
P is for Practical
	PerlMonks

Re: Essential CGI Security Practices

by footpad (Abbot)

on Feb 03, 2002 at 01:20 UTC ( [id://143034]=note: print w/replies, xml )

Need Help??

This is an archived low-energy page for bots and other anonmyous visitors. Please sign up if you are a human and want to interact.

in reply to Essential CGI Security Practices

And I would add:

Don't accept more than is absolutely necessary. Example: MSA's formmail.pl can be used as a spam relay because it accepts recipient as a CGI parameter. Don't do that.

Only accept the minimum number of parameters you need.
Don't trust anything from the client--period. I've seen cases where CGI scripts claim to be secure because they check REFERER, which is trivial to spoof.
Don't ever use a script that tells you to chmod a publically accessible file to 777 (Example: here).
Be highly suspicious of code that's been updated one or fewer times in the last several years. (Theory: No one was defending against DoS attacks in 1996.)

Not that I'm picking on anyone, of course. However, I have been helping a buddy run down various spammers that are playing on his system. Guess where the currently identified problems have come from?

--f

Comment on Re: Essential CGI Security Practices

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://143034]
help

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Notices^?

	• hippo	‥ epoptai's answer Re: how do I set a cookie and redirect was blessed by hippo!
	• erzuuli	‥ Anonymous Monks are no longer allowed to use Super Search, due to an excessive use of this resource by robots.