Automated, flashy, multimedia, multifunctional Web sites have become the norm. As the proliferation of high-speed connectivity for both home and business use expands, the programmatic content on Web sites will continue to grow. As an organization deploying its own Web services to clients, customers and the general public, ensuring that your Web site is safe for all is an important aspect of maintaining your reputation and profitability.
It is often more cost effective to purchase or download a pre-written CGI script rather than design, write and test your own using in-house programmers and expertise. However, this dollar savings can often cost you significantly in the area of security.
Not all CGI scripts are created equal. In fact, there are innumerable CGI scripts floating around the digital ether that leave open back doors onto your Web server, download viruses, Trojans and worms to visiting clients, or even execute malicious code using system-level privileges. Most of the unwanted activities of CGI scripts are nearly invisible and undetectable upon execution until after the damage is done.
If you must use pre-existing CGI scripts, then you must accept the responsibility to inspect every line of code to ensure it is safe and clean from unwanted system calls. Taking the time to inspect a script line by line will require just as much -- if not more -- internal programming expertise than writing something from scratch.
One specific item to look for are system calls to execute commands at system-level privileges. In ISAPI scripts, the command RevertToSelf() is used to perform just that. DUMPBIN (a tool from the Win32 API developers toolkit) can be used to quickly search an ISAPI script for this or other commands.
The bottom line is, if you don't inspect third-party CGI scripts, there is no end to the malicious problems it could perpetrate on your Web server and your visitors.
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
