CGI/Perl Scripts


I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
You can never be sure that a script is safe. The best you can do is to examine it carefully and understand what it's doing and how it's doing it. If you don't understand the language the script's written in, show it to someone who does.

Things to think about when you examine a script:
  1. How complex is it? The longer it is, the more likely it is to have problems.
  2. Does it read or write files on the host system? Programs that read files may inadvertently violate access restrictions you've set up, or pass sensitive system information to hackers. Programs that write files have the potential to modify or damage documents, or, in the worst case, introduce trojan horses to your system.
  3. Does it interact with other programs on your system? For example, many CGI scripts send e-mail in response to form input by opening up a connection with the sendmail program. Is it doing this in a safe way?
  4. Does it run with suid (set-user-id) privileges? In general this is a very dangerous thing and scripts need to have excellent reasons for doing this.
  5. Does the author validate user input from forms? Checking form input is a sign that the author is thinking about security issues.
  6. Does the author use explicit path names when invoking external programs? Relying on the PATH environment variable to resolve partial path names is a dangerous practice.
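The following form-to-mail script is an added example written for this FAQ entry; it is not code from the FAQ or from any particular CGI package. It shows what items 3, 5 and 6 of the checklist look like in practice: taint mode, explicit validation of every form field, an explicit path to sendmail, and the list form of open() so that no shell ever parses request data. The sendmail location (/usr/sbin/sendmail) and the form field names (to, subject, body) are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not part of the FAQ: a small form-to-mail CGI written to
# pass the checklist above. -T (taint mode) makes perl refuse to hand
# unchecked request data to external programs; form fields are validated
# against explicit patterns (item 5); sendmail is run by full path with the
# list form of open(), so /bin/sh never parses user input (items 3 and 6);
# nothing here needs set-user-id (item 4) or writes files (item 2).
use strict;
use warnings;

# Item 6: do not let the inherited environment decide which binaries run.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SENDMAIL = '/usr/sbin/sendmail';   # assumed location of sendmail

# Decode application/x-www-form-urlencoded data into a hash of field => value.
sub parse_form {
    my ($data) = @_;
    my %form;
    for my $pair (split /&/, $data) {
        my ($key, $value) = split /=/, $pair, 2;
        next unless defined $key;
        for ($key, $value) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $form{$key} = defined $value ? $value : '';
    }
    return \%form;
}

# Item 5: accept only a conservative address shape. The capture group is
# what untaints the value; anything else is rejected, not "cleaned up".
sub validated_address {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /^([A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/;
    return undef;
}

# A subject must be one line: a CR or LF would let a sender add headers.
sub validated_subject {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /^([^\r\n\0]{1,200})$/;
    return undef;
}

# Item 3: talk to sendmail without a shell. The two-argument form
# open(MAIL, "|sendmail $to") is the pattern to avoid: the interpolated
# string is handed to /bin/sh, which honours ';', '|' and backquotes.
sub send_message {
    my ($to, $subject, $body) = @_;
    $body = '' unless defined $body;
    $body =~ s/\0//g;   # a NUL would truncate the message on some MTAs
    open(my $mail, '|-', $SENDMAIL, '-t', '-oi')
        or die "cannot run $SENDMAIL: $!";
    print {$mail} "To: $to\n", "Subject: $subject\n", "\n", $body, "\n";
    close($mail) or die "sendmail exited with status " . ($? >> 8);
    return 1;
}

# Read the request body (POST) or the query string (GET); both are tainted.
sub read_request {
    my $method = defined $ENV{REQUEST_METHOD} ? $ENV{REQUEST_METHOD} : 'GET';
    if ($method eq 'POST') {
        my $len = defined $ENV{CONTENT_LENGTH} ? $ENV{CONTENT_LENGTH} : '';
        $len = ($len =~ /^(\d+)$/) ? $1 : 0;   # untaint: digits only
        my $buf = '';
        read(STDIN, $buf, $len) if $len > 0;
        return $buf;
    }
    return defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
}

my $form    = parse_form(read_request());
my $to      = validated_address($form->{to});
my $subject = validated_subject($form->{subject});

print "Content-Type: text/plain\r\n\r\n";
if (!defined $to || !defined $subject) {
    # Reject rather than repair: a rejected request is easy to log and audit.
    print "Rejected: recipient or subject failed validation.\n";
    exit 0;
}
send_message($to, $subject, $form->{body});
print "Message accepted for $to.\n";
```

Because the shebang line carries -T, the script must be started as `perl -T mailer.pl` when run by hand (a web server honouring the shebang does this automatically); perl otherwise stops with "Too late for -T". Taint mode is the check that matters when you review someone else's script: if the author has to untaint every value with an explicit pattern before it reaches open(), system() or a file name, the validation in item 5 cannot be forgotten by accident.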
Tips:
Refer to the CGI manual for more details.