[2184] in WWW Security List Archive
Re: BoS: CERT Advisory CA-96.11 - Interpreters in CGI bin Directories
daemon@ATHENA.MIT.EDU (Paul Phillips)
Fri May 31 22:13:51 1996
Date: Fri, 31 May 1996 17:21:58 -0700 (PDT)
From: Paul Phillips <paulp@cerf.net>
To: World Wide Web Security <WWW-SECURITY@ns2.rutgers.edu>
In-Reply-To: <31AF6FAE.5384@cup.hp.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Fri, 31 May 1996, Gene Ingram wrote:
> There's a note with the assurance: ``This problem probably affects only
> amateur machines: those running Microsoft or Apple operating systems.''
> Although I find this reassuring, I'd still like to know if anyone on the
> list has experienced an attack from latro or other mechanisms, and if so,
> to please relay their experiences and solutions here. Thanks.
The solution is beyond trivial -- don't put general purpose interpreters
into cgi-bin directories. It's really quite amazing that this ever became
a problem at all, given that such a move should trigger half a dozen warning
flags with anyone qualified to make security assessments. Unfortunately
the overlap between WWW administrators and these people is something much
less than 100%.
This is not rocket science, folks. This hole is tantamount to setting
up passwordless logins on the firewall for ease of maintenance and then
being surprised that people from the outside discover them. I suggest
that a WWW admin whose server is or was vulnerable to this attack study
considerably harder or find a new line of work.
The WWW security situation is indeed horrific.
--
Paul Phillips | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net> | have a graphical browser"
<URL:http://www.cerf.net/~paulp/> | -- Canter and Siegel, on
<URL:pots://+1-619-558-3789/is/paul/there?> | their short-lived web site
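As an added example that is not part of the thread above: a small POSIX shell audit that walks a cgi-bin directory and reports any general-purpose interpreter binaries found there, so the condition the post warns about can be checked on a server rather than assumed. The interpreter name list and the directory path are assumptions; extend them for your own site.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a cgi-bin directory for
# general-purpose interpreter binaries. The name list is an assumption chosen
# to cover common CGI-era interpreters; extend it for your site.
INTERPRETER_NAMES="perl perl.exe sh bash csh ksh tcsh python python.exe tclsh wish php php.exe cmd.exe command.com"

# find_interpreters DIR: print the path of every regular file under DIR (at any
# depth) whose basename, lower-cased, matches a name in INTERPRETER_NAMES.
find_interpreters() {
    dir=$1
    find "$dir" -type f | while IFS= read -r path; do
        base=$(basename "$path" | tr '[:upper:]' '[:lower:]')
        for name in $INTERPRETER_NAMES; do
            if [ "$base" = "$name" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# audit_cgi_bin DIR: return 0 when no interpreter is present under DIR,
# 1 (with the offending paths on stderr) when at least one is found.
audit_cgi_bin() {
    hits=$(find_interpreters "$1")
    if [ -n "$hits" ]; then
        printf 'interpreter(s) found under %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Usage: sh audit_cgi_bin.sh /usr/local/apache/cgi-bin   (path is an assumption)
if [ -n "$1" ]; then
    audit_cgi_bin "$1"
fi
```

A clean exit status makes the script usable from cron or a deployment check; a non-zero status means an interpreter is sitting where any remote client can invoke it.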