[3268] in WWW Security List Archive
Re: NT WWW server Security Holes
daemon@ATHENA.MIT.EDU (Mark_W_Loveless@smtp.bnr.com)
Wed Oct 16 16:00:02 1996
From: Mark_W_Loveless@smtp.bnr.com
Date: Wed, 16 Oct 96 12:27:01 CST
To: www-security@ns2.rutgers.edu, John Allen <JOHNAL@attachmate.com>
Errors-To: owner-www-security@ns2.rutgers.edu
You can configure a WWW server (Unix, NT, otherwise) to be rather
secure from OS-type attacks. While risking flames, any NT guru will
say an NT box can be secured, and likewise for a Unix guru. So for the
sake of argument let's say that you have a web server fully protected
via firewall/packet filtering/etc and can only be accessed two
different ways -- remotely through port 80, and sitting right at the
console.
Your problem becomes the WWW server software itself. For example, if
you have perl.exe in your cgi-bin directory, you can send arbitrary
commands -- regardless of platform. Of course your _commands_ have to
be platform specific but you get the idea.
A web search on NT security issues will turn up a lot of info, but I'd
recommend http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html
as a starting place for web stuff.
Mark Loveless
Opinions my own, not my employer
______________________________ Reply Separator _________________________________
Subject: NT WWW server Security Holes
Author: John Allen <JOHNAL@attachmate.com> at foreign
Date: 10/15/96 9:43 PM
-----BEGIN PGP SIGNED MESSAGE-----
A client of mine recently made the comment to me that NT was a more
secure Web server than UNIX because it was a newer operating system and
hackers haven't found any big holes in it yet. Since I have never been a
fan of "Security through Ignorance", I thought I would ask the list if
there are any known security holes with NT as far as WWW servers go. I
do know that the Registry is accessible remotely, but is that a default
setting? Are there any resources on the 'Net that point out potential
security holes? Are there any known equivalents to the NCSA/phf hole in
NT??
Thanks in advance!!
- -- JA
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
-- John D. Allen, Enterprise Systems Consultant, Attachmate
Corporation
-- EMail: Johnal@attachmate.com PGP: Finger -l johnal@attachmate.com
-- Co-Author, Windows 3.1 Connectivity Secrets, 1994, IDG Books
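
The reply's point about perl.exe sitting in cgi-bin can be checked on a server with a short audit. The following is an added example, not part of either message: it flags raw interpreters, or symlinks to them, under a CGI directory. The interpreter list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed (not from the post) list of general-purpose interpreters and shells.
INTERPRETERS = ("perl", "python", "php", "tclsh", "rexx", "sh", "bash",
                "csh", "ksh", "tcsh", "zsh", "cmd", "command")
# Matches perl, PERL.EXE, perl5.003, python3.11, cmd.exe, command.com ...
NAME_RE = re.compile(r"^(?:%s)[\d.]*?(?:\.(?:exe|com))?$" % "|".join(INTERPRETERS),
                     re.IGNORECASE)

def is_interpreter_name(name):
    """True if a file name looks like a raw interpreter, not a script."""
    return bool(NAME_RE.match(name))

def audit_cgi_dir(cgi_dir):
    """Return sorted (relative_path, reason) pairs for interpreters in cgi_dir."""
    findings = []
    for root, _dirs, files in os.walk(cgi_dir):
        for fname in files:
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, cgi_dir).replace(os.sep, "/")
            if is_interpreter_name(fname):
                findings.append((rel, "interpreter name"))
            elif os.path.islink(path):
                # A harmless-looking name can still point at an interpreter.
                target = os.path.basename(os.path.realpath(path))
                if is_interpreter_name(target):
                    findings.append((rel, "symlink to " + target))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed cgi-bin layout in a temp dir; return the cgi-bin path."""
    base = tempfile.mkdtemp()
    cgi = os.path.join(base, "cgi-bin")
    os.makedirs(os.path.join(cgi, "tools"))
    os.makedirs(os.path.join(base, "bin"))
    for rel in ("cgi-bin/search.pl", "cgi-bin/shell.cgi", "cgi-bin/perl.exe",
                "cgi-bin/tools/PERL5.003", "bin/bash"):
        open(os.path.join(base, *rel.split("/")), "w").close()
    os.symlink(os.path.join(base, "bin", "bash"), os.path.join(cgi, "runner"))
    return cgi

if __name__ == "__main__":
    for rel, reason in audit_cgi_dir(build_sample_tree()):
        print("EXPOSED: %-20s (%s)" % (rel, reason))
```

Scripts such as search.pl are not flagged; only the interpreter binaries themselves, which belong outside any directory the server will execute on request.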