Return-Path: Delivered-To: new-httpd-archive@hyperreal.org Received: (qmail 18194 invoked by uid 6000); 26 Jan 1999 07:39:11 -0000 Received: (qmail 18144 invoked from network); 26 Jan 1999 07:39:09 -0000 Received: from imo27.mx.aol.com (198.81.17.71) by taz.hyperreal.org with SMTP; 26 Jan 1999 07:39:09 -0000 Received: from TOKILEY@aol.com by imo27.mx.aol.com (IMOv18.1) id NVOUa26290 for ; Tue, 26 Jan 1999 02:38:33 -0500 (EST) From: TOKILEY@aol.com Message-ID: <2c01536d.36ad70f9@aol.com> Date: Tue, 26 Jan 1999 02:38:33 EST To: new-httpd@apache.org Mime-Version: 1.0 Subject: Re: WIN32 CGI - SECURITY THREAT - 4 OF 4 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit X-Mailer: AOL 3.0 16-bit for Windows sub 41 Sender: new-httpd-owner@apache.org Precedence: bulk Reply-To: new-httpd@apache.org In a message dated 99-01-26 00:14:33 EST, you write: > Sheesh. If the interpreter being run to execute the CGI can do it, > then the CGI can do it. If it can bypass the OS's file permissions, > then the OS doesn't have file permissions. > > If you want to argue with me, you can't just go on and on about how > Win32 is different and how command.com is scary, but you have to give > a specific technical example of why the interpreter name can magically > do something that the code itself can't. I will. Give me a day or so and I will show you what I thought would be obvious from the posting. A picture is worth a thousand words. The security thing was really an after-thought since it really doesn't affect me or my company that much. We are INTRA-NET ONLY. All users are trusted ( and a good thing! ). Any comments on the OTHER 3 postings RE: WIN32 CGI?