CGI Scripts :
An acronym for Common Gateway Interface, CGI is an interface that lets you run external programs on your server to perform specific functions.
CGI programs execute in real time and produce their output on the fly, so CGI can be thought of as a way of interfacing your custom programs with an HTTP (WWW) server, allowing the server to offer interactive sites instead of just static text and images. CGI programs can be written in Perl, Java, Visual Basic and C.
How it works :
The Common Gateway Interface (CGI) allows information to pass between a Web site’s server and a program, usually written in Perl or Java, that lives in the “cgi-bin” directory on that server. You send information from your browser to the server; the server passes the information through the CGI gateway to the Perl/Java program; the Perl/Java program does its thing to the information (perhaps running a database query and building an HTML page that lists the results), then sends the result back through the CGI gateway to the server, and the server returns it to your browser.
Uploading CGI scripts :
All CGI programs must be uploaded to your cgi-bin directory. You should be sure to use ASCII mode when uploading Perl scripts.
Calling CGI scripts :
In your HTML documents, reference your CGI script using the following path: http://www.yourdomain.com/cgi-bin/script.
Precautions to be taken while developing customized CGI scripts :
You should take the utmost care when using CGI scripts, as they are more vulnerable to attack: a buggy CGI script can leak enough system information to compromise the host.
Quite a number of widely distributed CGI scripts contain known security holes. Many of the ones that are identified here have since been caught and fixed, but if you are running an older version of the script you may still be vulnerable. Get rid of it and obtain the latest version. If there is no fix for a script, just get rid of it.
While you are developing custom CGI scripts, avoid:
*) Giving out too much information about your site and server host. (For example, the “finger” command often prints out the physical path to the fingered user’s home directory, and scripts that invoke finger leak this information.)
*) If you’re coding in a compiled language like C, making assumptions about the size of user input.
(If you assume that the user input provided by a POST request will never exceed the size of a static input buffer, a wily hacker can break the program by providing input many times that size. The buffer overflows and crashes the program; in some circumstances the crash can be exploited by the hacker to execute commands remotely.)
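The following C program is an added example and not code from the original page. It ties together the two points above: how a CGI program actually talks to the server (request details arrive as environment variables and on standard input, the response goes out on standard output as HTTP headers followed by a body), and how to handle a POST body without assuming a fixed input size. MAX_BODY_BYTES is an assumed site policy rather than anything CGI defines, and the 413/400 responses are one reasonable choice, not a standard the page prescribes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the original page. Upper bound on accepted POST
   bodies; an assumed per-site policy, tune it for your application. */
#define MAX_BODY_BYTES (64 * 1024)

/* The web server exports the request's Content-Length as the CONTENT_LENGTH
   environment variable. Parse it strictly: digits only, no sign, no trailing
   junk, never above the policy cap. Returns 0 and stores the length in *out,
   or -1 if the request must be rejected. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || value[0] < '0' || value[0] > '9')
        return -1;                     /* missing, signed, or not numeric */
    char *end = NULL;
    errno = 0;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno != 0 || *end != '\0' || n > MAX_BODY_BYTES)
        return -1;                     /* overflow, trailing junk, or too large */
    *out = (size_t)n;
    return 0;
}

/* Read exactly `want` bytes of POST body into a freshly allocated,
   NUL-terminated buffer sized from the declared length, not from a guess.
   The vulnerable idiom the page warns about looks like
       char buf[1024]; fread(buf, 1, atoi(getenv("CONTENT_LENGTH")), stdin);
   and overflows `buf` as soon as a client sends more than 1024 bytes.
   Returns NULL if the stream is short or allocation fails. */
char *read_post_body(FILE *in, size_t want)
{
    char *buf = malloc(want + 1);
    if (buf == NULL)
        return NULL;
    size_t got = fread(buf, 1, want, in);
    if (got != want) {
        free(buf);
        return NULL;
    }
    buf[want] = '\0';
    return buf;
}

/* Escape text for inclusion in HTML so that user input cannot inject markup
   into the page the script generates. Writes into a caller-sized buffer and
   returns -1 instead of overrunning it. */
int html_escape(const char *in, char *out, size_t outsz)
{
    if (outsz == 0)
        return -1;
    size_t used = 0;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (used + len + 1 > outsz)    /* must still leave room for the NUL */
            return -1;
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

/* Entry point as the web server would invoke it. A leading "Status:" header
   is how a CGI program asks the server to send a non-200 response. */
int main(void)
{
    const char *method = getenv("REQUEST_METHOD");
    char *body = NULL;
    size_t want = 0;

    if (method != NULL && strcmp(method, "POST") == 0) {
        if (parse_content_length(getenv("CONTENT_LENGTH"), &want) != 0) {
            printf("Status: 413 Payload Too Large\r\nContent-Type: text/plain\r\n\r\n"
                   "Request body missing, malformed or over the size limit.\n");
            return 0;
        }
        body = read_post_body(stdin, want);
        if (body == NULL) {
            printf("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
                   "Request body shorter than CONTENT_LENGTH.\n");
            return 0;
        }
    }

    /* Each input byte expands to at most 6 bytes ("&quot;"), so size the
       output buffer from the input instead of picking a constant. */
    size_t outsz = (body ? strlen(body) : 0) * 6 + 1;
    char *escaped = malloc(outsz);
    if (escaped == NULL || html_escape(body ? body : "", escaped, outsz) != 0) {
        printf("Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n");
        free(body);
        free(escaped);
        return 0;
    }
    printf("Content-Type: text/html\r\n\r\n");
    printf("<html><body><h1>CGI echo</h1><pre>%s</pre></body></html>\n", escaped);
    free(body);
    free(escaped);
    return 0;
}
```

Compiled and placed in cgi-bin, the program can be exercised from a shell by setting REQUEST_METHOD and CONTENT_LENGTH in the environment and piping a body into it, which is all the server does on its side. The three decisions worth copying are that the declared length is validated before any memory is touched, the buffer is sized from that validated length, and nothing read from the client reaches the HTML output unescaped.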