httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Re: public_cgi-bin scripts
Date Mon, 17 Apr 1995 18:19:01 GMT
Depending on your Joe.Users, some of them very well might have malicious
intent (American undergrads are famous for this), and whatever policies
a local site has should take this into account.  Aside from this, the
major security concern is, say, Joe.User writing a script in shell because
it's something he knows, without taking the *extreme* care you need to 
keep requests which include shell metacharacters from handing a potential
attacker the keys to the kingdom.

(An early version of a fairly widely-distributed archie-gateway CGI script
was written in shell.  I was able to fabricate a request to this thing 
which would give me an xterm running on the server --- I only used this on
my own machine, of course, and mainly as incentive to rewrite the version
of the thing running locally in Perl).


View raw message