Re: [nocol-users] security problems with webnocol.cgi, genweb.pl,notifie

[Date Prev] [Date Next]

[Thread Prev] [Thread Next]

[Date Index] [Thread Index]

Re: [nocol-users] security problems with webnocol.cgi, genweb.pl,notifier.pl, etc.

To: Rick Beebe <richard beebe at yale.edu>
Subject: Re: [nocol-users] security problems with webnocol.cgi, genweb.pl,notifier.pl, etc.
From: listS+nocol-users at niss com
Date: Mon, 26 Mar 2001 23:16:24 -0600

> 
> Are there specific security problems you've noted with webnocol.cgi or
> are you just nervous because it's not running in taint mode? genweb.pl
> and notifier.pl are only run by cron and should therefore be in your
> total control.

	I have to admit, I worry that any script which generates
	many warnings when run with -w has not been throughly
	tested.  genweb.pl and notifier.pl certainly fit the bill.
	So even if they're only being run by cron, they could be
	tightened.

	As far as webnocol.cgi goes, it will happily execute whatever
	the subcommand field in the GET/POST request tells it to
	execute! Not verifying user input is scary enough, but to
	take an arbitrary command that they provide and execute it
	is just plain foolhardy.

	The onion perspective on security applies here. If a black
	hat is able to circumvent my web server's protections and
	call webnocol.cgi unexpectedly, he should find another
	layer of protection, not a wide open entry point.

		Scott

Follow-Ups:
- Re: [nocol-users] security problems withwebnocol.cgi,genweb.pl,notifier.pl, etc.
  - From: Rick Beebe

Prev by Date: Re: [nocol-users] security problems with webnocol.cgi,genweb.pl,notifier.pl, etc.
Next by Date: Re: [nocol-users] security problems withwebnocol.cgi,genweb.pl,notifier.pl, etc.
Prev by thread: Re: [nocol-users] security problems with webnocol.cgi,genweb.pl,notifier.pl, etc.
Next by thread: Re: [nocol-users] security problems withwebnocol.cgi,genweb.pl,notifier.pl, etc.
Index(es):
- Date
- Thread