About forms and CGI scripts on IU's web server

CGI programs and scripts are executable; if you have one, you are allowing anyone in the world to run a program on your computer. Because of the potential security risks, users with web pages on the UITS Pages web server may not use CGI scripts.

CGI programs are permitted on the IU central web server (Webserve). Such programs must adhere to UITS's Network Information Services guidelines for information providers.

For information about obtaining an account on Webserve, see At IU, who can have an account on Webserve, and how do I get one?

On this page:


Setting up CGI scripts on Webserve

To run CGI scripts from your account on Webserve:

  1. Name your script so that it ends with a .cgi or a .pl extension. Scripts without one of these extensions will not run on Webserve.
  2. Put the script in your www directory or any subdirectory of your www directory.
  3. Set the permissions of the script to read, write, and execute for the owner only. To do this, move to the directory where your script is stored and, at the command prompt, enter:
     chmod 700 scriptname

    Replace scriptname with the name of your script. For more on the chmod command, see Change permissions for a file in Unix.

  4. Make a link to your CGI script from a web page, or use the action attribute in the <form> tag of a form that submits information to your CGI script. As with your other files on the server, you don't need to include the www directory within the URL for your script. The URL of your script will be in the following form:
     http://www.iupui.edu/~account/subdirectory/scriptname

    Replace iupui with your campus designation, if necessary. Replace account with the account's Network ID username, and if your script is in a subdirectory of www, replace subdirectory with the name of the subdirectory of your script. Replace scriptname with the name of your script.

  5. Test your script to make sure it is working properly.

Alternatives to CGI programs

You may not need a CGI program to complete certain tasks. Consider the following options:

  • You can use Java applets; see Is Java supported on IU's web servers?
  • You can limit who has access to your web pages.
  • You can use links to online utilities hosted by other sites, such as guest books and counters. Searching the web will return many useful links.

Running as owner

On Webserve, CGI scripts execute with the permissions of the script owner (you); this is quite different from many web servers on which CGI scripts run with the permissions of the web server account.

The authors of many of the CGI scripts available on the Internet recommend that you make world readable and writable any files that your CGI script reads from or writes to. Do not follow this advice for CGI scripts that you run on Webserve. Your script executes with your permissions, so it can read and write to your files without having to make these files world readable or writeable. Instead, you should remove world read and write privileges on these files to help prevent them from being maliciously overwritten or deleted.

Your script's URL

The URL for your CGI script is similar to the URLs for your static web pages:

  • IUB users: http://www.indiana.edu/~username/subdirectory/scriptname
  • IUN users: http://www.iun.edu/~username/subdirectory/scriptname
  • IUE users: http://www.iue.edu/~username/subdirectory/scriptname
  • IUK users: http://www.iuk.edu/~username/subdirectory/scriptname
  • IUPUI users: http://www.iupui.edu/~username/subdirectory/scriptname

Restricting access to your CGI script

Search tools such as Google Code Search make it simple to find web sites vulnerable to attacks by enabling you to search for regular expressions and exact strings, and restrict searches to code written in specific programming languages. The tool searches all of the publicly available source code it can find. Therefore, you should not set the permissions of your cgi files to 755.

To restrict access to your CGI script, set up an .htaccess file, as you would for any of your web pages; see Controlling web page access.

Tutorials for forms and CGI applications

This is document agrs in the Knowledge Base.
Last modified on 2017-12-20 15:00:23.

  • Fill out this form to submit your issue to the UITS Support Center.
  • Please note that you must be affiliated with Indiana University to receive support.
  • All fields are required.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.

  • Fill out this form to submit your comment to the IU Knowledge Base.
  • If you are affiliated with Indiana University and need help with a computing problem, please use the I need help with a computing problem section above, or contact your campus Support Center.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.