[295] in WWW Security List Archive


Re: CGI Scripts and security

daemon@ATHENA.MIT.EDU (Daniel W. Woycke)
Sat Jan 14 02:23:38 1995

Date: Wed, 28 Dec 1994 07:51:57 -0500
To: chip@chinacat.unicom.com (Chip Rosenthal)
From: woycke@mitre.org (Daniel W. Woycke)
Cc: firewalls@GreatCircle.COM, www-security@ns1.rutgers.edu
Reply-To: www-security@ns2.rutgers.edu

>In article <v01510103ab25e5f60b44@[128.29.140.151]>,
>I think this is a bad idea.  For non-trivial CGI processors, POST is
>much easier to handle than GET.  If you are going to allow CGI
>processors, then, I believe, from a security viewpoint you should be
>doing everything you can to simplify them.  If that's true, then what
>you propose is 180 degrees out of phase.
>
>Take a look at ftp.unicom.com:/pub/gn-tools/cgi-postin.c and the
>documentation in http://www.unicom.com/gn-info/gn-tools.html#cgi-postin .
>It would be trivial to add a few ctype(3) tests to restrict the
>character set for data.
>
>If you are going to allow CGI processors, I think you would do more
>for security by insisting that your users develop their scripts using
>a tool such as cgi-postin.  It will make your CGI scripts
>simpler (thus less to go wrong and easier to audit) and help deflect
>attacks through client-provided data.
>--
>Chip Rosenthal <chip@chinacat.Unicom.COM>|It breaks my heart to see those stars
>Unicom Systems Development               |smashing a perfectly good guitar.
>(Thank you, Cancelmoose[tm].)            | - http://www.unicom.com/john-hiatt/

I will look at CGIpostin, thank you for that information.

I agree that GET is bad for non-trivial scripts, but the basic
philosophy behind firewalls is to have one point at which to concentrate your
security resources.  If I require the user community to write "trusted" CGI
scripts, then I am relying on this community, not on something I have control
over (the firewall).



Thank You,

Daniel W. Woycke             |"I went out drinking with Thomas
Information Engineer (c) 1992|Paine..." -- Billy Bragg
The MITRE Corporation        |"But I am still thirsty..."
7525 Colshire Drive (MS Z213)|-- Arrested Development
McLean, VA   22102           |These opinions are mine and are not
woycke@smiley.mitre.org      |and will not be held by anyone else.
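What the quoted suggestion amounts to in code, as an added example for this archive page (it is not cgi-postin.c, nor anything posted by either author): a CGI program reads its data from a POST body rather than a query string, bounds the read by CONTENT_LENGTH, URL-decodes each field, and then applies "a few ctype(3) tests" so that any byte outside an explicit allow-list causes the whole request to be rejected. The MAX_POST cap, the allow-list punctuation "@._-," and the sample bodies in main() are assumptions chosen for illustration, not values taken from the thread.

```c
/* Added example (not cgi-postin.c): the input side of a POST-handling CGI
 * program, with CONTENT_LENGTH bounded and a ctype(3)-based allow-list. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST 4096   /* hypothetical cap; size it for the form at hand */

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode application/x-www-form-urlencoded text in place ('+' -> ' ',
 * %XX -> byte). Returns the decoded length, or -1 on a truncated or
 * non-hex escape, or on %00, which would silently truncate the C string. */
int url_decode(char *s) {
    char *in = s, *out = s;
    while (*in) {
        if (*in == '+') {
            *out++ = ' ';
            in++;
        } else if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0 || (hi == 0 && lo == 0)) return -1;
            *out++ = (char)(hi * 16 + lo);
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return (int)(out - s);
}

/* The ctype(3) tests: accept only 7-bit letters, digits, space and a short
 * punctuation list (assumed here). Shell metacharacters such as ';' '|' '<'
 * '`', control characters, and bytes >= 0x80 are all rejected. */
int field_is_clean(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c >= 0x80 || iscntrl(c)) return 0;
        if (isalnum(c) || c == ' ' || strchr("@._-,", c)) continue;
        return 0;
    }
    return 1;
}

/* Decode one encoded field and apply the allow-list.
 * Returns 1 if clean, 0 if it contains a disallowed byte, -1 if malformed. */
int check_field(const char *encoded) {
    char buf[MAX_POST];
    if (strlen(encoded) >= sizeof buf) return -1;
    strcpy(buf, encoded);
    if (url_decode(buf) < 0) return -1;
    return field_is_clean(buf);
}

/* Validate a whole body "a=b&c=d". Returns the number of fields accepted, or
 * -1 at the first malformed or disallowed one: the request is rejected as a
 * whole rather than partially cleaned. */
int validate_form(const char *body) {
    char buf[MAX_POST];
    char *pair;
    int count = 0;
    if (strlen(body) >= sizeof buf) return -1;
    strcpy(buf, body);
    pair = buf;
    while (pair && *pair) {
        char *next = strchr(pair, '&');
        char *eq;
        if (next) *next++ = '\0';
        eq = strchr(pair, '=');
        if (!eq) return -1;
        *eq = '\0';
        if (check_field(pair) != 1 || check_field(eq + 1) != 1) return -1;
        count++;
        pair = next;
    }
    return count;
}

/* Read the POST body, trusting CONTENT_LENGTH only after bounding it.
 * Returns the byte count, or -1 if the header is missing, non-numeric,
 * negative, too large for buf, or the body is shorter than advertised. */
int read_post_body(FILE *in, const char *content_length, char *buf, size_t cap) {
    char *end;
    long n;
    if (!content_length || !*content_length) return -1;
    n = strtol(content_length, &end, 10);
    if (*end != '\0' || n < 0 || (size_t)n >= cap) return -1;
    if (fread(buf, 1, (size_t)n, in) != (size_t)n) return -1;
    buf[n] = '\0';
    return (int)n;
}

int main(void) {
    /* Under a real server the body arrives on stdin with CONTENT_LENGTH set. */
    char body[MAX_POST];
    int n = read_post_body(stdin, getenv("CONTENT_LENGTH"), body, sizeof body);
    int fields = n < 0 ? -1 : validate_form(body);
    if (fields < 0) {
        printf("Content-type: text/plain\r\n\r\nrequest rejected\n");
        return 1;
    }
    printf("Content-type: text/plain\r\n\r\n%d field(s) accepted\n", fields);
    return 0;
}
```

To try it offline: `printf 'name=J+Doe&email=jdoe%%40example.org' | CONTENT_LENGTH=33 ./a.out` accepts two fields, while a body carrying `%3Bcat+%2Fetc%2Fpasswd` is rejected because ';' and '/' fail the allow-list. The point of the allow-list (rather than a deny-list of known-bad characters) is that the script never has to guess which metacharacters the program it later hands the data to might interpret.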
