Editing Common Gateway Interface (section)

== Security ==

CGI programs run, by default, in the security context of the Web server. When first introduced a number of example scripts were provided with the reference distributions of the NCSA, Apache and CERN Web servers to show how shell scripts or C programs could be coded to make use of the new CGI. One such example script was a CGI program called PHF that implemented a simple phone book.

In common with a number of other scripts at the time, this script made use of a function: <code>escape_shell_cmd()</code>. The function was supposed to sanitize its argument, which came from user input and then pass the input to the Unix shell, to be run in the security context of the Web server. The script did not correctly sanitize all input and allowed new lines to be passed to the shell, which effectively allowed multiple commands to be run. The results of these commands were then displayed on the Web server. If the security context of the Web server allowed it, malicious commands could be executed by attackers.

This was the first widespread example of a new type of Web-based attack called [[code injection]], where unsanitized data from Web users could lead to execution of code on a Web server. Because the example code was installed by default, attacks were widespread and led to a number of security advisories in early 1996.<ref>{{cite web |title=phf CGI Script fails to guard against newline characters |url=https://www.kb.cert.org/vuls/id/20276/ |website=Software Engineering Institute CERT Coordination Center |access-date=21 November 2019 |archive-date=28 July 2020 |archive-url=https://web.archive.org/web/20200728174056/https://www.kb.cert.org/vuls/id/20276/ |url-status=live }}</ref>