[494] in WWW Security List Archive
Re: Security risks with CGI
daemon@ATHENA.MIT.EDU (Jonathon Tidswell)
Fri Mar 3 05:00:29 1995
From: Jonathon Tidswell <t-jont@microsoft.com>
To: hallam@dxal18.cern.ch, www-security@ns2.rutgers.edu
Date: Fri, 3 Mar 95 15:46:10 TZ
Cc: t-jont@microsoft.com
Errors-To: owner-www-security@ns2.rutgers.edu
I believe most of Phil's concerns relate to the security offered by the shell (none).
(IMO) A shell used in such an environment should offer more comprehensive security and
certainly more flexibility than the basic process security model.
Similar problems exist under NT, the lack of setuid() removing some and the lack
of chroot() adding others.
I also believe that adding the code to the server is a worse solution.
It is probably appropriate for the commercial vendors to include extras
in their commercial offerings, but in a research environment things change
too fast and too often, so that insufficiently analysed code would end up in
the server.
Comments ... ? ( on or off the list )
- Jon Tidswell
I am a postgraduate student on a scholarship, not an employee of Microsoft ...
I am looking to do my research on security in distributed scripting ...
----------
| From: "Phillip M. Hallam-Baker" <hallam@dxal18.cern.ch>
| >I'm looking for a comprehensive list of security risks with using CGI
| >scripts.
|
| It would be a very long one indeed.
|
| I personally think the CGI-script idea was a bad one from the start. If you are
| security conscious it is much better to have the routine compiled into the
| server. Spawning other executables on demand is a flakey business at the best of
| times. Spawning shell processes under UNIX is a nightmare.
|
| The problem is that people like having enough rope to hang themselves with. An
| analogous "feature" is the idea that someone posts every so often showing how
| one can add csh into a mailcap file and automatically execute Web pages as they
| arrive. I don't think that's a very good idea with a signed, authenticated
| service. Someday someone will load a shell script written for Mupux-4.2.1(b) not
| realising that their machine is now running Mupux-4.2.2(f) patch level IV. As a
| result of this incompatibility the command rm -Rf / will be executed by
| accident.
|
| See the UNIX-Haters guide for the best summary of UNIX-related risks.
|
| Phill H-B