CGI Dissected: Part 1
Well, as you might expect, for all its dynamism, CGI was not a holy grail. In fact, there are a lot of sysadmins out there who would be ecstatic if CGI were outlawed. CGI simply causes too many problems.
Unfortunately, there's a lot to worry about [when running a web server with CGI]. The moment you install a Web server at your site, you've opened a window into your local network that the entire Internet can peer through. Most visitors are content to window shop, but a few will try to peek at things you don't intend for public consumption. Others, not content with looking without touching, will attempt to force the window open and crawl in.
It's a maxim in system security circles that buggy software opens up security holes. It's a maxim in software development circles that large, complex programs contain bugs. Unfortunately, Web servers are large, complex programs that can (and in some cases have been proven to) contain security holes.
Furthermore, the open architecture of Web servers allows arbitrary CGI scripts to be executed on the server's side of the connection in response to remote requests. Any CGI script installed at your site may contain bugs, and every such bug is a potential security hole.
It is one thing to allow any freak on the Internet access to your web server when the communication is controlled through the boundaries defined by HTTP and implemented by web browsers. It is another thing to allow a stranger access to an unlimited number of applications housed on the same server through a renegade CGI script.
In the WWW Security FAQ, Stein identifies four overlapping types of risk:
I recommend checking out the following CGI Security sites if you are interested in getting more detailed information.