A 2001 SANS whitepaper by Suhari Jawi, titled “Insecurity of Inputs to CGI Program”, explores the security issues around CGI programs.
What is CGI?
CGI, or Common Gateway Interface, is a technology model that lets a web server act on a client (web browser) request by serving as a liaison between the web server and the internal operating system.
Security concerns with CGI:
1. Buffer Overflow bugs in CGI source code – can be exploited to execute malicious code.
2. Unfiltered Metacharacters – Characters such as “<”, “>”, “/”, “\”, “&”, and “|” have special meanings in programming languages. If the input is not sanitized, the CGI program can be compromised through injection attacks.
3. Invalid States – Programming errors in creating, changing, and maintaining state via cookies and environment variables can be successfully exploited.
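Item 2 above, as an added example (not code from the whitepaper or from this post): a Python sketch of allowlist validation for a CGI query parameter before it reaches an OS command. The `host` parameter name, the `host -t A` lookup command, and the extended metacharacter set are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Metacharacters named in item 2, plus others a shell treats specially
# (the extra characters are an assumption, not taken from the whitepaper).
METACHARS = set('<>/\\&|;`$()\n')

# Allowlist: hostname-like token, 1-64 chars, must start and end alphanumeric,
# so it cannot begin with "-" and be mistaken for a command-line option.
SAFE_HOST = re.compile(r'[A-Za-z0-9](?:[A-Za-z0-9.-]{0,62}[A-Za-z0-9])?')


def get_param(query_string, name):
    """Return the single value of `name`, or None if absent or repeated."""
    values = parse_qs(query_string, keep_blank_values=True).get(name, [])
    return values[0] if len(values) == 1 else None


def check_request(query_string):
    """Validate the hypothetical `host` parameter from QUERY_STRING.

    Returns (argv, None) when the value is acceptable, else (None, reason).
    argv is meant for subprocess.run(argv) with the default shell=False, so
    the value is passed as one argument and never parsed by a shell. The
    unsafe pattern is building a string such as "host -t A " + value and
    handing it to a shell, where "|" or "&" would be interpreted.
    """
    host = get_param(query_string, 'host')
    if host is None:
        return None, 'rejected: missing or repeated host parameter'
    if not SAFE_HOST.fullmatch(host):
        found = sorted(METACHARS.intersection(host))
        if found:
            return None, f'rejected: metacharacters {found}'
        return None, 'rejected: not a hostname-like token'
    return ['host', '-t', 'A', host], None


if __name__ == '__main__':
    # Constructed sample query strings, not taken from real traffic.
    for qs in ('host=example.com', 'host=a.example%7Cb', 'host=a&host=b'):
        print(qs, '->', check_request(qs))
```

The length bound in the pattern also keeps an oversized value from reaching the called program, which relates to item 1.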
Some tools that help check for CGI vulnerabilities are RFProxy, AppScan, HTTPush, and Achilles.
It is important for security professionals to utilize these tools and minimize risks in the CGI environment before hackers use the same tools to exploit it.