Check this one out for a good, brief introduction.
http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec/
And the W3C's security FAQ is still a good one.
http://www.w3.org/Security/faq/
Read especially sections 6 and 7, and you'll probably find sections 3 and 5 helpful as well.
Free advice from this corner: The two biggest problems you may run into are failing to anticipate and trap malicious input, and setting permissions that are too, uh, permissive.
Certain useful tools like sendmail are notorious for leaving gaping holes when given tainted input, and running perl in taint mode (-T) doesn't mean you're automatically covered -- I've seen programmers use taint mode "for added security" and then get around the taint complaints by extracting the whole string from itself, with any potential malicious input intact. Duh, why bother?
suExec, while a godsend to hostmasters, can actually be more problematic for CGI programmers. Why? Because your CGIs run as you, with your permissions, so anything you can overwrite in your space (read: your entire space) can be overwritten by an exploited CGI. On FQ, I will often chmod my files (not directories) to 444 (or 600 if they're CGI-generated data) and my apps to 500 when I've put them into production -- b/c then an errant CGI would have to allow the user to change file permissions as well as overwrite them (not that I plan to write exploitable CGIs, but I freely admit to rampant paranoia at times). A chmod 500 script will run on FQ, although it will generate a mod_mime_magic error in your log.
Oops, I've switched into "verbose mode"! Sorry. Those two FAQs ought to give you the background you're after, or at least a verrry good start on it.
------------------
jeni
Linear Mode
