
CGI requests

Problem with CGI scripts

The problem with CGI scripts is that each one presents an opportunity for exploitable bugs. CGI scripts should be written with the same care and attention as Internet servers, because each one is in effect a miniature server. Unfortunately, for many Web authors, CGI scripts are their first encounter with network programming. CGI scripts can present security holes in two ways:
  1. They may intentionally or unintentionally leak information about the host system that will help hackers break in.
  2. Scripts that process remote user input, such as the contents of a form or a "searchable index" command, may be vulnerable to attacks in which the remote user tricks them into executing commands.
CGI scripts are potential security holes even though you run your server as "nobody". A subverted CGI script running as "nobody" still has enough privileges to mail out the system password file, examine the network information maps, or launch a login session on a high-numbered port (it just needs to execute a few commands in Perl to accomplish this).
Even if your server runs in a chroot directory, an incorrectly written CGI script can leak sufficient system information to compromise the host.
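
The second point above, worked as an added example that is not from the original page: a Perl "searchable index" CGI handler that validates the search term under taint mode and runs grep without a shell. The parameter name q, the default query string and the index lines are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original page). The 'q' parameter name and the
# index lines are constructed. Run via the web server or as: perl -T search.cgi
use strict;
use warnings;

$| = 1;                                    # flush the header before grep writes
$ENV{PATH} = '/usr/bin:/bin';              # taint mode requires a known PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};  # and no shell-influencing variables
my @INDEX = ("servlet tutorial\n", "cgi security notes\n");  # constructed data

# Return the URL-decoded value of one parameter from QUERY_STRING.
sub query_param {
    my ($name) = @_;
    # Constructed default so the script also runs from a command line.
    my $qs = $ENV{QUERY_STRING} // 'q=servlet';
    for my $pair (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && $k eq $name;
        $v //= '';
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        return $v;
    }
    return;
}

# Allow-list check. Only the captured $1 is untainted; any value containing
# shell metacharacters (; | ` $ & or a newline) fails the match.
sub untaint_term {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9 _.-]{1,64})\z/;
    return $1;
}

print "Content-Type: text/plain\r\n\r\n";
my $term = untaint_term(query_param('q'));
unless (defined $term) {
    print "Invalid search term.\n";
    exit 0;
}

# WEAK form, which -T stops with "Insecure dependency" when $term is tainted:
#   system("grep $term index.txt");   # one string, parsed by /bin/sh
# HARDENED form: list arguments go straight to exec with no shell involved;
# '-F' treats the term as a fixed string and '--' ends option parsing.
open(my $grep, '|-', 'grep', '-F', '--', $term) or die "cannot run grep: $!";
print {$grep} @INDEX;
close($grep);
```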

Here is how the Web server handles CGI requests:

  1. The browser sends a request to the server.
  2. A new process is spawned.
  3. The Perl interpreter is started.
  4. Another user is at this site at the same time.
  5. This user makes a request to run the same CGI script.
  6. Another new process is spawned.
  7. A new copy of the Perl interpreter is started.
  8. The first CGI process returns HTML to the user.
  9. The CGI program and Perl interpreter are closed.
  10. The second CGI process returns HTML to the user.
  11. The CGI program and Perl interpreter are closed.