CGI Security Issues




By Richard Lowe

When you are creating or using CGI routines, you must be careful to keep
good coding techniques, security and just plain common sense in mind.
Sometimes you can do things that cause serious unexpected side effects. In
fact, sometimes you may think you are making your CGI routine secure only
to find out it just doesn't work like you expected.

A good example of this phenomenon is a simple CGI routine called FormMail.
This was written a number of years ago by a fellow named Matt Wright to
allow data to be entered in a form, then emailed to a recipient.

I first looked at FormMail because I wanted to cut down on spam. You see, my
web site had my email address embedded on every single page. I thought this
was a good idea to allow people to send me an email message when they wanted
to contact me. In fact, all of the web design books indicate that all good
web sites include an email link of this kind.

I soon discovered, much to my horror, that spammers use special programs
called Spam Harvesters to scan websites for email addresses. They add these
addresses to their mailing lists and resell them over and over. The result
is a large increase in the amount of spam that I received.

After much research, I came to the conclusion that the best defense against
spam robots was to simply stop including my email address on my web sites.
This left the question of how to allow users to contact me when they had
questions or comments.

The answer is simple - use a form. The advantage is that the email address
is hidden within the CGI routine or a text file and it is simply not
possible for a spam harvester to pick it up. As long as the email address is
coded into the CGI routine or in a database you are relatively secure.

However, many people use FormMail in a different way. Let's say you want to
allow your visitors to "tell a friend" about your site. So you include a
form which allows visitors to enter their message and a target email
address. If you are not very careful you could find that you have set
yourself up as a spam relay.

You see, spammers are always looking for ways to hide their identity. One
common method is to search the internet for occurrences of FormMail.
Sometimes I wonder if spammers rub their hands together in glee when they
find sites which use FormMail with user-entered email addresses.

The spammer essentially "hijacks" the FormMail CGI routine and causes it to
send out emails as fast and furiously as they can. I know of one instance
where a spammer sent over one million emails in a single day before someone
noticed that their web server was going very slowly (I wonder how long it
would have taken had the spammer tried limiting the load on the server so it
didn't show up as much).

What happens here is very simple. The FormMail CGI routine is simply called
remotely by the spammer, once for each spam email that he wants to send.

Ah, you say, but you could code the FormMail routine to check the referrer
field. This would surely prevent a spammer from using it remotely, as his
referrer would not be the website URL.

Sorry, no. The referrer field is actually a text string passed to the CGI
routine by the browser. The spammer is most likely using a program which
appears, to your web site, to be just another browser. Since the spammer
controls the program he can code it to send the CGI routine whatever value
he wants for the referrer field.

As it turns out, it is very difficult to make a CGI routine such as FormMail
even relatively secure, and it may be impossible to make it bullet-proof.
All you can do is check enough things and put in delays here and there to
slow down and discourage spammers.

You could, for example, only allow one posting per IP address per hour. You
could also check referrer just to block out the more ignorant spammers. I
suppose you could count the number of times the routine is called, and have
it just stop working after a certain amount. For example, only allow one
hundred calls per day from anywhere.
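As an added example (not from the article and not Matt Wright's FormMail code), here is how the safeguards discussed above can be combined in a Python CGI handler: the recipient is taken from a fixed allowlist inside the script rather than from the form, each IP address gets one submission per hour, and there is a global cap of one hundred submissions per day. The placeholder address, the window and cap values, and the sample submissions are assumptions made for the example.

```python
import os
import time

# Constructed configuration. The recipient list lives in the script, so a
# "target email" field in the form can never turn the routine into a relay.
ALLOWED_RECIPIENTS = {"webmaster@example.com"}   # placeholder address
PER_IP_WINDOW = 3600      # one accepted submission per IP per hour
GLOBAL_DAILY_CAP = 100    # at most 100 accepted submissions per day, total
DAY = 86400


class FormMailGuard:
    """Gate for a form-to-email CGI script. The Referer header is deliberately
    not consulted: it is supplied by the client and proves nothing."""

    def __init__(self, allowed=ALLOWED_RECIPIENTS,
                 per_ip_window=PER_IP_WINDOW, daily_cap=GLOBAL_DAILY_CAP):
        self.allowed = set(allowed)
        self.per_ip_window = per_ip_window
        self.daily_cap = daily_cap
        self.last_seen = {}      # ip -> time of last accepted submission
        self.day_start = None    # start of the current 24-hour counting window
        self.daily_count = 0

    def check(self, ip, recipient, now=None):
        """Return (accepted, reason) for one submission from `ip`."""
        now = time.time() if now is None else now
        if recipient not in self.allowed:
            return False, "recipient not in allowlist"
        # Roll the daily counter over once a full day has passed.
        if self.day_start is None or now - self.day_start >= DAY:
            self.day_start, self.daily_count = now, 0
        if self.daily_count >= self.daily_cap:
            return False, "daily cap reached"
        last = self.last_seen.get(ip)
        if last is not None and now - last < self.per_ip_window:
            return False, "rate limited for this IP"
        self.last_seen[ip] = now
        self.daily_count += 1
        return True, "ok"


def handle_request(guard, form):
    """Minimal CGI glue: REMOTE_ADDR is set by the web server, not the client.
    `form` is the parsed form data (a dict here for the example)."""
    ip = os.environ.get("REMOTE_ADDR", "0.0.0.0")
    # Ignore any recipient the visitor typed; use the script's own address.
    recipient = next(iter(ALLOWED_RECIPIENTS))
    return guard.check(ip, recipient)
```

In a real deployment the per-IP timestamps and daily counter would be stored in a file or database, since each CGI invocation is a fresh process.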

The point here is not to tear apart the FormMail routine. The goal is to
show how difficult it can be to make anything secure on the internet, and
demonstrate that some assumptions (that the referrer field is a valid check)
may not be true in all cases.

What do you do? Before you implement any CGI or similar interface, do a
little research so that you completely understand, and can handle, the
ramifications. If you don't do this, you may find yourself the victim of
a hacker or spammer.
 
 
About the Author
Richard Lowe Jr. is the webmaster of Internet Tips And Secrets
at http://www.internet-tips.net - Visit our website any time to
read over 1,000 complete FREE articles about how to improve your
internet profits, enjoyment and knowledge.

Article Source: http://www.simplysearch4it.com/article/682.html