|[Date Prev] [Date Next]||[Thread Prev] [Thread Next]||[Date Index] [Thread Index]|
Re: [nocol-users] security problems with webnocol.cgi, genweb.pl,notifier.pl, etc.
> > Are there specific security problems you've noted with webnocol.cgi or > are you just nervous because it's not running in taint mode? genweb.pl > and notifier.pl are only run by cron and should therefore be in your > total control. I have to admit, I worry that any script which generates many warnings when run with -w has not been throughly tested. genweb.pl and notifier.pl certainly fit the bill. So even if they're only being run by cron, they could be tightened. As far as webnocol.cgi goes, it will happily execute whatever the subcommand field in the GET/POST request tells it to execute! Not verifying user input is scary enough, but to take an arbitrary command that they provide and execute it is just plain foolhardy. The onion perspective on security applies here. If a black hat is able to circumvent my web server's protections and call webnocol.cgi unexpectedly, he should find another layer of protection, not a wide open entry point. Scott