[501] in WWW Security List Archive

Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (smb@research.att.com)
Fri Mar 3 19:37:57 1995

From: smb@research.att.com
To: smithmi@dev.prodigy.com (Michael Smith)
cc: www-security@ns2.rutgers.edu
Date: Fri, 03 Mar 95 13:46:25 EST
Errors-To: owner-www-security@ns2.rutgers.edu

	 This is a thought-provoking observation. On the other hand, consider 
	 an analogy. People go to their local computer store and buy software 
	 packages and run them. There is nothing to prevent these packages 
	 from doing all kinds of mischief, either intentional or not, _except_
	 the fact that the victim knows where he got the software. Doesn't this
	 line of reasoning apply to scripts too, if they're properly
	 authenticated?

The problem is this:  CGI scripts *are* network servers, and have
to be written with that level of care.  (This is just as true for
VMS as for UNIX, I might add.)   And while you may know the immediate
source of your ills (though you may not; the effects could be delayed),
you don't know if that source was itself penetrated.
