[500] in WWW Security List Archive


Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (Michael Smith)
Fri Mar 3 17:06:28 1995

Date: Fri, 03 Mar 1995 12:08:37 -0400
To: www-security@ns2.rutgers.edu
From: smithmi@dev.prodigy.com (Michael Smith)
Errors-To: owner-www-security@ns2.rutgers.edu

>In message <95Mar2.113753+0900_met.63660-3+9@dxal18.cern.ch>, <hallam@dxal18.cern.ch> wrote:
>>An analogous "feature" is the idea that someone posts every so often showing how
>>one can add csh into a mailcap file and automatically execute Web pages as they
>>arrive.
[....]
>>I don't think that's a very good idea with a signed, authenticated
>>service. Someday someone will load a shell script written for Mupux-4.2.1(b) not
>>realising that their machine is now running Mupux-4.2.2(f)patch levelIV. As a
>>result of this incompatibility the command rm -Rf / will be executed by
>>accident.
>>

This is a thought-provoking observation. On the other hand, consider 
an analogy. People go to their local computer store and buy software 
packages and run them. There is nothing to prevent these packages 
from doing all kinds of mischief, either intentional or not, _except_
the fact that the victim knows where he got the software. Doesn't this
line of reasoning apply to scripts too, if they're properly authenticated? 

--Michael Smith
  smithmi@dev.prodigy.com

