CGI Vulnerabilities
by Aleksandar Stancin - for Help Net Security
Everybody and their mom uses cgi-bin's in some way or another on their web pages, or on their web server, aware or not of that fact. Today's not so hot topic is cgi-bin vulnerabilites. In the following couple of infite text lines below, I'll explain the cgi-bin concept, and some little mischevious naughty things you can accomplish misusing it. Notice that I'm not encouraging any sort of malvolent activites, nor will take any reponsibility for your actions. This article is written for educational purposes only. Let's pretend that we don't know anything about CGI's, so...

The interface in-your-face

CGI stands for Common Gateway Interface, which is a standard for a gateway, or interface, between clients and web servers. It allows interaction between them, transparent and smooth. Web pages per se are static, plain HTML, sometimes rather messy, but readable text files. Now, CGI's are scripts, or small programs, which allow you to make your web pages dynamic, and add various nifty things to them. A CGI program/script can be written in any language that allows it to be executed on the system, such as: C/C++, Fortran, PERL, TCL, Any Unix shell, Visual Basic, AppleScript... It just depends what you have available on your system. Usually, CGI's are located in the /cgi-bin folder of your web server, and if you have CGI's which are not only shell scripts, you also might have a /cgi-src folder. Of course, these may vary, so please don't think it is carved in the stone just because I said so...

CGI's are emmbeded into HTML pages via a simple link tag, ie. a CGI script incorporated into your page might look something like this:

where is just a simple bash script, located in the /cgi-bin folder. What it does, well, that's a different story, and completly irrelevant to our little debate. :)

For what will I use CGI's one might wonder, and to that question the answer is fairly simple, but to make it even more simplified, I will elaborate it on an example. Imagine you have some sort of a database on your web, and you need to make it searchable to the user surfing the web. The best way to do this is via CGI scripts. You need a way to interact and transmit information between your host, and the user's web browser and that's what the common gateway interface or CGI does. It serves as a gateway between the user and your web. It (CGI script) will be executed by the web daemon to transmit query to the database and send results back to the user, via the same daemon. Kinda of a third party involvment. This is the simplest example of how to use CGI's. Implementation is easy, and the possibilites are limited only by your immagination. Make sure your CGI's are as simple as possible and that they do not take long time to execute. You can read more about the CGI concept and other CGI stuff here.

Your system is the world's oyster

As written above, CGI's are programs or scripts, that serve as a gateway between your web and the end user. And, of course, CGI's are executables which means they run on your system. Now, the idea of having anyone accessing your web and running mayhem with executables on your system looks a bit frightening, does it not?

Most security issues that arise from usage of CGI's are not directly caused by CGI's but with the way certain standards are set by the HTTP protocol, and CGI's only allow access to these security holes. Specifications of the CGI interface enable reading files on the system, shell access, and accessing file structure on the hosts.

Naturally, malicious CGI's exist, and can be set up, but I will not disscuss them, instead I will focus on the damage that can be done via your CGI's on your own host, not on the user surfing your web.


The Software Assurance Marketplace: A response to a challenging problem

Posted on 20 October 2014.  |  The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has recognized how critical the state of software security is to the DHS mission.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Tue, Oct 21st