[2189] in WWW Security List Archive


RE: BoS: CERT Advisory CA-96.11 - Interpreters in CGI bin Directories

daemon@ATHENA.MIT.EDU (Paul G. Seldes)
Sat Jun 1 12:20:46 1996

From: "Paul G. Seldes" <pgs@tisny.com>
To: "'Paul Phillips'" <paulp@cerf.net>,
    World Wide Web Security <WWW-SECURITY@ns2.rutgers.edu>
Date: Sat, 1 Jun 1996 09:40:35 -0400
Errors-To: owner-www-security@ns2.rutgers.edu

Unfortunately you're quite right.  We're in the security business and are a large systems integrator.  All too many of our clients (surprisingly large corporations too!) are running Web servers outside of any "trained" systems groups.  Too many WEB servers are badly configured, have WIDE security holes and are not really understood by the staff running them.
Each day I'm amazed.
-----------------------------------------
Paul G. Seldes, VP - SWAT
Transaction Information Systems
212-962-1550
http://www.tisny.com


----------
From:  Paul Phillips[SMTP:paulp@cerf.net]
Sent:  Friday, May 31, 1996 1:22 PM
To:  World Wide Web Security
Subject:  Re: BoS: CERT Advisory CA-96.11 - Interpreters in CGI bin Directories

The solution is beyond trivial -- don't put general purpose interpreters
into cgi-bin directories.  It's really quite amazing that this ever became
a problem at all, given that such a move should trigger half a dozen warning
flags with anyone qualified to make security assessments.  Unfortunately
the overlap between WWW administrators and these people is something much
less than 100%.

This is not rocket science, folks.  This hole is tantamount to setting
up passwordless logins on the firewall for ease of maintenance and then
being surprised that people from the outside discover them.  I suggest
that a WWW admin whose server is or was vulnerable to this attack study
considerably harder or find a new line of work.

The WWW security situation is indeed horrific.
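As an added illustration of the check both messages are really asking for (this is editorial example code, not anything posted by either author or by CERT), here is a small audit that lists a cgi-bin directory and flags entries that are general-purpose interpreters, whether by name (perl.exe, sh, tclsh8.4) or as a symlink to one. The interpreter list and the version-suffix handling are assumptions chosen for the 1996-era servers the advisory describes.

```python
import os
import re
import sys

# General-purpose interpreters that should never live in a CGI directory
# (assumed list; extend it for the platforms you actually run).
INTERPRETERS = {
    "perl", "sh", "bash", "ksh", "csh", "tcsh", "python",
    "tclsh", "wish", "cmd", "command",
}
WINDOWS_EXTS = (".exe", ".com", ".bat")


def normalize_name(filename):
    """Map a file name to a bare interpreter name: PERL.EXE -> perl,
    perl5.003 -> perl, tclsh8.4 -> tclsh.  Unrelated names are returned
    lower-cased and otherwise untouched."""
    base = os.path.basename(filename).lower()
    root, ext = os.path.splitext(base)
    if ext in WINDOWS_EXTS:
        base = root
    # Strip a trailing version number such as 5.003 or 8.4.
    return re.sub(r"[\d.]+$", "", base)


def audit_cgi_dir(cgi_dir):
    """Return a sorted list of (entry, reason) for interpreter-like entries."""
    findings = []
    for name in sorted(os.listdir(cgi_dir)):
        path = os.path.join(cgi_dir, name)
        if normalize_name(name) in INTERPRETERS:
            findings.append((name, "interpreter binary by name"))
        elif os.path.islink(path):
            # A link named innocently can still hand a request a full interpreter.
            target = os.path.realpath(path)
            if normalize_name(target) in INTERPRETERS:
                findings.append((name, "symlink to " + target))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_cgi_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % (entry, reason))
```

Run it against each ScriptAlias or cgi-bin directory the server exposes; a clean directory prints nothing.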

