Practice Safe Scripting

The Problem:
When installed correctly, CGI scripts provide great functionality for web sites, enabling shopping cart programs, database access and dynamically generated displays of information. But incorrectly installed or outdated CGI scripts are an open invitation to hackers and are a common way web servers are compromised.

Rule One: Finish the installation. It’s tempting to ignore the last step in an installation script. You know the one. It’s where the user is told to change the permissions on this folder or that folder and to remove the install script. After all, your shopping cart program or image gallery is working and it’s much more fun to begin working with that instead of finishing those mundane cleanup tasks. But this is often how hackers get in. Because the install script is still there and because the folders often remain writeable by anyone, script kiddies can find their way in.
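
A check for the two leftovers Rule One names, folders still writeable by anyone and an install script that was never removed, as an added example that is not part of the original page. The installer file names it looks for (install, install.*, setup.*) are assumptions; use the names from your script's own install instructions.

```shell
#!/bin/sh
# Added example: audit a web root after installing a CGI script.
# Reports (1) files and folders writable by "other" and (2) leftover
# installer scripts. The name patterns in step 2 are assumptions.

audit_webroot() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    found=0

    # 1. Anything writable by everyone (mode bit 0002 set).
    #    Symlinks are skipped: their own mode bits are not meaningful.
    ww=$(find "$root" \( -type d -o -type f \) -perm -0002 -print)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
        found=1
    fi

    # 2. Installer scripts that should have been deleted after setup.
    inst=$(find "$root" -type f \
        \( -name 'install' -o -name 'install.*' -o -name 'setup.*' \) -print)
    if [ -n "$inst" ]; then
        printf '%s\n' "$inst" | sed 's/^/INSTALLER: /'
        found=1
    fi

    # 0 = clean, 1 = cleanup still needed, 2 = bad argument
    return $found
}
```

Call it as audit_webroot followed by the path to your web root; a return value of 1 means one of the cleanup steps is still outstanding.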

Rule Two: Don’t put “Powered by” on your home page. Yes, it’s nice to give credit where credit is due, but that just makes it easier for the hackers who use search engines to look for web sites using CGI scripts with known vulnerabilities. If you insist on displaying the name of the software, then keep the version number vague.

Rule Three: Keep your CGI scripts up-to-date. There is a reason developers release new versions of their scripts. Bugs are fixed, improvements are made and, most importantly, security holes are patched. Running an out-of-date CGI script is an invitation to hackers to attack your web site. Be responsible and help Hurricane Electric keep your web site safe.