[499] in WWW Security List Archive


Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (Fisher Mark)
Fri Mar 3 13:04:11 1995

From: Fisher Mark <FisherM@is3.indy.tce.com>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Fri, 03 Mar 95 08:57:00 PST
Errors-To: owner-www-security@ns2.rutgers.edu


Phillip M. Hallam-Baker writes in 
<95Mar3.132937+0900_met.63660-3+1@dxal18.cern.ch>:
>I know there are some people on the list that like UNIX and think I'm a bit hard
>on it that is probably because security of an O/S is a very important issue
>for me.

As someone who has used and liked UNIX since Version 6 (1978) but is also 
concerned with O/S security I have to agree with Phil.  The power of UNIX -- 
many cooperating programs -- is a very potent paradigm.  *But* I think it is 
foolish even in a research environment to let everyone create arbitrary CGI 
programs on a group Web server.  I have never run or let anyone else run 
(during my sysadmin days) an environment where arbitrary programs could be 
added to the world toolkit.

Has anyone on the list looked into enhancing Safe-Tcl to provide Web 
services (Safe-Tcl-Web?)?  Personally, I would feel more comfortable 
allowing arbitrary people to create CGI programs on my Web server if the 
only CGI programs allowed were Safe-Tcl-Web scripts.  On our internal Web 
servers at TCE, the only people that create CGI scripts are the webmasters 
themselves (and we hope we know what we are doing :)).
======================================================================
Mark Fisher                            Thomson Consumer Electronics
fisherm@indy.tce.com                   Indianapolis, IN

"Just as you should not underestimate the bandwidth of a station wagon
traveling 65 mph filled with 8mm tapes, you should not overestimate
the bandwidth of FTP by mail."
