CGI Security Issues
By Richard Lowe
When you are creating or using CGI routines, you must be careful to keep good coding techniques, security and just plain common sense in mind. Sometimes you can do things that cause serious unexpected side effects. In fact, sometimes you may think you are making your CGI routine secure only to find out it just doesn't work like you expected.
A good example of this phenomenon is a simple CGI routine called FormMail. This was written a number of years ago by a fellow named Matt Wright to allow data to be entered in a form, then emailed to a recipient.
I first looked at FormMail because I wanted to cut down on spam. You see, my web site had my email address embedded on every single page. I thought this was a good idea to allow people to send me an email message when they wanted to contact me. In fact, all of the web design books indicate that all good web sites include an email link of this kind.
I soon discovered, much to my horror, that spammers use special programs called Spam Harvesters to scan websites for email addresses. They add these addresses to their mailing lists and resell them over and over. The result was a large increase in the amount of spam that I received.
After much research, I came to the conclusion that the best defense against spam robots was to simply stop including my email address on my web sites. This left the question of how to allow users to contact me when they had questions or comments.
The answer is simple - use a form. The advantage is that the email address is hidden within the CGI routine or a text file and it is simply not possible for a spam harvester to pick it up. As long as the email address is coded into the CGI routine or in a database you are relatively secure.
However, many people use FormMail in a different way. Let's say you want to allow your visitors to "tell a friend" about your site. So you include a form which allows visitors to enter their message and a target email address. If you are not very careful you could find that you have set yourself up as a spam relay.
You see, spammers are always looking for ways to hide their identity. One common method is to search the internet for occurrences of FormMail. Sometimes I wonder if spammers rub their hands together in glee when they find sites which use FormMail with user-entered email addresses.
The spammer essentially "hijacks" the FormMail CGI routine and causes it to send out emails as fast and furiously as they can. I know of one instance where a spammer sent over one million emails in a single day before someone noticed that their web server was going very slowly (I wonder how long it would have taken had the spammer tried limiting the load on the server so it didn't show up as much). What happens here is very simple. The FormMail CGI routine is simply called remotely by the spammer, once for each spam email that he wants to send.
Ah, you say, but you could code the FormMail routine to check the referrer field. This would surely prevent a spammer from using it remotely, as his referrer would not be the website URL.
Sorry, no. The referrer field is actually a text string passed to the CGI routine by the browser. The spammer is most likely using a program which appears, to your web site, to be just another browser. Since the spammer controls the program he can code it to send the CGI routine whatever value he wants for the referrer field.
As it turns out, it is very difficult to make a CGI routine such as FormMail even relatively secure, and it may be impossible to make it bullet-proof. All you can do is check enough things and put in delays here and there to slow down and discourage spammers.
You could, for example, only allow one posting per IP address per hour. You could also check referrer just to block out the more ignorant spammers. I suppose you could count the number of times the routine is called, and have it just stop working after a certain amount. For example, only allow one hundred calls per day from anywhere.
The point here is not to tear apart the FormMail routine. The goal is to show how difficult it can be to make anything secure on the internet, and demonstrate that some assumptions (that the referrer field is a valid check) may not be true in all cases.
What do you do? Before you implement any CGI or similar interface, be sure to do a little research to be sure you completely understand and handle the ramifications. If you don't do this, you may find yourself the victim of a hacker or spammer.
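The defenses sketched above, combined in one gate for a form-mail handler, as an added example that is not part of the original article or of FormMail itself: the recipient comes from an allow-list coded into the script rather than from the form, the referrer is treated as the weak, client-controlled check it is, and the hourly per-IP and daily global caps are enforced as sliding windows. The addresses, URLs and limits are constructed, and the counters live in memory for the sake of the example.

```python
"""Gate for a form-mail CGI handler: allow-listed recipients plus rate caps."""
from collections import defaultdict, deque
import time

# Policy values are constructed for this example, not taken from any real site.
ALLOWED_RECIPIENTS = {"webmaster@example.com"}  # recipients live in code, never in the form
EXPECTED_REFERER = "https://www.example.com/"    # weak check only: the client chooses this header
PER_IP_LIMIT, PER_IP_WINDOW = 1, 3600            # one posting per IP address per hour
GLOBAL_LIMIT, GLOBAL_WINDOW = 100, 86400         # one hundred calls per day from anywhere


class FormMailGate:
    """Decides whether one submission may be mailed; keeps timestamps in memory."""

    def __init__(self):
        self.per_ip = defaultdict(deque)   # client IP -> timestamps of accepted postings
        self.global_hits = deque()         # timestamps of all accepted postings

    @staticmethod
    def _prune(queue, window, now):
        # Drop timestamps that have fallen out of the sliding window.
        while queue and queue[0] <= now - window:
            queue.popleft()

    def check(self, client_ip, recipient, referer, now=None):
        """Return (accepted, reason). Nothing is sent when accepted is False."""
        now = time.time() if now is None else now
        # Hard check: a recipient taken from the form is exactly what turns the script into a relay.
        if recipient not in ALLOWED_RECIPIENTS:
            return False, "recipient not on allow-list"
        # Weak check: Referer is client-supplied and trivially forged, so it only stops careless callers.
        if referer is None or not referer.startswith(EXPECTED_REFERER):
            return False, "referer mismatch (weak, client-controlled check)"
        self._prune(self.global_hits, GLOBAL_WINDOW, now)
        if len(self.global_hits) >= GLOBAL_LIMIT:
            return False, "daily global cap reached"
        ip_hits = self.per_ip[client_ip]
        self._prune(ip_hits, PER_IP_WINDOW, now)
        if len(ip_hits) >= PER_IP_LIMIT:
            return False, "hourly per-IP cap reached"
        ip_hits.append(now)
        self.global_hits.append(now)
        return True, "accepted"


def check_cgi_request(gate, environ, form, now=None):
    """Adapter: REMOTE_ADDR and HTTP_REFERER are the standard CGI environment variables."""
    return gate.check(environ.get("REMOTE_ADDR", ""), form.get("recipient", ""),
                      environ.get("HTTP_REFERER"), now)
```

A real deployment would keep the counters in a file or database so they survive across CGI invocations, since each request runs in a fresh process.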