If I may make a quick suggestion - as for tightening things up a bit for
security purposes. It's always a good idea to use proven methods rather
than make things up as we go. I have found that majordomo has done a pretty
good job in the security arena. Of course there are always issues but
overall it's not bad. Maybe you could borrow some of their strategies that
seem to work pretty good. For example, their permission scheme is pretty
tight. Not bullet proof but well done.
My $0.02 for what it's worth.
---
Steve Thrasher
Technology Director, UZIX
http://www.uzix.com/
Keeping the simple, simple,
Making the difficult easy,
and automating the near impossible.
-----Original Message-----
From: owner-nocol-users@navya.com [mailto:owner-nocol-users@navya.com]On
Behalf Of Rick Beebe
Sent: Tuesday, 27 March, 2001 0806
To: listS+nocol-users@niss.com
Cc: nocol-users@navya.com
Subject: Re: [nocol-users] security problems with
webnocol.cgi,genweb.pl,notifier.pl, etc.
> As far as webnocol.cgi goes, it will happily execute whatever
> the subcommand field in the GET/POST request tells it to
> execute! Not verifying user input is scary enough, but to
> take an arbitrary command that they provide and execute it
> is just plain foolhardy.
No, it will only execute the subcommand if it exists in the cmdlist
array. However, I will take a look at tightening things up.
--
_______________________________________________________________________
Rick Beebe (203) 785-6416
Manager, Systems & Network Engineering FAX: (203) 785-3978
ITS-Med Production Services Richard.Beebe@yale.edu
Yale University School of Medicine
Suite 214, 100 Church Street South, New Haven, CT 06519
_______________________________________________________________________
|