RE: [nocol-users] security problems with webnocol.cgi,genweb.pl,notifier.pl, etc.
If I may make a quick suggestion as for tightening things up a bit for security purposes. It's always a good idea to use proven methods rather than make things up as we go. I have found that majordomo has done a pretty good job in the security arena. Of course there are always issues, but overall it's not bad. Maybe you could borrow some of their strategies that seem to work pretty well. For example, their permission scheme is pretty tight. Not bulletproof, but well done.

My $0.02 for what it's worth.

---
Steve Thrasher
Technology Director, UZIX
http://www.uzix.com/
Keeping the simple, simple, Making the difficult easy, and automating the near impossible.

-----Original Message-----
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Rick Beebe
Sent: Tuesday, 27 March, 2001 0806
To: listSemail@example.com
Cc: firstname.lastname@example.org
Subject: Re: [nocol-users] security problems with webnocol.cgi,genweb.pl,notifier.pl, etc.

> As far as webnocol.cgi goes, it will happily execute whatever
> the subcommand field in the GET/POST request tells it to
> execute! Not verifying user input is scary enough, but to
> take an arbitrary command that they provide and execute it
> is just plain foolhardy.

No, it will only execute the subcommand if it exists in the cmdlist array. However, I will take a look at tightening things up.

--
_______________________________________________________________________
Rick Beebe (203) 785-6416
Manager, Systems & Network Engineering FAX: (203) 785-3978
ITS-Med Production Services Richard.Beebe@yale.edu
Yale University School of Medicine
Suite 214, 100 Church Street South, New Haven, CT 06519
_______________________________________________________________________
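The dispatch pattern Rick describes (a request parameter that is honoured only if it names an entry in a fixed command list) as an added example; this is not webnocol.cgi's own code, and the subcommand names and the programs they map to are hypothetical stand-ins. The point a reviewer would check is the one shown here: the match is exact, and the matched entry supplies a fixed argument vector that is run without a shell, so request text never reaches a command line.

```python
"""Added example (not webnocol.cgi's code): allowlist dispatch for a CGI
"subcommand" parameter. Command names and targets are hypothetical."""
import subprocess
import sys
from urllib.parse import parse_qs

# Exact-match allowlist (the "cmdlist" idea). The request may only choose a
# key; the argv it maps to is fixed here and never built from request data.
# Stand-ins for real monitoring commands: small Python one-liners.
CMDLIST = {
    "status": [sys.executable, "-c", "print('status: all hosts up')"],
    "reload": [sys.executable, "-c", "print('reload: config re-read')"],
}


def pick_subcommand(query_string):
    """Return the allowed argv for the request's subcommand, or None."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("subcommand", [])
    if len(values) != 1:           # missing or repeated parameter: reject
        return None
    return CMDLIST.get(values[0])  # exact key match, not prefix/substring


def run_subcommand(query_string):
    """Dispatch the request; returns (status, body) like a CGI response."""
    argv = pick_subcommand(query_string)
    if argv is None:
        return 400, "unknown subcommand"
    # List form with shell=False: the vector goes to exec as-is, so the
    # request cannot append arguments or shell metacharacters.
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        return 500, "subcommand failed"
    return 200, proc.stdout


if __name__ == "__main__":
    # Constructed sample requests: one allowed, one unknown, one malformed.
    for qs in ("subcommand=status", "subcommand=dump", "subcommand=status+now"):
        print(qs, "->", run_subcommand(qs))
```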