A very well known major drawback of using CGI is poor webserver performance. But how secure are CGI (mainly C/C++) based applications? Are there any major security holes in CGI architecture built on C/C++?

I would like to know some real-life implementations of CGI-based web apps/web sites. One that I know of is javaranch.com.

+2  A: 

CGI is no more insecure than any other WSAPI. It's all about what the program does with the code. All CGI does is set environment variables and hands off to the program.

Andy Lester
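As an added illustration (not part of any answer on this page): since a CGI program receives the request through environment variables such as `QUERY_STRING`, the memory-safety risk in C sits in how that string is decoded and copied. The helper name `cgi_get_param` and the `user` parameter are hypothetical; the sketch rejects oversized, malformed and NUL-containing values instead of truncating them.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Copy the percent-decoded value of `name` from query string `qs` into `out`.
 * Returns the decoded length, or -1 if the parameter is missing, malformed,
 * contains a NUL byte, or does not fit in `outsz` bytes (no silent truncation).
 * On -1 the contents of `out` are unspecified and must not be used. */
int cgi_get_param(const char *qs, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name), n = 0;
    if (qs == NULL || outsz == 0) return -1;
    while (*qs) {
        const char *end = qs + strcspn(qs, "&");   /* end of this name=value pair */
        if ((size_t)(end - qs) > nlen && strncmp(qs, name, nlen) == 0 && qs[nlen] == '=') {
            for (const char *p = qs + nlen + 1; p < end; p++) {
                int c = (unsigned char)*p;
                if (c == '+') c = ' ';
                else if (c == '%') {
                    if (end - p < 3) return -1;    /* escape cut short */
                    int hi = hexval((unsigned char)p[1]), lo = hexval((unsigned char)p[2]);
                    if (hi < 0 || lo < 0) return -1;
                    c = hi * 16 + lo; p += 2;
                }
                if (c == 0 || n + 1 >= outsz) return -1;  /* %00 or would overflow */
                out[n++] = (char)c;
            }
            out[n] = '\0';
            return (int)n;
        }
        qs = *end ? end + 1 : end;
    }
    return -1;
}

int main(void) {
    char user[32];
    /* QUERY_STRING is set by the web server under the CGI convention. */
    int len = cgi_get_param(getenv("QUERY_STRING"), "user", user, sizeof user);
    fputs("Content-Type: text/plain\r\n\r\n", stdout);
    if (len < 0) puts("bad request"); else printf("hello, %s\n", user);
    return 0;
}
```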
+4  A: 

The major security hole I would see anywhere, C/C++ included, would be not using a standard, open CGI library, not reading its documentation, and thinking you're secure anyway.

  • Don't re-invent the wheel. Use a CGI library. Some languages have this built-in (PHP probably does), others have it included (Perl comes to mind), others need you to grab it from elsewhere (C/C++). Make sure you know what it is, and that you use it. Do not try to implement it yourself. If you have to ask about security, you, like me, are not qualified to write it.
  • Read the documentation. If you're using a well-established library, there will be documentation on security issues and what you can do to avoid them.
  • Do not ever assume you're secure. I'm quite sure I'm not secure, even though I've followed all the rules in the CGI library for Perl, and the rules in the database interface library, etc. But I still assume I'm not secure, and keep it on the forefront of my mind when doing anything there. Should I ever be an expert on security, maybe I'll change my assumption. Not sure yet.

Security is always multi-faceted, and always incomplete. There are holes being found in all sorts of software all the time - software that may have been previously thought secure. And now we have many more best-practices for security than we did, say, 15 years ago. And we have SELinux for more security.

Of course, the question is - do you have enough security for your app? Does a reasonable effort get you a reasonable level of security? Of course, that's why I don't use C/C++, but I use Perl instead. It takes a lot less effort to ensure I don't overwrite memory in Perl than it does in C++. That's a level of security right there with no actual work involved.

Tanktalus
A: 

Many sites are CGI based. Many PHP sites that are located on hosting are run in CGI mode - mod_php is hard to use in a shared environment - no suid.

In general, running as CGI has lower performance, but is better for security - you have no access to webserver internals (as with mod_perl and mod_php), so using vulnerabilities is harder. If you use cgi-bin, your non-executable files are not visible (a common bug of PHP programmers is that they have libraries with an extension like .inc, so the source is shown when this file is requested directly).

Alexandr Ciornii
A: 

Perl's taint-checking mode provides a marvelous way to increase security.

skiphoppy