About forms and CGI scripts on IU's web server

Webserve is scheduled for retirement on December 23, 2019, and will be replaced by IU Sitehosting. All sites hosted on Webserve must be migrated to IU Sitehosting by that date or content will be inaccessible.

On this page:


CGI programs and scripts are executable; if you have one, you are allowing anyone in the world to run a program on your computer. Because of the potential security risks, users with web pages on the UITS Pages web server may not use CGI scripts.

CGI programs are permitted on the IU central web server (Webserve). Such programs must adhere to UITS's Network Information Services guidelines for information providers.

For information about obtaining an account on Webserve, see About Webserve accounts

Set up CGI scripts on Webserve

To run CGI scripts from your account on Webserve:

  1. Name your script so that it ends with a .cgi or a .pl extension. Scripts without one of these extensions will not run on Webserve.
  2. Put the script in your www directory or any subdirectory of your www directory.
  3. Set the permissions of the script to read, write, and execute for the owner only. To do this, move to the directory where your script is stored and, at the command prompt, enter:
     chmod 700 scriptname

    Replace scriptname with the name of your script. For more on the chmod command, see Manage file permissions on Unix-like systems.

  4. Make a link to your CGI script from a web page, or use the action attribute in the <form> tag of a form that submits information to your CGI script. As with your other files on the server, you don't need to include the www directory within the URL for your script. The URL of your script will be in the following form:

    Replace iupui with your campus designation, if necessary. Replace account with the account's IU username, and if your script is in a subdirectory of www, replace subdirectory with the name of the subdirectory of your script. Replace scriptname with the name of your script.

  5. Test your script to make sure it is working properly.

Alternatives to CGI programs

You may not need a CGI program to complete certain tasks. Consider the following options:

  • You can use Java applets; see Java on IU web servers
  • You can limit who has access to your web pages.
  • You can use links to online utilities hosted by other sites, such as guest books and counters. Searching the web will return many useful links.

Run as owner

On Webserve, CGI scripts execute with the permissions of the script owner (you); this is quite different from many web servers on which CGI scripts run with the permissions of the web server account.

The authors of many of the CGI scripts available on the internet recommend that you make world readable and writable any files that your CGI script reads from or writes to. Do not follow this advice for CGI scripts that you run on Webserve. Your script executes with your permissions, so it can read and write to your files without having to make these files world readable or writeable. Instead, you should remove world read and write privileges on these files to help prevent them from being maliciously overwritten or deleted.

Your script's URL

The URL for your CGI script is similar to the URLs for your static web pages:

  • IUB users: http://www.indiana.edu/~username/subdirectory/scriptname
  • IUN users: http://www.iun.edu/~username/subdirectory/scriptname
  • IUE users: http://www.iue.edu/~username/subdirectory/scriptname
  • IUK users: http://www.iuk.edu/~username/subdirectory/scriptname
  • IUPUI users: http://www.iupui.edu/~username/subdirectory/scriptname

Restrict access to your CGI script

Search tools such as Google Code Search make it simple to find web sites vulnerable to attacks by enabling you to search for regular expressions and exact strings, and restrict searches to code written in specific programming languages. The tool searches all of the publicly available source code it can find. Therefore, you should not set the permissions of your cgi files to 755.

To restrict access to your CGI script, set up an .htaccess file, as you would for any of your web pages; see Control web page access for Webserve.

Tutorials for forms and CGI applications

Transform will not be available on IU Sitehosting. If you are using Transform on Webserve, you will need to find another utility for processing HTML forms on IU Sitehosting.

This is document agrs in the Knowledge Base.
Last modified on 2019-09-04 07:31:47.

Contact us

For help or to comment, email the UITS Support Center.