Next: 6.6 Windows NT Security Up: 6 Unix Security Previous: 6.4 Repeated Attack

6.5 CGI Scripts

The World Wide Web (WWW) uses a network protocol called Hyper Text Transport Protocol (HTTP) to implement a client-server computing environment over the Internet. HTTP server programs, called Web servers, respond to requests sent over the Internet by HTTP client programs, called Web browsers. The most widely used server and client programs are produced by the Apache group, Netscape Corporation and Microsoft Corporation.

Common Gateway Interface (CGI) scripts are programs which the Web server runs when requested by a Web client such as Netscape Communicator. The CGI protocol provides mechanisms for input from a client browser (such as a database query) to be passed to the Web server for processing by the CGI program. The CGI standard also defines how the CGI script communicates back to the Web server, so that the CGI program's output can be returned to the client browser in the form of a dynamically created Web page.

Web servers may be configured so that programs written by Web client users are executed on the server. Of course, this is a large potential security threat to the Web server machine in situations where the Web client user cannot be trusted or otherwise certified.

Another CGI security concern involves screening or filtering the input data which is sent to the server program for processing. In general, it is a difficult task to filter out all inputs which may lead to error situations or pose security threats. One obvious problem is the verification of the identity of client users by password. If the password is sent over the Internet in clear text, it is visible to any intruder on a machine connected to the source or destination networks. One solution to this problem is to use encryption/decryption protocols in the client and server programs so that the password sent over the Internet is not easily readable.
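The two CGI mechanisms described above (client input arriving at the script through the server, and the script's output going back as a generated page) and the input-screening problem can be seen together in one small script. The following is an added example, not code from the original notes: a CGI program that reads its input from the environment variables the server sets (REQUEST_METHOD and QUERY_STRING), accepts a single hypothetical field named `user` only when it matches a strict allow-list pattern, refuses requests that carry a password in the clear query string, and HTML-escapes whatever it echoes back. The field name, the character class and the 32-character limit are assumptions chosen for the example; the point is that the script rejects anything it does not positively recognise instead of trying to strip out every dangerous input.

```python
#!/usr/bin/env python3
"""Minimal CGI script illustrating allow-list input screening (example code)."""
import html
import os
import re
import sys
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Allow-list for the single field this script accepts (assumed name: "user").
# Only letters, digits, '_', '.', '-' and at most 32 characters are accepted;
# anything else is refused outright rather than "cleaned up".
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Field names that would carry a credential in clear text in the URL (and in
# the server's access log); such requests are refused.
_CLEAR_TEXT_KEYS = {"password", "passwd", "pwd"}


def parse_query(query_string: str) -> Dict[str, str]:
    """Decode a CGI QUERY_STRING into {field: first_value}."""
    pairs = parse_qs(query_string, keep_blank_values=True, max_num_fields=16)
    return {key: values[0] for key, values in pairs.items()}


def is_valid_name(value: str) -> bool:
    """True only if the value lies entirely inside the allow-list."""
    return bool(_NAME_RE.match(value))


def _reply(status: int, reason: str, body: str, ctype: str = "text/plain") -> Tuple[int, str]:
    # CGI output: a 'Status:' header, a Content-Type header, a blank line, then the body.
    return status, f"Status: {status} {reason}\r\nContent-Type: {ctype}\r\n\r\n{body}\r\n"


def build_response(environ: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, full CGI response text) for the request described by environ.

    The Web server passes the client's input through environment variables;
    this script reads only REQUEST_METHOD and QUERY_STRING.
    """
    if environ.get("REQUEST_METHOD", "GET") != "GET":
        return _reply(405, "Method Not Allowed", "GET only")

    fields = parse_query(environ.get("QUERY_STRING", ""))

    # Credentials must never travel in the clear query string.
    if _CLEAR_TEXT_KEYS & set(fields):
        return _reply(400, "Bad Request", "credentials are not accepted in the query string")

    name = fields.get("user", "")
    if not is_valid_name(name):
        return _reply(400, "Bad Request", "invalid or missing 'user' field")

    # The value passed the allow-list; it is still escaped on output so that
    # the generated page never contains raw client-supplied markup.
    body = f"<html><body><p>Hello, {html.escape(name)}</p></body></html>"
    return _reply(200, "OK", body, ctype="text/html")


if __name__ == "__main__":
    _status, response = build_response(dict(os.environ))
    sys.stdout.write(response)
```

When run by a Web server as a CGI program, the script writes its headers and page to standard output; `build_response` is kept separate from the I/O so that the screening logic can be exercised with a constructed environment without a server.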


2002-11-26