[512] in WWW Security List Archive


Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (Jonathon Tidswell)
Tue Mar 7 01:00:00 1995

From: Jonathon Tidswell <t-jont@microsoft.com>
To: smithmi@dev.prodigy.com
Date: Tue,  7 Mar 95 10:49:46 TZ
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


Michael Smith  <smithmi@dev.prodigy.com> wrote:

| In message <95Mar2.113753+0900_met.63660-3+9@dxal18.cern.ch>,
| <hallam@dxal18.cern.ch> wrote:
| >>An analogous "feature" is the idea that someone posts every so often
| >>showing how one can add csh into a mailcap file and automatically
| >>execute Web pages as they arrive.
| [....]
| >>I don't think that's a very good idea with a signed, authenticated
| >>service. Someday someone will load a shell script written for
| >>Mupux-4.2.1(b) not realising that their machine is now running
| >>Mupux-4.2.2(f) patch level IV. As a result of this incompatibility
| >>the command rm -Rf / will be executed by accident.
| >>
|
| This is a thought-provoking observation. On the other hand, consider
| an analogy. People go to their local computer store and buy software
| packages and run them. There is nothing to prevent these packages
| from doing all kinds of mischief, either intentional or not, _except_
| the fact that the victim knows where he got the software. Doesn't this
| line of reasoning apply to scripts too, if they're properly authenticated?

Your caveat of proper authentication is in itself infeasible.
Further, a shop normally carries insurance against which you can claim.
An international cracker in a foreign jurisdiction is not necessarily
prosecutable, and if you *manage* to get them they aren't insured.


- JonT

Disclaimer disclaim disclaim ...
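The mailcap risk quoted above (a viewer entry that hands a fetched file to csh) can be checked for on the receiving side. The script below is an added example, not code from this thread or from either author; the mailcap text it scans is a constructed sample, and the set of programs treated as script interpreters is an assumption.

```python
import os
import shlex

# Assumption: these programs run their %s argument as code rather than display it.
SCRIPT_INTERPRETERS = {"sh", "csh", "tcsh", "ksh", "bash", "zsh", "perl", "python"}

# Constructed sample mailcap, not taken from any real system.
SAMPLE_MAILCAP = """\
text/plain; less %s; needsterminal
application/x-csh; csh %s
application/x-sh; /bin/sh -c 'sh %s'
text/html; lynx -dump \\
  %s; copiousoutput
application/postscript; ghostview %s; test=test -n "$DISPLAY"
"""


def parse_mailcap(text):
    """Return (content_type, view_command, flags) per entry: joins
    backslash-continued lines, skips comments, splits fields on ';'."""
    entries, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line = (buf + raw).strip()
        buf = ""
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) >= 2:
            entries.append((fields[0].lower(), fields[1], fields[2:]))
    return entries


def script_interpreter(command):
    """Interpreter in command that would run the fetched file, else None."""
    try:
        names = [os.path.basename(t) for t in shlex.split(command)]
    except ValueError:  # unbalanced quotes: cannot judge, report nothing
        return None
    return next((n for n in names if n in SCRIPT_INTERPRETERS), None)


def audit_mailcap(text):
    """Entries that hand the received file (%s) to a script interpreter."""
    return [(ctype, cmd, interp) for ctype, cmd, _flags in parse_mailcap(text)
            if "%s" in cmd and (interp := script_interpreter(cmd))]
```

Running `audit_mailcap` over a user's ~/.mailcap and the system mailcap flags the two entries in the sample that execute the downloaded file; the display-only viewers are left alone.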
