time. For this reason, there is a greater possibility that bad data submitted by a user will be included as part of the code, unless every value is checked before it reaches such a call (Perl's taint mode, enabled with the -T switch, helps enforce this).

• C or C++ are another option. A common problem that occurs when Internet programs are created with C or C++ is buffer overflows. Limiting the length of form fields with the MAXLENGTH attribute of the INPUT tag restricts what a user can enter through a normal browser, but it is enforced by the browser alone; an attacker can send a request of any length directly. The C program itself must therefore bound every read (for example, honoring CONTENT_LENGTH only up to the size of the buffer it reads into) rather than rely on the form.

Advantages of Using CGI Scripts

• CGI is beneficial because all code is run on the server. JavaScript, ActiveX components, Java applets, and other client-side scripts and programs all run on the user's computer. This makes it possible for adept hackers to read that code, and to make use of the information in it to attack your site.

; With CGI, you can protect yourself by controlling permissions to various directories, hiding code within compiled programs, and other methods.

Rules for Writing Secure CGI Scripts

• Limit user interaction.

• Don't trust input from users.

• Don't use GET to send sensitive data.

• Never include sensitive information in a script.

• Never give more access than is absolutely necessary.

• Program on a computer other than the Web server, and ensure that temporary files and backup files of your scripts are removed from the server before your site goes live.

• Double-check the source code of any third-party CGI programs.

• Test your CGI script or program.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the

Q: Which is the best language for writing CGI scripts/programs?

A: There is no one “best” language for writing CGI scripts and programs, although programmers who use a specific language will argue this. Shell scripts are generally used for small programs where security isn't an issue (that is, where the script accepts no input from the user), while larger, more complex programs will use languages such as C, C++, or Visual Basic. The most common language for writing CGI scripts is Perl.

Q: When I'm writing my CGI program, do I need to worry about the type of browser a user is using to visit my site?

A: Generally, no. CGI programs run on the server side, so no code actually runs on the client's computer. Because the CGI program runs on the server, it won't matter what type of browser a user is running.

Q: I only know older programming languages, and don't know Perl, C, C++, or Visual Basic. I don't have the time to learn new languages. What can I do?

A: Any programming language that can work with CGI can be used to create CGI programs. For example, if your Web server ran on a Unix system, then any program that can read environment variables and standard input and write to standard output could be used to create a CGI program, because that is how the server hands the request to the program and collects its response.

Q: Can I use client-side and server-side scripting for my Web site, or am I limited to one or the other?

A: Client-side and server-side scripting can both be used on a site. In fact, you can use client-side and server-side scripting together for your program. There are a number of JavaScripts that check data before it is submitted to a CGI program. However, your CGI program must still check the data it receives, because a client-side check runs only in a cooperating browser and is bypassed entirely by sending the request directly to the server. In addition, Java applets or ActiveX components can be used as a user interface, and pass the data to the Web server for processing by your CGI program.

Q: My company doesn't run its own Web server and uses an Internet service provider. The ISP doesn't allow CGI scripts. What can I do?

A: If your ISP is firmly opposed to its customers running their own scripts, then you have few options. Many ISPs don't allow CGI programs, because security holes in them can impact the sites belonging to their other customers. You can move your site to another ISP, or get your own Web server.

Hacking Techniques