[499] in WWW Security List Archive
Re: Security risks with CGI
daemon@ATHENA.MIT.EDU (Fisher Mark)
Fri Mar 3 13:04:11 1995
From: Fisher Mark <FisherM@is3.indy.tce.com>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Fri, 03 Mar 95 08:57:00 PST
Errors-To: owner-www-security@ns2.rutgers.edu
Phillip M. Hallam-Baker writes in
<95Mar3.132937+0900_met.63660-3+1@dxal18.cern.ch>:
>I know there are some people on the list that like UNIX and think I'm a bit
hard
>on it that is probably because security of an O/S is a very important issue
>for me.
As someone who has used and liked UNIX since Version 6 (1978) but is also
concerned with O/S security I have to agree with Phil. The power of UNIX --
many cooperating programs -- is a very potent paradigm. *But* I think it is
foolish even in a research environment to let everyone create arbitrary CGI
programs on a group Web server. I have never run or let anyone else run
(during my sysadmin days) an environment where arbitrary programs could be
added to the world toolkit.
Has anyone on the list looked into enhancing Safe-Tcl to provide Web
services (Safe-Tcl-Web?)? Personally, I would feel more comfortable
allowing arbitrary people to create CGI programs on my Web server if the
only CGI programs allowed were Safe-Tcl-Web scripts. On our internal Web
servers at TCE, the only people that create CGI scripts are the webmasters
themselves (and we hope we know what we are doing :)).
======================================================================
Mark Fisher Thomson Consumer Electronics
fisherm@indy.tce.com Indianapolis, IN
"Just as you should not underestimate the bandwidth of a station wagon
traveling 65 mph filled with 8mm tapes, you should not overestimate
the bandwidth of FTP by mail."
