[2089] in WWW Security List Archive


Re: Macintosh Web Server Issues

daemon@ATHENA.MIT.EDU (matthew mcglynn)
Tue May 14 15:38:29 1996

Date: Tue, 14 May 1996 10:01:26 -0700
To: www-security@ns2.rutgers.edu
From: mcglynn@sentius.com (matthew mcglynn)
Errors-To: owner-www-security@ns2.rutgers.edu

At 10:19 AM 5/13/96, Karl Mitze wrote:


+-Does anyone know where I can find Macintosh-specific security
+information?

Different aspects of this issue have been discussed on the WebSTAR-talk
mailing list. You might try searching one of the list's archives
(<http://search.starnine.com/> for starters) to see what you can dig
up.

The Quarterdeck company line is that, out of the box, WebStar contains
no security threats or holes. This means: if you install the software
and turn it on, you're safe.

Once you add other services (ftp, particularly), or CGIs, you can
potentially open a security hole.

The biggest risk is allowing users, or, worse, anonymous users, to FTP
files ** INTO WEBSTAR'S FOLDER HIERARCHY **. Imagine if a user could
1) upload evil.acgi, and then
2) execute it with <http://www.3rdmill.com/evil.acgi>.

Scary, eh? Don't do this.

Other than that you're probably pretty safe, due to the single-user
nature of the MacOS (as compared to the multi-user nature of a UNIX
system).


+-Does running our own mail server (AIMS) increase our vulnerability?

Not to my knowledge. The worst thing about running AIMS or any other
service on your web server is that it slows the machine, stealing
cycles from WebSTAR. However, for low- to medium-traffic websites,
you probably won't notice any performance hit at all.

--
matt.
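
The upload risk described in the message above (an FTP-writable folder inside the web server's folder hierarchy) can be checked mechanically. This is an added example, not part of the original post; the function names, the constructed directory layout and the suffix set are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

# Suffixes the web server would execute rather than serve as data.
# Assumption: .acgi/.cgi, as in the evil.acgi case; adjust for your server.
EXEC_SUFFIXES = {".acgi", ".cgi"}

def _real(p):
    """Resolve symlinks and '..' so comparisons use real locations."""
    return Path(os.path.realpath(p))

def overlapping_upload_dirs(web_root, upload_dirs):
    """Return upload dirs that sit inside the web root, or contain it."""
    root = _real(web_root)
    hits = []
    for d in upload_dirs:
        rd = _real(d)
        if rd == root or root in rd.parents or rd in root.parents:
            hits.append(str(d))
    return hits

def executable_files_under(upload_dir):
    """List files under an upload dir whose suffix the server would execute."""
    found = []
    for dirpath, _dirs, files in os.walk(upload_dir):
        for name in files:
            if Path(name).suffix.lower() in EXEC_SUFFIXES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)

def demo():
    """Constructed layout: one upload dir inside the web root, one outside."""
    base = Path(tempfile.mkdtemp())
    web = base / "WebSTAR"
    bad = web / "incoming"          # FTP drop folder inside the served tree
    good = base / "ftp-incoming"    # FTP drop folder outside the served tree
    bad.mkdir(parents=True)
    good.mkdir()
    (bad / "evil.acgi").write_text("placeholder, not a real CGI")
    (good / "report.txt").write_text("data")
    risky = overlapping_upload_dirs(web, [bad, good])
    return risky, [executable_files_under(d) for d in risky]

if __name__ == "__main__":
    print(demo())
```

Any directory the first function returns is one where an uploaded file is reachable by URL; the second function lists what is already sitting there with an executable suffix.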


