[513] in WWW Security List Archive
Re: Security risks with CGI
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Tue Mar 7 14:04:38 1995
From: riddle@is.rice.edu (Prentiss Riddle)
To: www-security@ns2.rutgers.edu
Date: Tue, 7 Mar 1995 08:35:14 -0600 (CST)
Errors-To: owner-www-security@ns2.rutgers.edu
Here's another thing to add to your anxiety closet:
I've been working on generic CGI scripts that could be used in many
applications across my campus, since I don't allow my users to write
their own. One of them is the usual fill-out-a-form-and-mail-in-the-
results script.
It's come to my attention that at least one of my users has had the
bright idea of automatically parsing the output of these forms via a
shell script invoked using filter(1) (the mail-sorting program that
comes with elm(1)). A script invoked via filter(1) shares all of the
risks of a CGI script invoked by httpd directly.
So do we disallow filter(1), too? Bleah. :-(
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- Systems Programmer and RiceInfo Administrator, Rice University
-- 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
-- Opinions expressed are not necessarily those of my employer.
