[301] in WWW Security List Archive
CGI Scripts and security
daemon@ATHENA.MIT.EDU (Daniel W. Woycke)
Sat Jan 14 04:06:55 1995
Date: Tue, 27 Dec 1994 10:45:51 -0500
To: www-security@ns1.rutgers.edu, firewalls@GreatCircle.COM
From: woycke@mitre.org (Daniel W. Woycke)
Reply-To: www-security@ns2.rutgers.edu
I know, I know, scripts and security are bad ideas together....
I am interested in any comments on the following policy. Using an http
proxy to pass through a firewall, but disabling all PUTs and POSTs. This
will restrict a CGI script from using the POST method. The GET method
requires all of the data to be in the URL. Then, I would apply a search
for meta-characters to the URL as it passes through the firewall. This
would prevent users from sending meta-characters to scripts.
The big problem I see with this is that none of the metacharacters can be
used in the URL anywhere (maybe this is good). And of course, all script
writers better be doing a darn good job...
Thank You,
Daniel W. Woycke
Information Engineer (c) 1992
The MITRE Corporation
7525 Colshire Drive (MS Z213)
McLean, VA 22102
woycke@smiley.mitre.org

"I went out drinking with Thomas Paine..." -- Billy Bragg
"But I am still thirsty..." -- Arrested Development
These opinions are mine and are not and will not be held by anyone else.
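The proxy policy proposed in the post (refuse PUT and POST, then scan the URL of every GET for shell metacharacters before forwarding it to a CGI script) can be sketched as a small request-line filter. The following is an added example written for this archive page; it is not code from the original message or from the poster. The metacharacter set, the hypothetical check_request_line and decode_fully helpers, and the sample request lines are all constructed for illustration. It also covers two points a practitioner would want: the URL is percent-decoded (repeatedly, with a bound) before the scan, because `%3B` or `%253B` would otherwise slip past a check that only looks for a literal `;`, and the last sample request shows the side effect the poster already notes, namely that an ordinary `&`-separated query string is blocked along with everything else.

```python
from urllib.parse import unquote

# Shell metacharacters the filter refuses to forward to a CGI script.
# Illustrative set (an assumption of this example): command separators,
# redirection, command substitution, quoting and line breaks.
SHELL_METACHARACTERS = set(';|&`$()<>\\\'"\n\r')

# Methods disabled at the proxy, as in the proposed policy.
BLOCKED_METHODS = {"PUT", "POST"}


def decode_fully(url, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    a double-encoded %253B -> %3B -> ; is seen by the metacharacter scan."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            return url
        url = decoded
    return url


def check_request_line(request_line):
    """Decide whether one HTTP request line may pass the proxy.
    Returns (allowed, reason)."""
    parts = request_line.strip().split()
    if len(parts) < 2:
        return False, "malformed request line"
    method, url = parts[0].upper(), parts[1]
    if method in BLOCKED_METHODS:
        return False, f"method {method} disabled at proxy"
    decoded = decode_fully(url)
    found = sorted({c for c in decoded if c in SHELL_METACHARACTERS})
    if found:
        return False, "metacharacters in URL: " + " ".join(repr(c) for c in found)
    return True, "ok"


# Constructed sample request lines, not taken from any real traffic.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/search?q=firewalls HTTP/1.0",       # clean query
    "POST /cgi-bin/form HTTP/1.0",                     # method refused outright
    "GET /cgi-bin/finger?user=guest;ls HTTP/1.0",      # literal separator
    "GET /cgi-bin/finger?user=guest%3Bls HTTP/1.0",    # encoded separator
    "GET /cgi-bin/finger?user=guest%253Bls HTTP/1.0",  # double-encoded separator
    "GET /cgi-bin/search?q=a&lang=en HTTP/1.0",        # legitimate '&' also denied
]


def filter_log(requests=SAMPLE_REQUESTS):
    """Run the check over a list of request lines; returns
    (line, allowed, reason) tuples for review."""
    return [(line, *check_request_line(line)) for line in requests]


if __name__ == "__main__":
    for line, allowed, reason in filter_log():
        print("ALLOW" if allowed else "DENY ", line, "--", reason)
```

The decode-before-scan step is the part most easily forgotten when this kind of rule is written as a plain pattern match on the raw URL; the bounded loop keeps a long chain of nested encodings from turning the filter into a CPU sink.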