[3411] in WWW Security List Archive


Re: SSIs

daemon@ATHENA.MIT.EDU (Rich Brennan)
Wed Oct 30 13:45:43 1996

From: "Rich Brennan" <brennan@oohahh.merk.com>
Date: Wed, 30 Oct 1996 11:03:59 -0500
In-Reply-To: "Andrew J. Hoag" <ahoag@nas.nasa.gov>
        "Re: SSIs" (Oct 29,  8:27)
To: "Andrew J. Hoag" <ahoag@nas.nasa.gov>,
        "Robert S. Muhlestein" <robertm@teleport.com>,
        www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

>This is definitely not a disappointment and I value this option. Allowing users
>to use SSI without worry about them executing programs is one less thing I have
>to monitor and worry about as a security vulnerability.
>
>Could someone explain to me why exec'ing a cmd (any /bin/sh command) is worse
>than exec'ing a CGI that exec's a cmd (interpreter of your choice)?

I agree with you, if you are assuming that general user-written CGI scripts
are permitted. In my case, I will control the CGI executables, so it's safe
to let them execute CGIs but not anything with cmd= (/bin/sh).

Rich
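
The policy Rich describes (deny every `#exec cmd=`, allow `#exec cgi=` only when it points into a directory the administrator controls) as a small audit script. This is an added example, not code from the thread or any server; the `/cgi-bin/` prefix, the sample page and all file names are assumptions made up for the demonstration.

```python
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed admin-controlled CGI directory (the thread does not name one).
ALLOWED_CGI_PREFIX = "/cgi-bin/"

# <!--#directive attr="value" ... --> as emitted by NCSA/Apache-style SSI.
DIRECTIVE_RE = re.compile(r"<!--#\s*(\w+)\s*(.*?)-->", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


@dataclass
class Finding:
    directive: str
    attrs: Dict[str, str] = field(default_factory=dict)
    verdict: str = "allow"   # "allow" or "deny"
    reason: str = ""


def audit_ssi(html: str) -> List[Finding]:
    """Scan a page for SSI directives and apply the exec policy from the thread."""
    findings: List[Finding] = []
    for m in DIRECTIVE_RE.finditer(html):
        name = m.group(1).lower()
        attrs = dict(ATTR_RE.findall(m.group(2)))
        if name != "exec":
            findings.append(Finding(name, attrs, "allow", "not an exec directive"))
        elif "cmd" in attrs:
            # cmd= hands the string to /bin/sh, so it is denied regardless of content.
            findings.append(Finding(name, attrs, "deny", "exec cmd= runs a shell command"))
        elif "cgi" in attrs:
            # Normalise so "/cgi-bin/../x" cannot escape the controlled directory.
            target = posixpath.normpath(attrs["cgi"])
            if target.startswith(ALLOWED_CGI_PREFIX):
                findings.append(Finding(name, attrs, "allow", "CGI in admin-controlled directory"))
            else:
                findings.append(Finding(name, attrs, "deny", "CGI outside admin-controlled directory"))
        else:
            findings.append(Finding(name, attrs, "deny", "exec without cmd= or cgi="))
    return findings


# Constructed sample page with one directive of each kind.
SAMPLE = """<html><body>
<!--#include virtual="/footer.html" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#exec cgi="/~user/hit.cgi" -->
<!--#exec cmd="date" -->
</body></html>"""

if __name__ == "__main__":
    for f in audit_ssi(SAMPLE):
        print(f.verdict.upper(), f.directive, f.attrs, "-", f.reason)
```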
