CGI Vulnerabilities
by Aleksandar Stancin - for Help Net Security
Everybody and their mom uses cgi-bin's in some way or another on their web pages, or on their web server, aware or not of that fact. Today's not so hot topic is cgi-bin vulnerabilities. In the couple of infinite text lines below, I'll explain the cgi-bin concept, and some little mischievous naughty things you can accomplish by misusing it. Notice that I'm not encouraging any sort of malevolent activities, nor will I take any responsibility for your actions. This article is written for educational purposes only. Let's pretend that we don't know anything about CGI's, so...

The interface in-your-face

CGI stands for Common Gateway Interface, which is a standard for a gateway, or interface, between clients and web servers. It allows interaction between them, transparent and smooth. Web pages per se are static, plain HTML, sometimes rather messy, but readable text files. Now, CGI's are scripts, or small programs, which allow you to make your web pages dynamic, and add various nifty things to them. A CGI program/script can be written in any language that allows it to be executed on the system, such as: C/C++, Fortran, PERL, TCL, any Unix shell, Visual Basic, AppleScript... It just depends on what you have available on your system. Usually, CGI's are located in the /cgi-bin folder of your web server, and if you have CGI's which are not only shell scripts, you also might have a /cgi-src folder. Of course, these may vary, so please don't think it is carved in stone just because I said so...

CGI's are embedded into HTML pages via a simple link tag, i.e. a CGI script incorporated into your page might look something like this:


picknose.sh

where picknose.sh is just a simple bash script, located in the /cgi-bin folder. What it does, well, that's a different story, and completely irrelevant to our little debate. :)

What will I use CGI's for, one might wonder, and the answer to that question is fairly simple, but to make it even simpler, I will illustrate it with an example. Imagine you have some sort of a database on your web, and you need to make it searchable to the user surfing the web. The best way to do this is via CGI scripts. You need a way to interact and transmit information between your host and the user's web browser, and that's what the common gateway interface or CGI does. It serves as a gateway between the user and your web. It (the CGI script) will be executed by the web daemon to transmit the query to the database and send the results back to the user, via the same daemon. Kind of a third-party involvement. This is the simplest example of how to use CGI's. Implementation is easy, and the possibilities are limited only by your imagination. Make sure your CGI's are as simple as possible and that they do not take a long time to execute. You can read more about the CGI concept and other CGI stuff here.
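The database search gateway described above, sketched as an added example that is not code from the original article: the web daemon passes the request in environment variables, and the script's standard output becomes the response. The `servers` table, the `q` parameter and all function names are assumptions made for illustration, and the sample rows are constructed.

```python
#!/usr/bin/env python3
"""Search CGI sketch: the web daemon passes the request in environment
variables and relays whatever the script writes to stdout."""
import html
import os
import re
import sqlite3
import sys
from urllib.parse import parse_qs

# Constructed sample data standing in for the site's database (assumption).
SAMPLE_ROWS = [("Apache",), ("Apache Tomcat",), ("nginx",), ("lighttpd",)]
TERM_RE = re.compile(r"[A-Za-z0-9 ._-]{1,40}")  # allowlist for the search term


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE servers (name TEXT)")
    db.executemany("INSERT INTO servers VALUES (?)", SAMPLE_ROWS)
    return db


def respond(status, body):
    # CGI response: header lines, one blank line, then the document.
    return f"Status: {status}\r\nContent-Type: text/html; charset=utf-8\r\n\r\n{body}\n"


def handle_request(environ, db):
    """Build the full CGI response for one request."""
    if environ.get("REQUEST_METHOD", "GET") != "GET":
        return respond("405 Method Not Allowed", "<p>GET only</p>")
    # The daemon hands over everything after '?' undecoded in QUERY_STRING.
    params = parse_qs(environ.get("QUERY_STRING", ""))
    term = params.get("q", [""])[0]
    if not TERM_RE.fullmatch(term):
        return respond("400 Bad Request", "<p>invalid search term</p>")
    # Bound parameter: the term is data, never part of the SQL text.
    rows = db.execute(
        "SELECT name FROM servers WHERE instr(lower(name), lower(?)) > 0 ORDER BY name",
        (term,),
    ).fetchall()
    items = "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
    return respond("200 OK", f"<h1>Results for {html.escape(term)}</h1><ul>{items}</ul>")


if __name__ == "__main__":
    # Run by the web daemon: request in os.environ, response on stdout.
    sys.stdout.write(handle_request(os.environ, open_db()))
```

Everything the client controls arrives through `QUERY_STRING`, so the allowlist, the bound SQL parameter and the HTML escaping are the three points where the script decides how much it trusts that input.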
