Looking For Absolute Beginner's Guide To CGI Security
We are looking for a quick, common sense guide for our users regarding the security issues of installing CGI scripts.
For the moment we are focusing primarily on Unix/PERL.
We have looked over most of the tutorials, especially L. D. Stein's, but we need one from even more of a beginner's perspective.
Anyone can go to CGI Resources and find a simple free script to load, so long as they know how to ftp and have access to their server.
Most of the security articles are written a bit over the head of someone who hasn't a clue about CGIs other than upload, do a little editing and CHMOD.
Maybe a quick little FAQ from an absolute beginner's perspective:
Why are CGIs so dangerous?
(In SIMPLE terms, how someone can get in and hack your information.)
What questions should you ask your web host to determine how secure your scripts are?
(Do they implement SSI, etc.)
Are there ways to secure scripts that you load to make them safer?
(Are there any commands they could paste into the code that would not affect it, but still improve security.)
And maybe some others you could think of.
Again, this is focused mainly towards absolute beginners trying to load scripts without a clue.
Those who have advanced to the point of writing code will be more than capable enough to understand existing articles.
Anyone willing to help us write this up would get full credit for the article, plus a link back to your site. (Any referred site must meet certain guidelines, email for details.)
If you are interested, and would like to see the main page of our site to get an idea of what we are doing, please email me and I will send you the URL.
Thanks
Greg
[This message has been edited by CLYMB (edited 22 June 2000).]
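As an added illustration of two of the questions Greg raises above (what lines an installer can paste into a script to make it safer, and why a formmail-style script needs care), here is a small form-to-mail CGI written defensively. It is not code from this thread, from L. D. Stein's guide or from any released formmail script; it assumes CGI.pm is installed, that sendmail lives at /usr/sbin/sendmail, and the recipient address is a placeholder.

```perl
#!/usr/bin/perl -T
# Added illustration: a minimal, defensively written form-to-mail CGI.
# Not the thread's own code. Assumes CGI.pm and /usr/sbin/sendmail exist;
# the recipient address below is a placeholder.
use strict;
use warnings;
use CGI;

# 1. Lines an installer can add at the top of almost any Perl CGI.
#    -T on the shebang line turns on taint mode: data that arrived with the
#    request cannot reach system(), exec(), a piped open() or unlink() until
#    it has been passed through a regex capture. Taint mode also requires a
#    safe PATH, so set one explicitly and drop the shell-influencing variables.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. Fixed configuration: the recipient is hard-coded, never read from the
#    form. A form-supplied "recipient" field is what turned old formmail
#    installs into open spam relays. (Placeholder address.)
my $RECIPIENT = 'webmaster@example.com';
my $SENDMAIL  = '/usr/sbin/sendmail';

# 3. Untainting helpers. Each returns the captured value only when the input
#    matches a tight pattern, otherwise undef. The capture $1 is untainted.
sub clean_email {
    my ($raw) = @_;
    return undef unless defined $raw && length($raw) <= 254;
    return $raw =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/ ? $1 : undef;
}

sub clean_line {             # one header line: no CR/LF, so no header injection
    my ($raw, $max) = @_;
    return undef unless defined $raw && length($raw) <= $max;
    return $raw =~ /\A([ -~]*)\z/ ? $1 : undef;      # printable ASCII only
}

sub clean_body {             # message body: printable ASCII plus newlines
    my ($raw, $max) = @_;
    return undef unless defined $raw && length($raw) <= $max;
    return $raw =~ /\A([ -~\n]*)\z/ ? $1 : undef;
}

sub respond {
    my ($status, $text) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$text\n";
    exit 0;
}

my $q = CGI->new;
respond('405 Method Not Allowed', 'POST only') unless $q->request_method eq 'POST';

# scalar() so a repeated field cannot shift the $max argument
my $from    = clean_email(scalar $q->param('email'));
my $subject = clean_line(scalar $q->param('subject'), 100);
my $body    = clean_body(scalar $q->param('message'), 4000);

respond('400 Bad Request', 'Invalid or missing field')
    unless defined $from && defined $subject && defined $body;

# 4. Hand the message to sendmail with the list form of open(): arguments go
#    straight to the program and no shell is involved, so nothing typed into
#    the form can become a command. -i keeps a lone "." line from ending the
#    message early.
open(my $mail, '|-', $SENDMAIL, '-i', $RECIPIENT)
    or respond('500 Internal Server Error', 'mail transport unavailable');
print $mail "From: $from\n",
            "To: $RECIPIENT\n",
            "Subject: [web form] $subject\n",
            "\n",
            $body, "\n";
close $mail or respond('500 Internal Server Error', 'mail transport failed');

respond('200 OK', 'Thanks, your message was sent.');
```

The first block of lines (the -T switch, strict, warnings, and the PATH reset) is the part an installer can add to an existing script without changing what it does; everything after that shows why the rest still matters: under taint mode the script will refuse to run the sendmail pipe until each form value has been checked against an allow-list pattern, which is what keeps mail-header injection and shell metacharacters out of the message.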
Orpheus posted this at 09:36 — 22nd June 2000.
They have: 568 posts
Joined: Nov 1999
I think it would be nearly impossible to write a simple guide to explain CGI security to someone who doesn't even know how to CHMOD a file.
Someone once told me (I really like this quote btw) "It's not Perl that's insecure, it's your code."
You may want to put that up just to get peoples attention.
Do you need this guide for people who are writing their own programs or installing other peoples programs to the server?
CLYMB posted this at 07:04 — 23rd June 2000.
They have: 4 posts
Joined: Jun 2000
Orpheus,
Thank You for your reply.
This would be for those who can chmod a file. There are a lot of "webmasters" who have learned enough about CGI to find what they are looking for, edit the few files according to the instrux, ftp it to their server, then chmod.
This is the group I am targeting. Anyone who knows how to write CGI scripts should be more than capable of understanding the CGI security guides that are already available.
Basically, you only need to learn a few steps to be able to load a free CGI program onto your server. But these people do not know nearly enough to understand the security risks involved with some of the programs they are loading.
They either don't take the time to read the current security guides, or the terminology or presentation is just a bit over their heads.
We are just looking for a short but sweet guide in plain English, telling them why they need to think twice before uploading a script.
As an example: we can give just a few simple step by step instrux on how to load either a formmail or off site search engine to someone's site.
They are very simple steps, anybody who can read and has access to their server could implement these scripts.
But this does nothing to address the security issue.
We think it would be irresponsible to explain how to load a script without providing all of the necessary cautions as well.
We could write it up ourselves, and probably will if no one can help, but we are trying to offer the best advice and CGI code is not our specialty, so we're looking for outside help if possible.
Thanks,
Greg
[This message has been edited by CLYMB (edited 25 June 2000).]