
Insecurity of Inputs to CGI Program

Insecurity of Inputs to CGI Program (PDF, 1.86MB)
Published: 19 Sep, 2001
Created by: Suhairi Jawi

The Common Gateway Interface (CGI) is a method for a web browser (the client) to interact with the host operating system through a web server. CGI allows the client to run a program or web application on the host machine. The program can be written in any programming language, compiled or interpreted, as long as it is executable and written correctly. A figure in the paper shows the components involved: the client, the server and the CGI program. The program usually interacts with other applications or services on the web server's operating system to complete its tasks, such as a database server, a mail program or content services. The program passes the user inputs (obtained from the URL or an HTML form) and the state of the transaction (from cookies, hidden fields and environment variables) to those applications for processing, and the results are passed back to the client. The main drawback of this technique concerns exactly those user inputs and transaction states: there is no guarantee that a user will enter input correctly (whether intentionally or accidentally), and the state (the values of cookies, hidden fields and environment variables) may be modified by the client before it reaches the program.
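The following is an added example, not code from the paper, written in Python because the paper does not name a language. It models the two trust problems described above. The CGI environment (QUERY_STRING and HTTP_COOKIE), the product catalogue and the session table are all constructed for the example; the web server, the mail program and the database are assumed and nothing is actually executed. For each source of data the block shows the pattern that trusts the client beside the pattern that does not: the e-mail address is either spliced into a shell string or validated and passed as a single argv element; the price is either read from a hidden form field or looked up server-side from the item id; the user's role is either read from a cookie or resolved from an opaque session id.

```python
"""Added example: inputs and state reaching a CGI program cannot be trusted.
Everything here is constructed; no external program is run."""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed CGI environment, as a web server would hand it to the program
# (assumption: a feedback/order form submitted with GET, plus a cookie header).
# The client has put shell metacharacters in the e-mail field, set the hidden
# price field to 1 and given itself an "admin" role cookie.
CONSTRUCTED_ENV = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "email=victim%40example.com%3B+id&item=42&price=1",
    "HTTP_COOKIE": "role=admin; session=abc123",
}

# Server-side catalogue (constructed) that the program should consult instead
# of trusting a price carried in a hidden field. item id -> price in cents.
CATALOG = {"42": 1999}


def read_inputs(env):
    """Collect user inputs (URL/form fields) and state (cookies) from the
    environment the web server populated for the CGI program."""
    query = parse_qs(env.get("QUERY_STRING", ""), keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    jar = SimpleCookie()
    jar.load(env.get("HTTP_COOKIE", ""))
    cookies = {k: morsel.value for k, morsel in jar.items()}
    return params, cookies


def mail_command_unsafe(params):
    """Vulnerable: interpolates the address into a shell command string.
    Run with shell=True, the ';' submitted by the client ends the mail
    command and starts a second one."""
    return "mail -s 'Feedback' " + params.get("email", "")


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def mail_command_safe(params):
    """Hardened: allow-list validation, then an argv list with no shell, so the
    value can only ever be one argument to the mail program."""
    email = params.get("email", "")
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected e-mail address")
    return ["mail", "-s", "Feedback", email]


def total_unsafe(params):
    """Vulnerable: trusts the hidden 'price' field, which the client controls."""
    return int(params["price"])


def total_safe(params, catalog=CATALOG):
    """Hardened: only the item id comes from the form; the price is server-side."""
    item = params.get("item", "")
    if item not in catalog:
        raise ValueError("unknown item")
    return catalog[item]


def is_admin_unsafe(cookies):
    """Vulnerable: a role stored in a cookie is client-controlled state."""
    return cookies.get("role") == "admin"


def is_admin_safe(cookies, sessions):
    """Hardened: the cookie carries only an opaque session id; the role is read
    from server-side session storage (assumption: a dict stands in for it)."""
    session = sessions.get(cookies.get("session", ""), {})
    return session.get("role") == "admin"


if __name__ == "__main__":
    params, cookies = read_inputs(CONSTRUCTED_ENV)
    print("unsafe shell string:", mail_command_unsafe(params))
    try:
        mail_command_safe(params)
    except ValueError as err:
        print("safe:", err)
    print("unsafe total:", total_unsafe(params), "safe total:", total_safe(params))
    print("unsafe admin:", is_admin_unsafe(cookies),
          "safe admin:", is_admin_safe(cookies, {"abc123": {"role": "user"}}))
```

The unsafe variants each return the attacker's intended result from the constructed request (an extra `id` command in the shell string, a total of 1 cent, administrator rights); the safe variants reject the address, charge the catalogue price and report an ordinary user. The same three checks apply whether the CGI program is written in Perl, C or a shell script: validate inputs against what is expected, never rebuild commands or queries by string concatenation, and keep authoritative state on the server.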
