CGI programs and C++-based plug-ins operate with relatively unfettered access to the server machine on which they execute (limited on Unix machines by the user account permissions of the web server process). This isn’t so bad for an isolated programmer developing for a single web server, but it’s a security nightmare for internet service providers (ISPs), corporations, schools, and everyone else running shared web servers.
For these sites, the problem isn’t just protecting the server from malicious CGI programmers. The more troublesome problem is protecting from careless CGI programmers. There are dozens of well-known CGI programming mistakes that could let a malicious client gain unauthorized access to the server machine. One innocuous-looking but poorly written Perl eval function is all it takes. For an extensive list of CGI security gotchas, see Chapter 6 of The WWW Security FAQ at http://www.w3.org/Security/Faq/www-security-faq.html.
To better understand the situation, imagine you’re an ISP and want to give your customers the ability to generate dynamic content using CGI programs. What can you do to protect yourself? Historically, ISPs have chosen one of three options:
He’s a good guy and a smart programmer, and besides, we have his credit card number.
If he reads the WWW Security FAQ and passes a written test, we’ll let him write CGI programs for our server.
Before we install ...