In discussing recommend-to-a-friend capabilities
recently, freeware CGI scripts were suggested as an
alternative to advertising-heavy and spam-inducing
third-party approaches. I've found at least one
freeware script (Birdcast) fairly easy to modify so it
will accommodate our shopping cart. But I'm concerned
about security issues arising from the entry of
unexpected data by the visitor, whether maliciously or
accidentally. Specific concerns are access to our files
and possible misuse by spammers. As far as I can tell,
the script only checks to see that it's being run from
our domain, but I understand domains can be faked
easily by someone who knows how. To filter out all
"dangerous" characters would also reject some valid (if
odd) email addresses.

Maybe I'm overreacting, but CGI security concerns and
coding solutions are discussed at various sites
linked to at:
http://www.go2net.com/people/paulp/cgi-security/ and
some concern seems to be valid. But although I can
follow the issues there, the actual solutions are WAY
over my head.

I've checked with some recommended Perl/CGI
programming companies, but they're uninterested in
reviewing someone else's code and starting from scratch
would be prohibitive. Have written to the authors, but
(understandably with freeware) have not received a
reply.

1. How much should we be concerned about this issue,
with regard to something like "recommend-to-a-friend"
(or, I suppose, any CGI-emailed form accepting visitor
input), particularly at a site that accepts users'
credit cards (card data is encrypted, but I still
wouldn't want anyone to get that file)?

2. What, if any, sources are there for an affordable
solution?

Received on Tue Aug 01 2000 - 09:05:40 CDT
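
The post's two worries (visitor input reaching files or the shell, and the form being used to send spam) can be handled without filtering out odd-but-valid addresses. The Perl sketch below is an added example, not part of the original post and not Birdcast's code; the sendmail path, the sender address, the shop URL and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: a sendmail-compatible binary lives at this path.
my $SENDMAIL = '/usr/sbin/sendmail';
my $FROM     = 'recommend@shop.example';    # constructed placeholder

# Accept odd-but-valid addresses (o'brien+tag@example.co.uk) and reject only
# what can break a mail header or smuggle in extra recipients or options.
# Trade-off: quoted local parts containing spaces are rejected too.
sub recipient_ok {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr && length $addr <= 254;
    return 0 if $addr =~ /[\x00-\x20\x7f]/;    # CR, LF, NUL, space, controls
    return 0 if $addr =~ /[,;<>()]/;            # list separators, route syntax
    return 0 if $addr =~ /^-/;                  # would read as an option
    return 0 unless $addr =~ /^[^\@]+\@[^\@]+\.[^\@]+$/;  # one @, dotted domain
    return 1;
}

# The visitor supplies only the recipient; subject and body are fixed here,
# so the form cannot be used to relay arbitrary text.
sub send_recommendation {
    my ($to) = @_;
    die "rejected recipient\n" unless recipient_ok($to);
    # List-form pipe open: the address is one argv element and never passes
    # through /bin/sh, so shell metacharacters in it have no effect.
    open(my $mail, '|-', $SENDMAIL, '-oi', '-f', $FROM, $to)
        or die "cannot run $SENDMAIL: $!\n";
    print {$mail} "From: $FROM\nTo: $to\n",
                  "Subject: A friend recommends our shop\n\n",
                  "A visitor thought you might like http://shop.example/\n";
    close($mail) or die "sendmail failed: $?\n";
    return 1;
}

# Constructed sample inputs; this loop only validates and sends nothing.
for my $sample ("friend\@example.com", "o'brien+tag\@example.co.uk",
                "a\@example.com\nBcc: list\@example.net",
                "a\@example.com,b\@example.com", "-bad\@example.com",
                "x\@example.com; ls") {
    (my $shown = $sample) =~ s/\n/\\n/g;
    printf "%-8s %s\n", recipient_ok($sample) ? 'accept' : 'reject', $shown;
}
```

Checking that the form was submitted from the site's own domain adds little, as the post suspects, because that value is supplied by the client; the controls that matter here are server-side validation, a fixed message, and never handing visitor input to a shell or a file path.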