CGI Security Issues

Author : Richard Lowe

When you are creating or using CGI routines, you must be careful
to keep good coding techniques, security and just plain common
sense in mind. Sometimes you can do things that cause serious
unexpected side effects. In fact, sometimes you may think you
are making your CGI routine secure only to find out it just
doesn't work the way you expected.

A good example of this phenomenon is a simple CGI routine
called FormMail. This was written a number of years ago by a
fellow named Matt Wright to allow data to be entered in a form,
then emailed to a recipient.

I first looked at FormMail because I wanted to cut down on spam.
You see, my web site had my email address embedded on every
single page. I thought this was a good idea to allow people to
send me an email message when they wanted to contact me. In
fact, all of the web design books indicate that all good web
sites include an email link of this kind.

I soon discovered, much to my horror, that spammers use special
programs called spam harvesters to scan websites for email
addresses. They add these addresses to their mailing lists and
resell them over and over. The result was a large increase in the
amount of spam that I received.

After much research, I came to the conclusion that the best
defense against spam robots was to simply stop including my
email address on my web sites. This left the question of how to
allow users to contact me when they had questions or comments.

The answer is simple - use a form. The advantage is that the
email address is hidden within the CGI routine or a text file,
so a spam harvester that only reads the served HTML cannot pick
it up. As long as the email address is coded into the CGI routine
or stored in a database, you are relatively secure.

However, many people use FormMail in a different way. Let's say
you want to allow your visitors to "tell a friend" about your
site. So you include a form which allows visitors to enter their
message and a target email address. If you are not very careful
you could find that you have set yourself up as a spam relay.

You see, spammers are always looking for ways to hide their
identity. One common method is to search the internet for
occurrences of FormMail. Sometimes I wonder if spammers rub
their hands together in glee when they find sites which use
FormMail with user-entered email addresses.

The spammer essentially "hijacks" the FormMail CGI routine and
causes it to send out emails as fast and furiously as it can.
I know of one instance where a spammer sent over one million
emails in a single day before someone noticed that their web
server was going very slowly (I wonder how long it would have
taken had the spammer limited the load on the server so that it
didn't show up as much). What happens here is very simple.
The FormMail CGI routine is simply called remotely by the
spammer, once for each spam email that he wants to send.

Ah, you say, but you could code the FormMail routine to check
the referrer field. This would surely prevent a spammer from
using it remotely, as his referrer would not be the website URL.

Sorry, no. The referrer field (the HTTP Referer header) is just
a text string passed to the CGI routine by the client, and the
server has no way to verify it. The spammer is most likely
using a program which appears, to your web site, to be just
another browser. Since the spammer controls the program, he can
make it send the CGI routine whatever value he wants for the
referrer field.

As it turns out, it is very difficult to make a CGI routine such
as FormMail even relatively secure, and it may be impossible to
make it bullet-proof. All you can do is check enough things and
put in delays here and there to slow down and discourage
spammers.

You could, for example, only allow one posting per IP address
per hour. You could also check referrer just to block out the
more ignorant spammers. I suppose you could count the number of
times the routine is called, and have it just stop working after
a certain amount. For example, only allow one hundred calls per
day from anywhere.
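The three throttles suggested above (one posting per IP address per hour, a referrer check that only filters the laziest abuse, and a global cap of one hundred calls per day) as an added example in Python; this is not FormMail's code or Matt Wright's, and the site URL, IP addresses and limits are constructed values.

```python
"""Added example, not from the article: the throttling checks it suggests."""
import time
from collections import deque

# Assumption: the site's own URL; a forged Referer can still match this.
ALLOWED_REFERER_PREFIX = "https://www.example.com/"
PER_IP_WINDOW, PER_IP_LIMIT = 3600, 1      # one posting per IP address per hour
GLOBAL_WINDOW, GLOBAL_LIMIT = 86400, 100   # one hundred calls per day from anywhere


class FormGate:
    """Decides whether one mail-form submission may be sent out."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the checks are testable
        self.per_ip = {}          # REMOTE_ADDR -> deque of submission timestamps
        self.global_hits = deque()

    @staticmethod
    def _prune(q, window, t):
        while q and t - q[0] >= window:   # drop timestamps outside the window
            q.popleft()

    def check(self, remote_addr, referer):
        """Return (allowed, reason) for the CGI REMOTE_ADDR / HTTP_REFERER values."""
        t = self.now()
        # Referer is client-supplied text; it only filters the laziest abuse.
        if not (referer or "").startswith(ALLOWED_REFERER_PREFIX):
            return False, "referer"
        self._prune(self.global_hits, GLOBAL_WINDOW, t)
        if len(self.global_hits) >= GLOBAL_LIMIT:
            return False, "daily-cap"
        q = self.per_ip.setdefault(remote_addr, deque())
        self._prune(q, PER_IP_WINDOW, t)
        if len(q) >= PER_IP_LIMIT:
            return False, "ip-rate"
        q.append(t)
        self.global_hits.append(t)
        return True, "ok"


def simulate():
    """Constructed sequence: one IP posts twice in an hour, then again later."""
    clock = [1_000_000.0]
    gate = FormGate(now=lambda: clock[0])
    good, bad = "https://www.example.com/contact.html", "https://forged.example/"
    out = [gate.check("203.0.113.7", good)[1], gate.check("203.0.113.7", good)[1],
           gate.check("203.0.113.8", bad)[1]]
    clock[0] += 3600                      # an hour later the same IP may post again
    out.append(gate.check("203.0.113.7", good)[1])
    return out
```

The in-memory counters reset whenever the CGI process exits, so a real deployment would keep them in a file or database shared across requests.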

The point here is not to tear apart the FormMail routine. The
goal is to show how difficult it can be to make anything secure
on the internet, and demonstrate that some assumptions (that the
referrer field is a valid check) may not be true in all cases.

What do you do? Before you implement any CGI or similar
interface, be sure to do a little research so that you
completely understand and handle the ramifications. If you don't
do this, you may find yourself the victim of a hacker or spammer.

© 2008 sourceofarticles.com - All Rights Reserved