What is a CGI?

Not Computer Generated Imagery, but the /cgi-bin/ scripts you sometimes see in the URL when you visit a web page.

CGI stands for Common Gateway Interface. It is the specification for how a web server hands an HTTP request to an external program and sends that program's output back as the HTTP response. In MVC terms the CGI program plays the Controller: the Model is the data store (typically the database), the View is the front-end HTML/CSS sent to the browser, and the Controller is the logic that processes user interaction.

The CGI program receives the user's input from the web server (the query string, headers and any POST body), does the processing, and writes the response that the server forwards to the browser.

A CGI program is any program or script the server runs at the back end to handle a request. It can be written in any language that can read environment variables and standard input and write to standard output: Python, Perl, C, C++, even a shell script. By convention such programs live under /cgi-bin/. An example URL invoking a Python CGI program with two query-string parameters:

http://www.test.com/cgi-bin/hello.py?key1=value1&key2=value2

Programming vs CGI Programming


Most of us are familiar with, and have experience in, the languages mentioned above, but there is a difference between conventional programming in those languages and writing a program that conforms to the CGI standard.

Below is a minimal CGI program in Python:

#!/usr/bin/env python3

# The header block comes first: one "Name: value" line per header,
# then an empty line marking the end of the headers.
print("Content-Type: text/html")
print()

# Everything after the empty line is the response body.
print('<html>')
print('<head>')
print('<title>Hello World - First CGI Program</title>')
print('</head>')
print('<body>')
print('<h2>Hello World! This is my first CGI program</h2>')
print('</body>')
print('</html>')

There are two main differences here:

  1. The CGI program must begin its output with a header block, ending in an empty line, before any content.
    • The essential header is Content-Type. Its value is a MIME type (MIME stands for Multipurpose Internet Mail Extensions), which tells the browser what sort of content it is receiving. Other headers the CGI specification allows include Status (to set the HTTP status code) and Location (to redirect).
    • In the snippet this is the Content-Type line and the empty line that follows it. The web server parses these headers; if the empty line is missing, the server cannot tell where the headers stop and usually answers with a 500 error.
  2. Everything after the empty line is the response body, and it must match the declared Content-Type: HTML here, but it could equally be plain text, JSON, an image, or any other format the browser can display.

CGI Environment Variables


When writing a CGI program, a set of environment variables is available that is standard across all CGI implementations, regardless of the language used. The web server populates them from the request before it runs the program.

Some examples of these are:

HTTP_COOKIE – The visitor's cookie, if one is set
HTTP_HOST – The hostname of the page being requested
HTTP_REFERER – The URL of the page that called your program
HTTP_USER_AGENT – The browser type of the visitor
QUERY_STRING – The part of the URL after the ?, e.g. key1=value1&key2=value2
REQUEST_METHOD – GET, POST, etc.
REMOTE_ADDR – The IP address the request came from

Every HTTP_* variable is copied straight from a request header, and QUERY_STRING comes straight from the URL, so all of these values are chosen by the client and must be treated as untrusted input. The full list is defined in the CGI specification (RFC 3875) and is easy to find online.
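As an added example (not code from the original post), here is a Python 3 CGI program that reads the standard variables above from the environment, parses the query string and cookies, and emits a response with the header block and empty line that the previous section describes. The request in SAMPLE_ENVIRON is constructed for illustration; when the script is run by a web server, os.environ is used instead.

```python
#!/usr/bin/env python3
"""Read the standard CGI environment variables and build a response.

Added example: SAMPLE_ENVIRON is constructed for illustration and is not
from the original post. Under a real web server os.environ holds these
values before the script starts.
"""
import html
import os
import sys
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def parse_request(environ):
    """Collect the request data a CGI program typically needs.

    Everything returned here originates from the client's request line,
    URL and headers, so it is attacker-controlled input.
    """
    cookies = SimpleCookie()
    cookies.load(environ.get("HTTP_COOKIE", ""))
    return {
        "method": environ.get("REQUEST_METHOD", "GET"),
        "script": environ.get("SCRIPT_NAME", ""),
        "path_info": environ.get("PATH_INFO", ""),
        # parse_qs returns a list per key because a key may repeat
        "params": parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True),
        "host": environ.get("HTTP_HOST", ""),
        "referer": environ.get("HTTP_REFERER", ""),
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
        "cookies": {k: m.value for k, m in cookies.items()},
        "client_ip": environ.get("REMOTE_ADDR", ""),
    }


def render(request):
    """Return the full CGI response: header block, empty line, HTML body.

    html.escape() is applied to every client-supplied value before it is
    placed in the page; otherwise a crafted query string or User-Agent
    header could inject markup or script into the response.
    """
    rows = []
    for name in ("method", "host", "referer", "user_agent", "client_ip"):
        rows.append(f"<li>{name}: {html.escape(request[name])}</li>")
    for key, values in sorted(request["params"].items()):
        rows.append(f"<li>param {html.escape(key)} = {html.escape(', '.join(values))}</li>")
    for key, value in sorted(request["cookies"].items()):
        rows.append(f"<li>cookie {html.escape(key)} = {html.escape(value)}</li>")
    body = "<html><body><ul>\n" + "\n".join(rows) + "\n</ul></body></html>\n"
    # CGI header block: one header per line, terminated by an empty line.
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + body


# Constructed sample environment, standing in for what the server provides.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/hello.py",
    "QUERY_STRING": "key1=value1&key2=value2&key2=<b>x</b>",
    "HTTP_HOST": "www.test.com",
    "HTTP_REFERER": "http://www.test.com/index.html",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "HTTP_COOKIE": "session=abc123; theme=dark",
    "REMOTE_ADDR": "203.0.113.7",
}

if __name__ == "__main__":
    # Use the real environment when run by a web server, the sample otherwise.
    env = os.environ if "REQUEST_METHOD" in os.environ else SAMPLE_ENVIRON
    sys.stdout.write(render(parse_request(env)))
```

Run it from a terminal and it prints the complete response, headers first; drop it into a cgi-bin directory and the server will supply the real environment. Note that the deprecated cgi module is deliberately not used: urllib.parse and http.cookies cover what it did here.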

CGI Vulnerabilities


Most CGI vulnerabilities come from the fact that input from the user is not properly validated before it is used. Every environment variable, query-string parameter, cookie and POST body is chosen by the client. When such a value is joined onto a file path, the user can read files outside the intended directory (directory traversal); when it is interpolated into a shell command, the user can append commands of their own (command injection, leading to RCE). The same mechanism that turns HTTP headers into environment variables is why Shellshock (CVE-2014-6271) was exploitable remotely through CGI scripts that invoked bash. The fix is the same in every language: validate input against an allow-list, keep file access inside a fixed directory, and never pass user data through a shell.
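As an added example (not from the original post), the two classic CGI mistakes beside their hardened forms, in Python 3. The file-serving and ping handlers are hypothetical, DOC_ROOT and the sample query strings are constructed, and only the hardened ping variant is ever executed.

```python
#!/usr/bin/env python3
"""Unchecked CGI input beside the hardened form.

Added example, not from the original post. The handlers are hypothetical;
DOC_ROOT and the query strings are constructed for illustration.
"""
import os
import re
import subprocess
from urllib.parse import parse_qs

# Constructed document root that the file handler is meant to stay inside.
DOC_ROOT = "/var/www/cgi-data"


# --- 1. Directory traversal -------------------------------------------------

def file_path_unchecked(query_string):
    """Vulnerable: joins the client's 'name' parameter straight onto the root.

    name=../../../etc/passwd walks out of DOC_ROOT.
    """
    name = parse_qs(query_string).get("name", [""])[0]
    return os.path.normpath(os.path.join(DOC_ROOT, name))


def file_path_checked(query_string):
    """Hardened: normalise the path, then require it to stay inside DOC_ROOT.

    Returns None for anything that escapes, including '..' segments and
    absolute paths (os.path.join drops the root when given '/etc/passwd').
    With a real filesystem, apply os.path.realpath to both sides as well so
    that symlinks inside the root cannot point outside it.
    """
    name = parse_qs(query_string).get("name", [""])[0]
    root = os.path.normpath(DOC_ROOT)
    candidate = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# --- 2. Command injection ---------------------------------------------------

def ping_command_unchecked(query_string):
    """Vulnerable: the client's 'host' is interpolated into a shell line.

    host=example.com;id makes the shell run 'id' after ping finishes.
    """
    host = parse_qs(query_string).get("host", [""])[0]
    return "ping -c 1 " + host          # this string would go to os.system()


HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_argv_checked(query_string):
    """Hardened: allow-list the value and build an argv list, no shell.

    Returns None if the host fails validation. The list form is handed to
    subprocess.run() without shell=True, so metacharacters are never
    interpreted even if the allow-list were loosened later.
    """
    host = parse_qs(query_string).get("host", [""])[0]
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        return None                     # also blocks option injection like "-f"
    return ["ping", "-c", "1", host]


def run_ping(query_string):
    """Execute the checked form; returns ping's exit status or None if rejected."""
    argv = ping_argv_checked(query_string)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, timeout=5).returncode


if __name__ == "__main__":
    # Constructed malicious query string, used unless the server supplies one.
    qs = os.environ.get("QUERY_STRING",
                        "name=../../../etc/passwd&host=example.com%3Bid")
    print("Content-Type: text/plain")
    print()
    print("unchecked path :", file_path_unchecked(qs))
    print("checked path   :", file_path_checked(qs))
    print("unchecked cmd  :", ping_command_unchecked(qs))
    print("checked argv   :", ping_argv_checked(qs))
```

The semicolon in the sample is percent-encoded (%3B) because older Python versions also treated a bare ';' as a query-string separator; the decoded value the handler sees is example.com;id either way, which is exactly what the unchecked version would hand to a shell.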
