[Date Prev]   [Date Next] [Thread Prev]   [Thread Next] [Date Index]   [Thread Index]


     RE: [nocol-users] security problems with webnocol.cgi,genweb.pl,notifier.pl, etc.

If I may make a quick suggestion - as for tightening things up a bit for
security purposes.  It's always a good idea to use proven methods rather
than make things up as we go.  I have found that majordomo has done a pretty
good job in the security arena.  Of course there are always issues but
overall it's not bad.  Maybe you could borrow some of their strategies that
seem to work pretty good.  For example, their permission scheme is pretty
tight.  Not bullet proof but well done.

My $0.02 for what it's worth.

Steve Thrasher
Technology Director, UZIX
Keeping the simple, simple,
Making the difficult easy,
and automating the near impossible.

-----Original Message-----
From: owner-nocol-users@navya.com [mailto:owner-nocol-users@navya.com]On
Behalf Of Rick Beebe
Sent: Tuesday, 27 March, 2001 0806
To: listS+nocol-users@niss.com
Cc: nocol-users@navya.com
Subject: Re: [nocol-users] security problems with
webnocol.cgi,genweb.pl,notifier.pl, etc.

>         As far as webnocol.cgi goes, it will happily execute whatever
>         the subcommand field in the GET/POST request tells it to
>         execute! Not verifying user input is scary enough, but to
>         take an arbitrary command that they provide and execute it
>         is just plain foolhardy.

No, it will only execute the subcommand if it exists in the cmdlist
array. However, I will take a look at tightening things up.



    Rick Beebe                                            (203) 785-6416
    Manager, Systems & Network Engineering           FAX: (203) 785-3978
    ITS-Med Production Services                   Richard.Beebe@yale.edu
    Yale University School of Medicine
    Suite 214, 100 Church Street South, New Haven, CT 06519