Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "cgi"
29-year veteran here. Began programming professionally in 1990, writing BASIC applications for an 8-bit Apple II+ computer. Learned Pascal, C, Clipper, COBOL. Ironic side-story: back then, my university colleagues and I used to make fun of old COBOL programmers. Fortunately, I never had to actually work with the language, but the knowledge allowed me to qualify for a decent job position, back in '92.
For a while, I worked with an IBM mainframe, using REXX and EXEC2 scripting languages for the VM/SP operating system. Then I began programming for the web, wrote my first dynamic web applications with cgi-bin shell and Perl scripts. Used the little-known IBM Net.Data scripting language. I finally learned PHP and settled with it for many, many years.
I always wanted to be a programmer. As a kid I dreamed of being like Kevin Flynn, of TRON - create world famous videogames and live upstairs my own arcade place! Later on, at some point, I was disappointed, I questioned my skills, I thought I should do more, I let other people's expectations make feel bad. Then I finally realized I actually enjoy a quieter, simpler life. And I made peace with it.
I'm now like the old programmers I used to mock 30 years ago. There's so much shit inside my brain. And everything seems so damn complex these days. Frameworks, package managers, transpilers, layers and more layers of code. I try to keep up. And the more I learn, the more it seems I don't know.
Sometimes I feel tired. Yet, I still enjoy creating things and solving problems with programming. I still have fun learning. And after all these years, I learned to be proud of my work, even if it didn't turn out to be as glamorous as in the movies.33
My mom died when I was 7, after which my dad bought me a Commodore 64 so I had something to lose myself in during the mourning process.
I learned everything about that system, from my first GOTO statement to sprite buffers, to soldering my own EPROM cartridges. My dad didn't deal with the loss so well, and became a missing person 5 years later when I was 12.
I got into foster care with a bunch of strict religious cultists who wouldn't allow electronics in the house.
So I ran away at 14, sub-rented a closet in a student apartment using my orphan benefits and bought a secondhand IBM computer. I spent about 16 hours a day learning about BSD and Linux, C, C++, Fortran, ADA, Haskell, Livescript and even more awful things like Visual Basic, ASP, Windows NT, and Active Directory.
I faked my ID (back then it was just a laminated sheet of paper), and got a job at 15-pretending-to-be-17 at one of the first ISPs in my country. I wrote the firmware and admin panel for their router, full of shitty CGI-bin ASP code and vulnerabilities.
That somehow got me into a job at Microsoft, building the MS Office language pack for my country, and as an official "conflict resolver" for their shitty version control system. Yes, they had fulltime people employed just to resolve VCS conflicts.
After that I worked at Arianespace (X-ray NDT, visualizing/tagging dicom scans, image recognition of faulty propellant tank welds), and after that I switched to biotech, first phytogenetics, then immunology, then pharmacokynetics.
In between I have grown & synthesized and sold large quantities of recreational drugs, taken care of some big felines, got a pilot license, taught IT at an elementary school, renovated a house, and procreated.
A lot of it was to prove myself to the world -- prove that a nearly-broke-orphan-high-school-dropout could succeed at life.
But hey, now I work for a "startup", so I guess I failed after all.31
So, i tried to demonstrate my roommate how many people push their credentials to github by searching for "password remove" commits.
I decided to show him the file and noticed something interesting. A public IP, and mysql credentials.
I visit the IP and what do i see there, a directory listening with a python script, with injects the database into a webpage (???) and a log of all http requests. Lots of failed attacks aiming at the PHP CGI. Still wondering how they failed on a python server 🤔🤔🤔
Edit phpmyadmin to connect to the mysql database. Success.
Inserted a row telling him the his password is on github. Maybe i should also have told him how to actually remove it. 😅
Yes, root can login from %
This is how far i can get with my current abilities.
Scary how insecure this world is.4
I'm writing a small blogging CMS in bash using CGI. I can't help but giggle every once in a while when I think of the reaction every web developer ever would have if I told them about my project 😂29
Our website once had it’s config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”
Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”8
Well... Looks like I managed to make a Webpage in C++...
I need a life...
webpage (self hosted, so I don't guarantee that it will always be online. however, the pages source code is on github): http://184.108.40.206/cgi-bin/...
The number of tabs opened in the browser is directly proportional to the completely of the problem! :p9
My wife is complaining that am spending too much time on devRant. I just told her, am coming here only when windows is updating :p ;)1
Connect a pen drive, format it successfully. Connect to a new machine to copy data and see the data exists.
Crap! which drive did I formatted :(1
Update to my CGI library for C++:
i've finally written the docs, everything seems to run stable!
if anybody is crazy enough to try it out and leave some feedback, I take everything!
Who the fuck uses http code 200 for a failure. Seriously have you ever heard something about a need to parse the shit you're returning...
Now I don't know whether it's me who's wrong, but man there are more than 80 different codes defined so there really should be something for you, don't you think?
And don't give me shit like "well the request worked so we return 200 it's only that the request wasn't correct". What for a fucking peace of something are you... Those codes are for that exact reason.
Anyways I'm going to parse the shit with string compare and afterwards kill myself out of shame. Whish me luck...6
I'm working on how to control the router at home with Python scripts that post to the cgi interface, and I just turned the light on without the web interface!
I wanna make you feel what you have brought into my house!!
I was working with security cameras once in a home automation project. One of those camera particularly stand out by offering a cgi without password request to view and change the current passwort and username.
Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that passwort and username. And I know some of you might say "hey chill the cgi is only available on the wifi" - dammit no. Security is a lifestyle do it complete or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.
But that's not the end of it. My company arranged a call to the technical support of that camera so that I can explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!
So whoever is responsible - I will find you - and you will never see me coming.4
Meanwhile I was sitting in my Python class.
Suddenly she starts teaching about CGI Scripts and how widely they are used in these days' web interfaces.
Being a web dev myself, this felt so sad.
Considering the advent of so many web frameworks that make it so much easier for the developer to ship a website, who'd use CGI scripts until it's a total nessecary.
Now , what's much worse is she wants us to write a CGI Script for making a resume generator?
I don't know what to do with her..!
Most of us have scary stories about professors that think that they know about what they are talking about when it comes to teaching comp sci subjects. Shit is so backwards in most parts of the world with teachers showing outdated or completely pointless tech.
A friend called me the other day asking for classic ASP help because it was being used in his web class. Another was asking me about flipping c cgi web scripting. Wtf are schools teaching? Having the drive to LEARN actuall useful topics that are relevant on the market is hard enough as it is...shouldn't schools help at least a little bit? I was lucky, we were thaught Java, Python, cpp, js, sql, html5, css3, php, ruby and we had classes for node (for those interested) and asp.net mvc. Those were RELEVANT and good classes and while some outdated tech was good the rest is just bullshit. Specially since most teachers have 0 market value as develpers...but hey!! Wtf do I know! Of course my word is shit against all them doctorate and master degrees.
Gimme a break. School can be great. But a lot of the leadership there is toxic af for our industry. And while I appreciate the effort in me being thaught modern languages (and thaught is a hard word since I already knew how to program way before going to school) i still remember a teacher taking points away from an assignment for not using switch statements in Python...despite my explaining that there was no such thing (you can go around it by using a lil technique using functions, its pretty cool..pero no mames)
Or what about the time I mentioned to a fellow student how he could use markup for having more control with his windows forms while the very same teacher contradicted me saying that shit was not possible. Or the guy at the school in which I work teaching intro to programming using fucking vba...fk man if you are going the BASIC route at least teach them b4j or something fuuuuck.
I had good teachers, but they were always cast asside by dptmnt heads as if they knew better. I just hate pendejo teachers I really do.
Chinguen a su madre, bola de babosos.11
Ugh. That may have been a mistake.
I'm deep in a large effort to refactor my project. It's a one man deal and something I've been working on pretty much every day in some fashion for nearly 10 years (five years ago I started a scratch rewrite to move from a fully CGI server rendered application to a browser rendered asynchronous version built around JS) and that took me three years.
I started this refactor about 8 weeks ago. Turns out I've been tackling the largest modules and progress has been decent. So that's good.
But I got to wondering ... Just how much code is there?
So I whipped up a quick script to do some calculations. Read each file and get a line and word count, skipping empty lines.
In JS it turns out I have 83,973 lines and 467,683 words.
On the back end, 86,230 lines and 580,422 words.
Average publishing stats say the are about 250 words/printed page.
That means I'm confronting refactoring 1,870 pages of JS. That's the size of several decent sized novels. (I think I've done the equivalent of Maybe 400 at this point).
Makes me feel like the walls are creeping in to know how much is left to go ...
Fun fact: In 2020, there are still companies out there with full-blown web apps using CGI (yeah, remember? /cgi-bin?).20
When you take your fast but plain cgi scripts and convert them to fastcgi...
"no way the page parsed and analyzed 325 XML trees this fast" 😇
Kazakhstan Government issues certificates for MITM attacks on the public. WTF !!!
(Spoilers about Ready Player one here)
I watched Ready Player One in 4DX AND IT COSTED AN UNHOLY FUCKING AMOUNT OF MONEY!
yet it was THE BEST MOVIE Ive ever watched, AND I MEAN IT! IT WAS SO FUCKING GREAT! THE CGI THE ACTORS!
STEVEN DID AN EXCELLENT JOB!
and as a Trekkie I LOVED the scene of Hallidays death I mean his coffin WAS A FUCKING PHOTON TORPEDO! and in the Last scene you could see a bat'leth HOW HOW COOL WAS THAT!
And dont get me started on all the other References like the Holy Handgranade, Rubiks Cube, FUCKING BATMAN HELPING SOMEONE CLIMBING, Minecraft OASIS edition, Halo... I CANT ITS TOO MUCH!1
These days all companies just want to show off how evolved their AI is.
Any presentation without the neural networks CGI animation is incomplete!!!2
Today talking with a schoolmate about an optional VS/CGI course at the university, he goes like "Why do we need to know everything about X and Y?", yeah well this means being a Software Engineer darling... what did you expect?
Does somebody know how to send data to the PHP CGI executable directly and how to receive it (stdin/stdout)?
Or point me to a useful resource?
In a side project (just for fun) I try to implement the interface on NodeJS so I could process PHP through ExpressJS (long story).
I've been able to send and receive stuff, but the PHP CGI always tells me that I am "not allowed" to use this interface...
Docs/mailinglists seem reeeally old and don't want to go through the Apache source code 😅
Or does Node not have enough privileges for communicatig with PHP CGI exe?9
CGI is fun, websockets are fun, why on earth is it so fucking hard to have both of them with proper switching using at most one extra program apart from my handlers?
By proper switching I mean that you actually track connections and upgrade headers to decide what to do, rather than forcing websocket connections onto a separate HTTP resource just to tell the difference.4
i've installed lamp and my php -v is 7.1.15. i created a form and when i request to a .php file, it says "php-cgi not found: Please ensure that configured PHP Interpreter built as CGI program (--enable-fastcgi was specified)".
but ive specified the php.ini file from etc/php/7.1/cli.
and in setting/languages & Frameworks/php/cli interpreter it says php version not installed & debuger not installed. SOS3
I fucking hate my ISP. Those cocksuckers never even provide me with a functioning internet connection, and even when the internet does function (which is once in a blue moon) the speed is way slower than the speed they promised me. (supposed to be 24mbps, actually ~2mbps)
The tech support is even worse. It takes forever to get to someone, and when you do get connected to someone, they come up with some bullshit excuse instead of helping me. Either that, or they say they're going to run some tests, and they never get back to me. It's only now that they're sending an engineer over, and they come next week.
Oh, and don't get me started on the router's web interface. It is an abomination of <frameset>, document.write, XMLHttpRequest, non-functional CGI scripts, and to top the shit sundae off, a web server that hasn't been updated since 2005.1
How on earth is there any "sane" software (eco-)system or will it always be so crazy because as pieter hintjens might have said all this soft- and hardware is created by this social animal called human, with all it's faults and aberrations...
So it was just, that I could not print - probably because of this bug: https://bugs.debian.org/cgi-bin/... - couldn't install a newer ghostscript. So I would scp my files inside an Ubuntu-VM from which I could print. Sometimes I could pdf2ps some files or transfer back the ps-file and print on my host machine, but mostly not... U n t i l today when I installed the fucking debug symbols package for ghostscript and I could just fucking print. Heisenbug, ghost error or what?1
Working for a company using Cobol > CGI > PHP > MySQL > Django, and once again another custom rolled framework with no documentation in PHP. Basically no desire, haha.
Thank you hosing company, all you had to do was rebuild the crummy php 5.2 cgi with an up to date version of openssl that supports tls 1.2 so the PayPal integrations work for the seven customers who are too fucking tight to pay to have their sites upgraded to something modern...
Not set all 120 sites across five servers to run on php 5.2..
What the fuck is wrong with walking deads CGI??? Did they lose all their budget or something?
DEER WALKING DEAD DIE1
In those learning days the universal solution to all systems issues -
'restart and see if that fixes'