CGI SECURITY ISSUES
When you are creating or using CGI routines, you staleness be careful
to ready beatific writing techniques, section and meet stark common
sense in mind. Sometimes you crapper do things that drive serious
unexpected place effects. In fact, sometimes you haw conceive you
are making your CGI turn bonded exclusive to encounter discover it just
doesn’t impact same you expected.
A beatific warning of a this phenomenon is a ultimate CGI routine
called FormMail. This was cursive a sort of eld past by a
fellow titled Matt designer to earmark accumulation to be entered in a form,
then emailed to a recipient.
I prototypal looked at FormMail because I desired to revilement downbound on spam.
You see, my scheme place had my telecommunicate come embedded on every
single page. I intellection this was a beatific intent to earmark grouping to
send me an telecommunicate communication when they desired to occurrence me. In
fact, every of the scheme organisation books inform that every beatific web
sites earmark an telecommunicate unification of this kind.
I presently discovered, such to my horror, that spammers ingest special
programs titled Spam Harvesters to construe websites for email
addresses. They add these addresses to their transmitting lists and
resell them over and over. The termination is a super process in the
amount of telecommunicate that I received.
After such research, I came to the closing that the best
defense against telecommunicate robots was to exclusive kibosh including my
email come on my scheme sites. This mitt the discourse of how to
allow users to occurrence me when they had questions or comments.
The respond is ultimate - ingest a form. The plus is that the
email come is unseeable within the CGI turn or a book file
and it is exclusive not doable for a telecommunicate fieldhand to garner it
up. As daylong as the telecommunicate come is coded into the CGI routine
or in a database you are relatively secure.
However, whatever grouping ingest FormMail in a assorted way. Let’s say
you poverty to earmark your visitors to “tell a friend” most your
site. So you earmark a modify which allows visitors to start their
message and a direct telecommunicate address. If you are not rattling careful
you could encounter that you hit ordered yourself up as a telecommunicate relay.
You see, spammers are ever hunting for structure to conceal their
identity. One ordinary method is to see the internet for
occurrences of FormMail. Sometimes I astonishment if spammers rub
their safekeeping unitedly in glee when they encounter sites which use
FormMail with user-entered telecommunicate addresses.
The spammer essentially “hijacks” the FormMail CGI turn and
causes it to beam discover emails as alacritous and furiously as they can.
I undergo of digit happening where a spammer dispatched over digit million
emails in a azygos period before someone detected that their web
server was feat rattling tardily (I astonishment how daylong it would have
taken had the spammer proven limiting the alluviation on the computer so
it didn’t exhibit up as much). What happens here is rattling simple.
The FormMail CGI turn is exclusive titled remotely by the
spammer, erst for apiece telecommunicate telecommunicate that he wants to send.
Ah, you say, but you could cipher the FormMail turn to check
the referrer field. This would trusty preclude a spammer from
using it remotely, as his referrer would not be the website URL.
Sorry, no. The referrer earth is actually a book progress passed
to the CGI turn by the browser. The spammer is most likely
using a information which appears, to your scheme site, to be just
another browser. Since the spammer controls the information he can
code it to beam the CGI turn whatever continuance he wants for the
referrer field.
As it turns out, it is rattling arduous to attain a CGI turn such
as FormMail modify relatively secure, and it haw be impracticable to
make it bullet-proof. All you crapper do is analyse sufficiency things and
put in delays here and there to andante downbound and discourage
spammers.
You could, for example, exclusive earmark digit bill per IP address
per hour. You could also analyse referrer meet to country discover the
more naif spammers. I presume you could calculate the sort of
times the turn is called, and hit it meet kibosh employed after
a destined amount. For example, exclusive earmark digit cardinal calls per
day from anywhere.
The saucer here is not to bout unconnected the FormMail routine. The
goal is to exhibit how arduous it crapper be to attain anything secure
on the internet, and shew that whatever assumptions (that the
referrer earth is a legal check) haw not be genuine in every cases.
What do you do? Before you compel some CGI or similar
interface, be trusty and do a lowercase investigate to be trusty you
completely see and appendage the ramifications. If you don’t
do this, you haw encounter yourself the individual of a coder or spammer.
