CGI limitations?

on 21.04.2008 17:48:00 by elcarso

Hi everybody,
I wonder why it is forbidden for a CGI application to do certain things,
which I consider quite harmless from a server point of view, like for
instance play a sound or encrypt/decrypt data.

I have a CGI application that runs from within a CGI folder on a Windows
Server 2003.
At the beginning, just after startup, I have put some test code that plays a
wave file and encrypts a short text using the Windows CryptoAPI ("Microsoft
Base Cryptographic Provider v1.0").

When I launch the application directly from the server keyboard, everything
works perfectly: I hear the sound and from a log file I can see that the text
was encrypted correctly.

But, when I launch the CGI application from the internet, by calling the
corresponding URL from another computer, those things do not work. Everything
else, like file I/O, HTTP downloading, FTP operations against other servers,
everything works perfectly, but no sounds and no encryption.

Why is it so? What's the point? Anybody who knows?

Thank you in advance.

Re: CGI limitations?

on 21.04.2008 20:44:43 by David Wang

On Apr 21, 8:48 am, ElCarso wrote:
> Hi everybody,
> I wonder why it is forbidden for a CGI application to do certain things,
> which I consider quite harmless from a server point of view, like for
> instance play a sound or encrypt/decrypt data.
>
> I have a CGI application that runs from within a CGI folder on a Windows
> Server 2003.
> At the beginning, just after startup, I have put some test code that plays a
> wave file and encrypts a short text using the Windows CryptoAPI ("Microsoft
> Base Cryptographic Provider v1.0").
>
> When I launch the application directly from the server keyboard, everything
> works perfectly: I hear the sound and from a log file I can see that the text
> was encrypted correctly.
>
> But, when I launch the CGI application from the internet, by calling the
> corresponding URL from another computer, those things do not work. Everything
> else, like file I/O, HTTP downloading, FTP operations against other servers,
> everything works perfectly, but no sounds and no encryption.
>
> Why is it so? What's the point? Anybody who knows?
>
> Thank you in advance.


Those are not limitations in CGI nor IIS.

Various Windows APIs may choose to work/not work depending on
privileges held by the NT User Token that is invoking their
functionality.

The NT User Token of an interactive user from the server keyboard is
different than the remote user via IIS, thus features may be
different/limited.

If you are asking "Why is it so" about the specific API, then the
answer depends on the API and cannot be answered from an IIS
perspective.

If you are asking why the NT User Token from IIS is not the same as
from an interactive logon, then the answer is "Security".

There are many, many restrictions on what can be triggered
on-behalf-of by a remote user through IIS. If you think of IIS as a
remote activation mechanism of code on the server, then anything you can do,
a hacker can potentially do. You may ask "why are they treated
differently", but many others ask "why are they treated the same". The
viewpoint of the others won out in Windows.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
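
To see the token difference described in the reply above, the following added example (not part of the thread and not code from either poster) writes a short report of the current process's security context. It assumes PowerShell and `whoami.exe` are available on the server; the function name `Get-TokenReport` and the log file location are hypothetical. Run it once from the server console and once from a process started by the CGI application, then compare the two files.

```powershell
# Added example: report the security context of the current process.
# Compare the output from a console session with the output produced
# when the same script is started under the web server.
function Get-TokenReport {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Well-known SIDs that record how the logon session was created.
    $logonSids = @{
        'S-1-5-2' = 'NETWORK'
        'S-1-5-3' = 'BATCH'
        'S-1-5-4' = 'INTERACTIVE'
        'S-1-5-6' = 'SERVICE'
    }

    # Group SIDs carried in the token, filtered to the logon-type markers.
    $groupSids  = @($id.Groups | ForEach-Object { $_.Value })
    $logonKinds = @($groupSids |
        Where-Object { $logonSids.ContainsKey($_) } |
        ForEach-Object { $logonSids[$_] })

    $lines  = @()
    $lines += "User:              $($id.Name) ($($id.User.Value))"
    $lines += "Authentication:    $($id.AuthenticationType)"
    $lines += "Impersonation:     $($id.ImpersonationLevel)"
    $lines += "Logon-type groups: $($logonKinds -join ', ')"
    $lines += "User-interactive:  $([Environment]::UserInteractive)"
    $lines += 'Privileges (whoami /priv):'
    $lines += @(& whoami.exe /priv 2>&1 | ForEach-Object { "  $_" })
    return $lines
}

# Hypothetical log location: one file per process so runs do not overwrite
# each other. TEMP usually resolves to a different folder under the web server.
$procId  = [System.Diagnostics.Process]::GetCurrentProcess().Id
$logPath = Join-Path $env:TEMP "token-report-$procId.txt"
Get-TokenReport | Out-File -FilePath $logPath -Encoding ASCII
```

The lines to compare are the user name, the logon-type groups and the privilege list; differences there are the token differences the reply refers to.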